Open inmakum19 opened 2 years ago
Can you share the Docker Swarm configuration that you have used to host Appsmith? Appsmith needs a persistent volume in order to issue certificates & persist data. Hence, asking for the swarm configuration.
Below is the service configuration
Ability_ /home/ability $ docker service inspect formbuilderui
[
{
"ID": "ovf1w2ctrju63hrcju879ohqh",
"Version": {
"Index": 15243
},
"CreatedAt": "2021-12-10T17:22:43.4255516Z",
"UpdatedAt": "2021-12-10T17:22:43.491757Z",
"Spec": {
"Name": "formbuilderui",
"Labels": {
"module": "true",
"objectId": "4865206a-dcf3-47c6-b87c-08ccd3153b18",
"system": "false",
"traefik.enable": "true",
"traefik.http.middlewares.formbuilderui.stripprefix.prefixes": "/formbuilderui/",
"traefik.http.middlewares.redirect-to-https.redirectscheme.scheme": "https",
"traefik.http.routers.formbuilderui.entrypoints": "https",
"traefik.http.routers.formbuilderui.middlewares": "formbuilderui",
"traefik.http.routers.formbuilderui.rule": "PathPrefix(/{path:(?i:formbuilderui/)}
)",
"traefik.http.routers.formbuilderui.tls": "true",
"traefik.http.services.formbuilderui.loadbalancer.server.port": "80",
"type": "abb.ia.edge.modules.formbuilderfrontendpoc.configuration@1",
"version": "1"
},
"TaskTemplate": {
"ContainerSpec": {
"Image": "registry.hub.docker.com/11616125/formbuilderui:latest",
"Env": [
"module_id=formbuilderui",
"host_rpc_server_path=/var/ability/rpc/socket",
"object_id=4865206a-dcf3-47c6-b87c-08ccd3153b18",
"device_id=6406240a-f8a4-4fd0-963e-119d04000416",
"tenant_id=9ebcb34e-839d-4729-8389-0e4106efb2a1",
"connectivity_mode=connectondemand",
"reverse_proxy_url=https://unicorns10.iomind.abb.com",
"authentication_server_url=https://unicorns10.iomind.abb.com/auth",
"api_gateway_url=http://edgeapigateway:8880",
"principal_id=8e1a23b2-467c-49cd-996d-2ee68665cc2c",
"mqtt_client_id=formbuilderui",
"mqtt_url=mqtt://edge-broker:1883",
"mqtt_password_file=/run/secrets/formbuilderui",
"topics_model_in=modules/formbuilderui/model/desired",
"topics_model_out=modules/formbuilderui/model/reported",
"topics_methods_in=modules/formbuilderui/methods/req",
"topics_methods_out=modules/formbuilderui/methods/res",
"topics_messages_in=modules/formbuilderui/messages/devicebound",
"topics_messages_out=modules/formbuilderui/messages/events",
"topics_local_in=modules/local/formbuilderui",
"topics_local_out=modules/local",
"topics_files_in=modules/formbuilderui/files/notifications",
"topics_files_out=modules/formbuilderui/files/upload",
"topics_lwt=modules/formbuilderui/lwt",
"topics_status_in=modules/+/status",
"topics_status_out=modules/formbuilderui/status",
"topics_cold=cold/",
"topics_warm=warm/",
"topics_hot=hot/",
"topics_audit_events=modules/formbuilderui/auditEvents",
"appConfiguration__webApiUrl=formbuilderui",
"log_level=Information"
],
"User": "999:999",
"Mounts": [
{
"Type": "bind",
"Source": "/var/ability/modules/formbuilderui/appsmith-stacks",
"Target": "/appsmith-stacks"
},
{
"Type": "bind",
"Source": "/var/ability/modules/formbuilderui/files",
"Target": "/files"
},
{
"Type": "bind",
"Source": "/var/ability/modules/sharedFiles",
"Target": "/sharedFiles"
}
],
"StopGracePeriod": 10000000000,
"DNSConfig": {},
"Secrets": [
{
"File": {
"Name": "formbuilderui",
"UID": "0",
"GID": "0",
"Mode": 292
},
"SecretID": "r4kfd9wtpdmokg6gynrnprmcc",
"SecretName": "formbuilderui"
}
],
"Isolation": "default"
},
"Resources": {},
"RestartPolicy": {
"Condition": "any",
"Delay": 5000000000,
"MaxAttempts": 0
},
"Placement": {},
"ForceUpdate": 0,
"Runtime": "container"
},
"Mode": {
"Replicated": {
"Replicas": 1
}
},
"UpdateConfig": {
"Parallelism": 1,
"FailureAction": "rollback",
"Monitor": 5000000000,
"MaxFailureRatio": 0,
"Order": "stop-first"
},
"RollbackConfig": {
"Parallelism": 1,
"FailureAction": "pause",
"Monitor": 5000000000,
"MaxFailureRatio": 0,
"Order": "stop-first"
},
"Networks": [
{
"Target": "x7rajl08w0y0oi7fm03iju8hn"
}
],
"EndpointSpec": {
"Mode": "vip"
}
},
"Endpoint": {
"Spec": {
"Mode": "vip"
},
"VirtualIPs": [
{
"NetworkID": "x7rajl08w0y0oi7fm03iju8hn",
"Addr": "10.0.1.192/24"
}
]
}
}
]
Hey, thank for sharing this. We are looking into this currently.
Hello all, thanks for working on the bug. Any solution?
Hey @inmakum19, sorry we're still working on this one. We'll share updates regarding this on this issue when we resolve it. Thank you for sharing your interest.
Hello all, Any solution?
Hey @inmakum19, thanks for sharing your interest in this. This has actually gotten a little more elaborate than we initially expected. We are actually still working on this, figuring out the best path towards this. Thank you for your patience.
@sharat87 is this issue because of superviord software? Just wanted to know if I can contribute here
Hey @anvaravind, thanks for offering! The problem's actually not related to supervisord. The problem is to do with the fact that currently, the Docker image is built assuming commands are run as the root user inside the container. This is usually find, since the container is already a sandbox so the root user shouldn't have any affect on the host.
However, environments like Docker Swarm (and at least OpenShift I think) don't work with this. They need the image to use a user with less privileges than the user. I'm not really sure of the intricacies of why and how this is the case, but that's what we're observing. We're now trying to figure out how best to make this change without breaking existing installations.
Any news? I'm experiencing the same problem in Openshift 4
@ricardosantosmti Are you running as the docker service?
We've solved this for open shift but I'll turn this into a feature request for docker swarm
Is there an existing issue for this?
Current Behavior
appsmith in docker swarm
Since docker swarm doesn't have root privilege's, permissions related issues are throwing when running image inside a docker swarm.
below are the error's from docker service logs.
After initial error below modification is done in docker file
then observed the secondary error
logs
formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Load environment configuration formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Checking environment configuration formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Init database formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Check initialized database formbuilderui.1.nxlxqh55d5ux@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.joehd7ao0aez@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.r1ozq3kz7so5@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.fqmfftx1x0f3@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Checking configuration file formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Load environment configuration formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Checking environment configuration formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Init database formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Check initialized database formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.zr1nngnpgspo@ability-edge-sdk | rm: cannot remove '/etc/letsencrypt/cli.ini': Permission denied
formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Checking configuration file formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Load environment configuration formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Checking environment configuration formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Init database formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Check initialized database formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/backend.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/editor.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,707 INFO Included extra file "/etc/supervisor/conf.d/mongodb.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,708 INFO Included extra file "/etc/supervisor/conf.d/redis.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,708 INFO Included extra file "/etc/supervisor/conf.d/rts.conf" during parsing formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,722 INFO RPC interface 'supervisor' initialized formbuilderui.1.4aqnl6refn06@ability-edge-sdk | 2021-12-10 12:58:13,723 CRIT Server 'inet_http_server' running without any HTTP authentication checking formbuilderui.1.4aqnl6refn06@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.4aqnl6refn06@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.urbo9pbc1qal@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.urbo9pbc1qal@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.juc46ui0xq8e@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.juc46ui0xq8e@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Checking configuration file formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Load environment configuration formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Checking environment configuration formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Init database formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Check initialized database formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Mounting Let's encrypt directory formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,494 INFO Included extra file "/etc/supervisor/conf.d/backend.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,494 INFO Included extra file "/etc/supervisor/conf.d/cron.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,494 INFO Included extra file "/etc/supervisor/conf.d/editor.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,495 INFO Included extra file "/etc/supervisor/conf.d/mongodb.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,495 INFO Included extra file "/etc/supervisor/conf.d/redis.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,495 INFO Included extra file "/etc/supervisor/conf.d/rts.conf" during parsing formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,505 INFO RPC interface 'supervisor' initialized formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | 2021-12-10 12:59:14,506 CRIT Server 'inet_http_server' running without any HTTP authentication checking formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | Error: Cannot open an HTTP server: socket.error reported errno.EACCES (13) formbuilderui.1.p1q9n8k6c9u7@ability-edge-sdk | For help, use /usr/bin/supervisord -h formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Checking configuration file formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Load environment configuration formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Checking environment configuration formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Init database formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Check initialized database formbuilderui.1.kdbfyouwreh5@ability-edge-sdk | Mounting Let's encrypt directory
Steps To Reproduce
Environment
Release
Version
Self-Hosted