Open joerg opened 1 year ago
Hello there,
I am passing this to the engineering team based on the previous issue that was opened.
Just as a heads up: The same problem/error exists for all other docker images, especially the key-connector which is not included in the unified build and also the separate images.
Same here when hosting on Azure App Service with external mount (Storage --> File Share)
Disclaimer: This is a copy of https://github.com/bitwarden/server/issues/2989, since the Docker part moved to this repo
Steps To Reproduce
Actual Result
The logs show a "permission denied" error when trying to set the permissions for /etc/bitwarden. This happens in the unified and the regular containers. The exact line of code producing the error is, for the regular installation, this one: https://github.com/bitwarden/server/blob/master/src/Admin/entrypoint.sh#L33 and, for the unified one, this: https://github.com/bitwarden/server/blob/master/docker-unified/entrypoint.sh#L97.
After some investigation the underlying problem seems to be that the application user is created in the entrypoint.sh script, and thus the /etc/bitwarden directory is owned by root:root during container creation when the mount is happening. Changing permissions on a mounted directory is not possible afterwards, so the application does not have permissions to /etc/bitwarden during runtime and does not work.
Screenshots or Videos
No response
Additional Context
Best practice by Docker seems to be to create the user with an explicit UID/GID during the image creation and not during container startup (source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user). A change of this explicit UID/GID should then not be done in the entrypoint script but by utilizing a remap as suggested by Docker: https://docs.docker.com/engine/security/userns-remap/
Build Version
https://github.com/bitwarden/server/commit/8d9ca424a1ec2079cc2508be5c23a4883987ea69-dirty and 2023.4.3
Environment
Self-Hosted
Environment Details
Tested on various setups including:
Issue Tracking Info
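The following is an added illustration of the pattern the issue recommends, not Bitwarden's own entrypoint.sh or Dockerfile. It assumes the application user has already been created at image build time with a fixed UID/GID (for example with `useradd -u 1000` in the Dockerfile) and that the config directory was chowned to that user in the same image layer. At container start the script then only verifies ownership of the mounted directory and fails fast with a remediation hint, instead of attempting a chown that cannot succeed on a bind mount such as an Azure File Share. The directory path, UID and environment variable names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the project's code): entrypoint fragment that checks, but
# never changes, the ownership of a mounted config directory.
#
# Assumed Dockerfile side (not shown here, assumption for the example):
#   ARG APP_UID=1000
#   RUN useradd -u "$APP_UID" -U -M -s /usr/sbin/nologin app \
#    && mkdir -p /etc/bitwarden && chown app:app /etc/bitwarden
#   USER app

CONFIG_DIR="${CONFIG_DIR:-/etc/bitwarden}"   # assumed path
APP_UID="${APP_UID:-1000}"                    # assumed build-time UID

# check_dir_owner DIR UID
# Returns 0 if DIR exists and is owned by UID, 1 if it is owned by someone
# else, and 2 if DIR does not exist or cannot be inspected.
check_dir_owner() {
    dir=$1
    want_uid=$2
    [ -d "$dir" ] || return 2
    have_uid=$(stat -c '%u' "$dir" 2>/dev/null) || return 2
    [ "$have_uid" = "$want_uid" ]
}

# owner_hint DIR UID
# Prints (to stdout) what an operator should do when the mount is owned by
# the wrong user. No chown is attempted: on a mount created before the
# container started that would just reproduce the "permission denied".
owner_hint() {
    dir=$1
    want_uid=$2
    have_uid=$(stat -c '%u' "$dir" 2>/dev/null || echo unknown)
    echo "$dir is owned by uid $have_uid but the application runs as uid $want_uid."
    echo "Fix ownership on the host/mount source, or run the container with a"
    echo "UID/GID mapping (user namespace remap) so uid $want_uid maps to the mount owner."
}

# main: the only part that has side effects; exits non-zero on mismatch.
main() {
    if check_dir_owner "$CONFIG_DIR" "$APP_UID"; then
        echo "config dir $CONFIG_DIR owned by uid $APP_UID, starting"
        return 0
    fi
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "config dir $CONFIG_DIR is missing or unreadable" >&2
    else
        owner_hint "$CONFIG_DIR" "$APP_UID" >&2
    fi
    return 1
}

# Run the check only when explicitly requested, so the functions can also be
# sourced from another script.
if [ "${RUN_ENTRYPOINT_CHECK:-0}" = 1 ]; then
    main || exit 1
fi
```

Running with `RUN_ENTRYPOINT_CHECK=1 CONFIG_DIR=/etc/bitwarden APP_UID=1000 sh entrypoint.sh` prints a clear ownership mismatch instead of a bare "permission denied", and because ownership is fixed at build time the same check passes regardless of whether the directory is a regular path or an external mount prepared with the matching UID.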