Open themowski opened 1 year ago
Thanks @themowski - yes when you say "(Note, however, that the ckan/ckan-docker-base version of this script does not use sudo, so presumably this override file got out of sync with upstream.)" thats exactly what has happened. I'll sort out a way to make this more robust. Thanks for your help. Oh and using the -e
option is probably better. No reason for not using it
@kowh-ai would a possible fix for this be to simply install sudo
? Perhaps including apk add sudo
at the top of the start_ckan.sh
script? If that's the case, I would be happy to open a PR for this.
sudo
was removed about the same time last year commit: a7f14ddadd5d850dd7a8bd65666a87c2332e9cd0
Thanks for the update @kowh-ai! I think the start_ckan.sh.override
(in ckan-docker) will need to be updated to match.
https://github.com/ckan/ckan-docker/blob/b70bd393692e257894b2687066c0b95ba442e116/ckan/setup/start_ckan.sh.override#L19
It wasn't clear to me what the process for deploying ckan using docker was, so we used the ckan/ckan-docker repo as a template to start from. If there's a better approach, we'd be glad to hear it.
Otherwise, I'm happy to open a PR in the ckan-docker repo to update both start_ckan.sh.override
and start_ckan_development.sh.override
to match their respective scripts in ckan-docker-base.
Thanks again for all your work on CKAN :)
EDIT: I see you have a PR opened already for this: https://github.com/ckan/ckan-docker/pull/150
Overview
The
ckan/setup/start_ckan.sh.override
file usessudo
to impersonate theckan
user. However,sudo
is not available in the Alpine-based container images. As a result, if you follow the instructions in step 5 of the top-levelREADME.md
and install the override script to create a customckan
image, the script fails when a container is started with that custom image (see the "Demonstration" section).I did not try to build the development image, but looking at the corresponding override file, this error also affects that one.
As a note, it appears that the
start_ckan.sh.override
script is a copy ofckan-2.10/base/setup/start_ckan.sh
in theckan/ckan-docker-base
repo. (Note, however, that theckan/ckan-docker-base
version of this script does not usesudo
, so presumably this override file got out of sync with upstream.) Similarly, thestart_ckan_development.sh.override
file seems to be a copy ofckan-2.10/dev/setup/start_ckan_development.sh
in theckan/ckan-docker-base
repo.It would probably be worth adding comments to the override files or to the
README
stating this, so that people who encounter issues with these in the future can understand how they relates to the base images.Demonstration
I cloned the current
master
(commit 6bbc482e0) and made this change tockan/Dockerfile
:Then, I ran
docker compose build
anddocker compose up
. Theckan
container eventually died. Here are its logs, minus some extremely lengthy traceback that I believe occurs because the invocation ofsudo python3 prerun.py
fails due tosudo
:Suggested Fixes
For the
start_ckan.sh.override
file, remove the instances ofsudo -u ckan -EH
from the file. It's worth pointing out that this results in the application running as root, which might not be ideal.It's also worth noting that because the script does not run with the
-e
flag, the firstsudo
call in the current script does not cause the container to die immediately. I verified that changing the shebang line to#!/bin/sh -e
causes the script to fail as soon as that firstsudo
is hit, but I don't know if that's really desirable; are some failures OK or expected? (This is really an upstreamckan/ckan-docker-base
question; if there is interest, I can log an issue there as well, if needed.)For
start_ckan_development.sh.override
, the approach is less clear, since I haven't actually tested it. Removingsudo -u ckan -EH
probably needs to happen. However, theckan/ckan-docker-base
version of the script has an extrasu
command on the last line that appears to be used to run CKAN as theckan
user.Maybe using
su ckan -c ...
is the best path forward for both override scripts? I don't know enough about how CKAN runs / expects to run to say for sure, but it is worth noting that this difference exists.