docker-library / redmine

Docker Official Image packaging for Redmine
GNU General Public License v2.0

Running as an arbitrary user failed #259

Closed fhaefemeier closed 2 years ago

fhaefemeier commented 2 years ago

Following the documentation on Docker Hub, I start my redmine setup (4-alpine image) with a dedicated user/group id.

networks:
  redmine:
    external:
      name: internal_net

volumes:
  files:
  plugins:

services:
  redmine:
    image: redmine:4-alpine
    user: "1005:1005"
    environment:
# ------ Redmine configuration
      REDMINE_DB_POSTGRES: ${REDMINE_DB_POSTGRES}
      REDMINE_DB_USERNAME: ${REDMINE_DB_USERNAME}
      REDMINE_SECRET_KEY_BASE: ${REDMINE_SECRET_KEY_BASE}
      REDMINE_DB_PASSWORD: ${REDMINE_DB_PASSWORD}
# ------ Force correct time zone
      TZ: Europe/Berlin
    volumes:
      - "files:/usr/src/redmine/files"
      - "plugins:/usr/src/redmine/plugins"
      - "./configuration.yml:/usr/src/redmine/config/configuration.yml"
      - "./additional_environment.rb:/usr/src/redmine/config/additional_environment.rb"
    depends_on:
      - database
    networks:
      redmine:
    restart: on-failure

After starting the service the log shows following message:

redmine_1   | The Gemfile's dependencies are satisfied
redmine_1   | rake aborted!
redmine_1   | Could not create directory /usr/src/redmine/public/plugin_assets/redmine_issue_todo_lists/javascripts: Permission denied @ dir_s_mkdir - /usr/src/redmine/public/plugin_assets/redmine_issue_todo_lists
redmine_1   | /usr/src/redmine/lib/redmine/plugin.rb:458:in `rescue in mirror_assets'
redmine_1   | /usr/src/redmine/lib/redmine/plugin.rb:455:in `mirror_assets'

Maybe I miss something...

wglambert commented 2 years ago

I'm not able to reproduce, since it's permissions related it's either something with the volume mounts or maybe pre-existing data with the named volumes

docker-compose logs

docker-compose.yml

version: '3.1'

volumes:
  files:
  plugins:

services:

  redmine:
    image: redmine:4-alpine
    user: "1005:1005"
    environment:
# ------ Redmine configuration
      REDMINE_DB_POSTGRES: db
      REDMINE_DB_USERNAME: redmine
      REDMINE_DB_PASSWORD: pass
# ------ Force correct time zone
      TZ: Europe/Berlin
    volumes:
      - "files:/usr/src/redmine/files"
      - "plugins:/usr/src/redmine/plugins"
  db:
    image: postgres
    restart: always
    environment:
      POSTGRES_PASSWORD: pass
      POSTGRES_USER: redmine

fhaefemeier commented 2 years ago

I started with a fresh installation (like you) and everything seems fine. The rails server process is running under the right user id and no errors happen during start time. I did not make any further application tests... After that I copied the plugin redmine_issue_todo_lists into the docker volume with the command

docker run --rm -u 999:1000 -v test_plugins:/plugins -v ${PWD}/plugins:/download -it alpine \
    cp -r /download/redmine_issue_todo_lists /plugins

I have to use the user 999:1000 because this is the ownership of the docker volume created by docker-compose during the first docker-compose up -d call (as for all files and directories inside of the container). After this I restart redmine with docker-compose restart redmine. The same error happens as described in my original message. It seems someone/something tries to transfer files into the directory /usr/src/redmine/public/plugin_assets. It isn't possible because the container is started with user 1005:1005, but all files and directories inside the container have ownership 999:1000.

It makes no difference to use up -d instead of restart.

Taking a look into docker-entrypoint.sh, I am wondering if _fix_permissions is working as expected, because it is running under user 1005 but the directories have ownership 999 and it only changes the permissions.

tianon commented 2 years ago

Unfortunately I'm not sure there's much more we can do to help here -- I'd suggest trying a dedicated support forum, such as the Docker Community Forums, the Docker Community Slack, or Stack Overflow.

fhaefemeier commented 2 years ago

It is, in my opinion, not a general docker issue. It is related to how the docker-entrypoint.sh script initialises your image, setting for example permissions in the function _fix_permissions. But I solved it by creating my own image using your image as base and setting the permissions on my own, beside other stuff needed to get it running well in my environment. Thanks for your time.

bmaehr commented 3 months ago

The issue is still not solved. @wglambert was on the right track to reproduce it, but he needs to add a plugin with assets to the installation - the assets will be extracted to /usr/src/redmine/public/plugin_assets, but there is no permission.

Workaround: create a mount for public/plugin_assets and set correct permissions.
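
To make the root cause behind this workaround concrete, here is a small preflight check, added here and not part of the thread or the redmine image, that models the kernel's owner/group/other write check and the owner-only rule for chmod against the plugin_assets path named above. DirInfo, can_write, can_chmod, preflight and from_stat are hypothetical helper names, and the uid/gid/mode values are constructed from the numbers quoted in the thread.

```python
"""Models the failure in this thread: the container runs as 1005:1005 while the
image's directories are owned by 999:1000, so mkdir below public/plugin_assets
fails and a chmod-only fixup run as that user cannot repair it."""
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class DirInfo:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o755

def can_write(d: DirInfo, uid: int, gid: int) -> bool:
    """Discretionary access as the kernel evaluates it for a non-root process:
    owner bits if the uid matches, else group bits if the gid matches, else other."""
    if uid == 0:
        return True
    if uid == d.uid:
        return bool(d.mode & stat.S_IWUSR)
    if gid == d.gid:
        return bool(d.mode & stat.S_IWGRP)
    return bool(d.mode & stat.S_IWOTH)

def can_chmod(d: DirInfo, uid: int) -> bool:
    """chmod(2) is allowed only for the owner or root (CAP_FOWNER), so a
    non-owner process cannot loosen the mode either."""
    return uid in (0, d.uid)

def preflight(dirs, uid: int, gid: int) -> list:
    """Paths the given uid:gid can neither write to nor chmod: these are the
    mounts whose ownership must be fixed before the container starts."""
    return [d.path for d in dirs if not can_write(d, uid, gid) and not can_chmod(d, uid)]

def from_stat(path: str) -> DirInfo:
    """Read a real directory (e.g. inside a mounted volume) into a DirInfo."""
    st = os.stat(path)
    return DirInfo(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

# Constructed sample data (hypothetical, not captured from a real container).
PLUGIN_ASSETS = "/usr/src/redmine/public/plugin_assets"
BEFORE = [DirInfo(PLUGIN_ASSETS, 999, 1000, 0o755)]   # ownership as shipped in the image
AFTER = [DirInfo(PLUGIN_ASSETS, 1005, 1005, 0o755)]   # after chowning the mount to the run user

if __name__ == "__main__":
    print("blocked before:", preflight(BEFORE, 1005, 1005))  # the plugin_assets path
    print("blocked after: ", preflight(AFTER, 1005, 1005))   # []
```

Pointing from_stat at the mounted volume directories before docker-compose up shows the same result for a real tree without having to wait for rake to abort.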

tianon commented 3 months ago

See https://github.com/docker-library/redmine/issues/336, especially https://github.com/docker-library/redmine/issues/336#issuecomment-2195404449 for some more recent discussion of this same issue.