dokku / ansible-dokku

Ansible modules for installing and configuring Dokku
MIT License

Plugins not accessible by dokku user #71

Closed manelclos closed 4 years ago

manelclos commented 4 years ago

If you're using Dokku - especially for commercial purposes - consider donating to project development via OpenCollective or Patreon. Funds go to general development, support, and infrastructure costs.

If you'd like to sponsor specific functionality, see the project's Sponsoring document.

If you need support for a version of Dokku that is more than a year old, your issue may be closed without an answer. Please upgrade to a recent version before filing an issue.

Description of problem

When installing a plugin, the files are owned by root. Given the umask we are using, the files are NOT accessible by the dokku user.

How reproducible

Every time

Steps to Reproduce

    - role: dokku_bot.ansible_dokku
      vars:
        dokku_plugins:
          - name: clone
            url: https://github.com/crisward/dokku-clone.git

ansible-playbook dokku.yml --tags dokku-plugins

Actual Results

See that all plugins are owned by dokku, but clone is not:

lrwxrwxrwx 1 dokku dokku   44 Jun 15 17:05 checks -> /var/lib/dokku/core-plugins/available/checks/
drwxr-x--- 4 root  root  4096 Jun 16 16:37 clone/
lrwxrwxrwx 1 dokku dokku   44 Jun 15 17:05 common -> /var/lib/dokku/core-plugins/available/common/

Expected Results

Correct ownership of files

Environment Information

dokku report APP_NAME output

-----> uname: Linux xxxx 5.6.1-x86_64-linode134 #1 SMP PREEMPT Wed Apr 1 22:25:48 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
-----> memory:
              total        used        free      shared  buff/cache   available
Mem:           7944         233        6960           0         749        7710
Swap:           511           0         511
-----> docker version:
Client: Docker Engine - Community
 Version:           19.03.11
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        42e35e61f3
 Built:             Mon Jun 1 09:12:22 2020
 OS/Arch:           linux/amd64
 Experimental:      false

   Server: Docker Engine - Community
    Engine:
     Version:          19.03.11
     API version:      1.40 (minimum version 1.12)
     Go version:       go1.13.10
     Git commit:       42e35e61f3
     Built:            Mon Jun  1 09:10:54 2020
     OS/Arch:          linux/amd64
     Experimental:     false
    containerd:
     Version:          1.2.13
     GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
    runc:
     Version:          1.0.0-rc10
     GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
    docker-init:
     Version:          0.18.0
     GitCommit:        fec3683

-----> docker daemon info:
Client:
 Debug Mode: true

   Server:
    Containers: 0
     Running: 0
     Paused: 0
     Stopped: 0
    Images: 1
    Server Version: 19.03.11
    Storage Driver: overlay2
     Backing Filesystem: extfs
     Supports d_type: true
     Native Overlay Diff: false
    Logging Driver: json-file
    Cgroup Driver: cgroupfs
    Plugins:
     Volume: local
     Network: bridge host ipvlan macvlan null overlay
     Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
    Swarm: inactive
    Runtimes: runc
    Default Runtime: runc
    Init Binary: docker-init
    containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
    runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
    init version: fec3683
    Security Options:
     seccomp
      Profile: default
    Kernel Version: 5.6.1-x86_64-linode134
    Operating System: Ubuntu 18.04.4 LTS
    OSType: linux
    Architecture: x86_64
    CPUs: 4
    Total Memory: 7.758GiB
    Name: XXXX
    ID: QJX4:MGZE:57RC:YUOU:OL2M:TRPY:MKIG:MJBV:ZJYF:EZEJ:TTPF:PH7Q
    Docker Root Dir: /var/lib/docker
    Debug Mode: false
    Registry: https://index.docker.io/v1/
    Labels:
    Experimental: false
    Insecure Registries:
     127.0.0.0/8
    Live Restore Enabled: false

-----> sigil version: 0.6.0
-----> herokuish version:
       herokuish: 0.5.5
       buildpacks:
         heroku-buildpack-multi     v1.0.0
         heroku-buildpack-ruby      v207
         heroku-buildpack-nodejs    v166
         heroku-buildpack-clojure   v84
         heroku-buildpack-python    v162
         heroku-buildpack-java      v66
         heroku-buildpack-gradle    v31
         heroku-buildpack-scala     v86
         heroku-buildpack-play      v26
         heroku-buildpack-php       v166
         heroku-buildpack-go        v136
         buildpack-nginx            v12
-----> dokku version: dokku version 0.19.11
-----> dokku plugins:
       plugn: 0.3.2
         00_dokku-standard      0.19.11 enabled    dokku core standard plugin
         20_events              0.19.11 enabled    dokku core events logging plugin
         app-json               0.19.11 enabled    dokku core app-json plugin
         apps                   0.19.11 enabled    dokku core apps plugin
         builder-dockerfile     0.19.11 enabled    dokku core builder-dockerfile plugin
         builder-herokuish      0.19.11 enabled    dokku core builder-herokuish plugin
         buildpacks             0.19.11 enabled    dokku core buildpacks plugin
         certs                  0.19.11 enabled    dokku core certificate management plugin
         checks                 0.19.11 enabled    dokku core checks plugin
cat: /var/lib/dokku/plugins/available/clone/plugin.toml: Permission denied
panic: interface conversion: interface {} is nil, not map[string]interface {}

goroutine 1 [running]:
main.TomlGet(0xc000010080, 0x2, 0x2)
        github.com/dokku/plugn/plugn.go:30 +0x2d1
github.com/progrium/go-basher.(*Context).HandleFuncs(0xc000096280, 0xc000010050, 0x5, 0x5, 0x0)
        /go/pkg/mod/github.com/progrium/go-basher@v0.0.0-20150902213704-ad5de635edd1/basher.go:195 +0x26d
github.com/progrium/go-basher.ApplicationWithPath(0xc000043e48, 0xc000043e78, 0x4, 0x4, 0x62cde8, 0x1, 0xc000016420, 0x18)
        /go/pkg/mod/github.com/progrium/go-basher@v0.0.0-20150902213704-ad5de635edd1/basher.go:77 +0x19c
github.com/progrium/go-basher.Application(0xc000043e48, 0xc000043e78, 0x4, 0x4, 0x62cde8, 0x660d01)
        /go/pkg/mod/github.com/progrium/go-basher@v0.0.0-20150902213704-ad5de635edd1/basher.go:58 +0x1ce
main.main()
        github.com/dokku/plugn/plugn.go:102 +0x396
cat: /var/lib/dokku/plugins/available/clone/plugin.toml: Permission denied
panic: interface conversion: interface {} is nil, not map[string]interface {}

goroutine 1 [running]:
main.TomlGet(0xc000096030, 0x2, 0x2)
        github.com/dokku/plugn/plugn.go:30 +0x2d1
github.com/progrium/go-basher.(*Context).HandleFuncs(0xc0000aa280, 0xc000096000, 0x5, 0x5, 0x0)
        /go/pkg/mod/github.com/progrium/go-basher@v0.0.0-20150902213704-ad5de635edd1/basher.go:195 +0x26d
github.com/progrium/go-basher.ApplicationWithPath(0xc000073e48, 0xc000073e78, 0x4, 0x4, 0x62cde8, 0x1, 0xc0000ae180, 0x18)
        /go/pkg/mod/github.com/progrium/go-basher@v0.0.0-20150902213704-ad5de635edd1/basher.go:77 +0x19c
github.com/progrium/go-basher.Application(0xc000073e48, 0xc000073e78, 0x4, 0x4, 0x62cde8, 0x660d01)
        /go/pkg/mod/github.com/progrium/go-basher@v0.0.0-20150902213704-ad5de635edd1/basher.go:58 +0x1ce
main.main()
        github.com/dokku/plugn/plugn.go:102 +0x396
         clone                          enabled
         common                 0.19.11 enabled    dokku core common plugin
         config                 0.19.11 enabled    dokku core config plugin
         docker-options         0.19.11 enabled    dokku core docker-options plugin
         domains                0.19.11 enabled    dokku core domains plugin
         enter                  0.19.11 enabled    dokku core enter plugin
         git                    0.19.11 enabled    dokku core git plugin
         logs                   0.19.11 enabled    dokku core logs plugin
         network                0.19.11 enabled    dokku core network plugin
         nginx-vhosts           0.19.11 enabled    dokku core nginx-vhosts plugin
         plugin                 0.19.11 enabled    dokku core plugin plugin
         proxy                  0.19.11 enabled    dokku core proxy plugin
         ps                     0.19.11 enabled    dokku core ps plugin
         repo                   0.19.11 enabled    dokku core repo plugin
         resource               0.19.11 enabled    dokku core resource plugin
         scheduler-docker-local 0.19.11 enabled    dokku core scheduler-docker-local plugin
         shell                  0.19.11 enabled    dokku core shell plugin
         ssh-keys               0.19.11 enabled    dokku core ssh-keys plugin
         storage                0.19.11 enabled    dokku core storage plugin
         tags                   0.19.11 enabled    dokku core tags plugin
         tar                    0.19.11 enabled    dokku core tar plugin
         trace                  0.19.11 enabled    dokku core trace plugin

This is required! Issues missing this information may be closed.

For problems affecting all applications, the report output for a broken application is useful for our debugging. In these cases, you may run dokku report without any arguments to display the top-level reporting information.

How (deb/make/rpm) and where (AWS, VirtualBox, physical, etc.) was Dokku installed?:

Installed using ansible-dokku
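An added example, not code from the ansible-dokku role, from Dokku, or from the issue author. The `drwxr-x---` (750) mode on the `clone` directory above is exactly what a directory created under umask 027 gets, which is the inference behind the first helper; the second helper is the check a defender can run over `/var/lib/dokku/plugins/available` after a playbook run to catch entries the service user cannot traverse. It assumes GNU coreutils (`stat -c`, `mktemp -d`); the service-user name and directory are parameters you supply.

```sh
#!/bin/sh
# Added example, not from the ansible-dokku role, Dokku, or the issue author.
# Assumes GNU coreutils (stat -c, mktemp -d).
#
#   mode_under_umask  - mode a root-run plugin install produces under a
#                       given umask (027 yields 750 = drwxr-x---, matching
#                       the ls -l in the issue; 022 yields 755)
#   audit_plugin_dir  - flags entries of a plugin directory that the
#                       unprivileged service user could not read and
#                       traverse: owned by someone else and missing r-x
#                       for "other"

# Print the octal mode of a directory created under the given umask.
mode_under_umask() {
    scratch="$(mktemp -d)"
    ( umask "$1" && mkdir "$scratch/plugin" )
    stat -c %a "$scratch/plugin"
    rm -rf "$scratch"
}

# audit_plugin_dir DIR SERVICE_USER
# Print "<entry> <owner>:<group> <mode>" for each entry of DIR that
# SERVICE_USER (e.g. dokku) cannot reach because another user owns it and
# the "other" bits lack r-x. Returns 1 if anything was flagged, else 0.
# Group membership is deliberately ignored (group-only access is flagged
# too); the case in the issue, root:root with 750, is caught either way.
# Symlinks are judged by their own mode (lrwxrwxrwx), not their target.
audit_plugin_dir() {
    dir="$1"
    service_user="$2"
    flagged=0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        owner="$(stat -c %U "$entry")"
        [ "$owner" = "$service_user" ] && continue
        mode="$(stat -c %a "$entry")"
        other="${mode#"${mode%?}"}"   # last octal digit = "other" permissions
        if [ $(( other & 5 )) -ne 5 ]; then
            printf '%s %s:%s %s\n' "$entry" "$owner" "$(stat -c %G "$entry")" "$mode"
            flagged=1
        fi
    done
    return "$flagged"
}

# Stand-alone usage on a real host (paths and user are Dokku's defaults):
#   audit_plugin_dir /var/lib/dokku/plugins/available dokku
```

Run the audit as a post-task in the playbook (or from cron) and treat a non-zero exit as a failed deploy; that turns the `Permission denied` plugn panic in the report above into a clear ownership finding before `dokku` itself trips over it.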

josegonzalez commented 4 years ago

Did you install anything to harden permissions, such as pam_umask?

manelclos commented 4 years ago

@josegonzalez yes, https://github.com/dev-sec/ansible-os-hardening, which sets a more conservative umask. Though the base plugins are owned by the dokku user and this is not a problem.

josegonzalez commented 4 years ago

Did this ansible-os-hardening thing suddenly get posted somewhere fancy? Seems like it came up here as well...

manelclos commented 4 years ago

I found it on ansible galaxy while searching for some other packages. I started using it a couple of months ago, and yes, the umask thing forces little changes on other procedures as well.

josegonzalez commented 4 years ago

Do you know if there are any other issues with umask usage?

manelclos commented 4 years ago

If you mean issues related to dokku, I just started using ansible-dokku to build a devel server, so this is the first time in combination with os-hardening. I tried it because a co-worker is already using dokku, but he is using the standalone installer and not in combination with the os-hardening role.

josegonzalez commented 4 years ago

Closing as this should be fixed via https://github.com/dokku/dokku/pull/4074 (and released in 0.21.3).