goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

Harbor db image throws ./docker-entrypoint.sh: line 4: //initdb.sh: Permission denied errors after local build. #21006

Open hajnalmt opened 1 month ago

hajnalmt commented 1 month ago

After an install according to the docs, I didn't manage to set up harbor locally because the db didn't start.

Problem description

The logs showed that the entrypoint gets permission denied when it calls the initdb.sh

docker logs harbor-db
./docker-entrypoint.sh: line 4: //initdb.sh: Permission denied
./docker-entrypoint.sh: line 4: //initdb.sh: Permission denied
./docker-entrypoint.sh: line 4: //initdb.sh: Permission denied
...

Reproduce the problem

I built the db as BUILDTARGET, switched the entrypoint to a sleep and indeed initdb.sh is mounted as root not the postgres user.

make build BUILDTARGET=_build_db
...

Execing into the image:

docker exec -it harbor-db sh
sh-5.2$ ls -la
total 80
drwxr-xr-x   1 root     root     4096 Oct  6 16:33 .
drwxr-xr-x   1 root     root     4096 Oct  6 16:33 ..
-rwxr-xr-x   1 root     root        0 Oct  6 16:33 .dockerenv
lrwxrwxrwx   1 root     root        7 Sep  5 22:38 bin -> usr/bin
drwxr-xr-x   1 root     root     4096 Oct  4 07:54 boot
drwxr-xr-x   5 root     root      340 Oct  6 16:33 dev
drwxr-xr-x   1 postgres postgres 4096 Oct  4 07:54 docker-entrypoint-initdb.d
-rwxrw----   1 postgres postgres 3297 Oct  2 21:50 docker-entrypoint.sh
-rwxrw----   1 postgres postgres  439 Oct  2 21:50 docker-healthcheck.sh
drwxr-xr-x   1 root     root     4096 Oct  6 16:33 etc
drwxr-xr-x   1 root     root     4096 Oct  4 07:53 home
-rwxrwx---   1 root     root     4263 Oct  2 21:50 initdb.sh
lrwxrwxrwx   1 root     root        7 Sep  5 22:38 lib -> usr/lib
lrwxrwxrwx   1 root     root        7 Sep  5 22:38 lib64 -> usr/lib
lrwxrwxrwx   1 root     root        9 Sep  5 22:38 media -> run/media
drwxr-xr-x   4 root     root     4096 Sep 13 06:38 mnt
dr-xr-xr-x 499 root     root        0 Oct  6 16:33 proc
drwxr-x---   1 root     root     4096 Oct  4 07:54 root
drwxr-xr-x   1 root     root     4096 Oct  4 07:54 run
lrwxrwxrwx   1 root     root        8 Sep  5 22:38 sbin -> usr/sbin
lrwxrwxrwx   1 root     root        7 Sep  5 22:38 srv -> var/srv
dr-xr-xr-x  13 root     root        0 Oct  6 16:33 sys
drwxrwxrwt   2 root     root     4096 Sep  5 22:38 tmp
-rwxrwx---   1 root     root     1184 Oct  2 21:50 upgrade.sh
drwxr-xr-x   1 root     root     4096 Oct  4 07:54 usr
drwxr-xr-x   1 root     root     4096 Sep 13 06:38 var

The problem is that this script is not added to the chown-ed one in the Dockerfile.

I am curious how this didn't come up for others. I checked and the official image doesn't have this problem because initdb has execute permissions.

docker exec -it harbor-db sh
sh-5.0$ ls -lah 
total 68K
drwxr-xr-x   1 root     root     4.0K Oct  7 07:22 .
drwxr-xr-x   1 root     root     4.0K Oct  7 07:22 ..
-rwxr-xr-x   1 root     root        0 Oct  7 07:22 .dockerenv
lrwxrwxrwx   1 root     root        7 Feb 24  2021 bin -> usr/bin
drwxr-xr-x   1 root     root     4.0K Oct 10  2022 boot
drwxr-xr-x   5 root     root      340 Oct  7 07:22 dev
drwxr-xr-x   1 postgres postgres 4.0K Oct 10  2022 docker-entrypoint-initdb.d
-rwxr--r--   1 postgres postgres 2.5K Oct 10  2022 docker-entrypoint.sh
-rwxr--r--   1 postgres postgres  439 Oct 10  2022 docker-healthcheck.sh
drwxr-xr-x   1 root     root     4.0K Oct  7 07:22 etc
drwxr-xr-x   1 root     root     4.0K Oct 10  2022 home
-rwxr-xr-x   1 root     root     4.2K Oct 10  2022 initdb.sh
lrwxrwxrwx   1 root     root        7 Feb 24  2021 lib -> usr/lib
lrwxrwxrwx   1 root     root        7 Feb 24  2021 lib64 -> usr/lib
lrwxrwxrwx   1 root     root        9 Feb 24  2021 media -> run/media
drwxr-xr-x   4 root     root     4.0K Sep 30  2022 mnt
dr-xr-xr-x 516 root     root        0 Oct  7 07:22 proc
drwxr-x---   2 root     root     4.0K Feb 24  2021 root
drwxr-xr-x   1 root     root     4.0K Oct 10  2022 run
lrwxrwxrwx   1 root     root        8 Feb 24  2021 sbin -> usr/sbin
lrwxrwxrwx   1 root     root        7 Feb 24  2021 srv -> var/srv
dr-xr-xr-x  13 root     root        0 Oct  7 07:22 sys
drwxrwxrwt   2 root     root     4.0K Feb 24  2021 tmp
-rwxr-xr-x   1 root     root     1.2K Oct 10  2022 upgrade.sh
drwxr-xr-x   1 root     root     4.0K Oct 10  2022 usr
drwxr-xr-x   1 root     root     4.0K Sep 30  2022 var

Same is true for upgrade.sh

I have a fairly old compose version:

hajnalmt commented 1 month ago

There were PRs regarding this, but they were disregarded because the user supposedly used an ARM-based system. https://github.com/goharbor/harbor/pull/18766 I am using amd.

dpkg --print-architecture
amd64

I have an 11th gen Intel CPU.

lscpu | grep "Model name"
Model name:                           11th Gen Intel(R) Core(TM) i5-11500H @ 2.90GHz

With Ubuntu as OS:

cat /etc/os-release  | head -1
PRETTY_NAME="Ubuntu 22.04.4 LTS"
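
The two `ls` listings in the report differ only in mode bits: `initdb.sh` and `upgrade.sh` are root-owned with `-rwxrwx---` in the local build and `-rwxr-xr-x` in the official image. The sketch below is an added example, not part of the issue or of Harbor's code; it applies the owner/group/other selection rule to those lines, assuming the container process runs as user `postgres` with group `postgres` (the function names are hypothetical).

```shell
#!/bin/sh
# Succeeds if non-root USER (in the space-separated GROUPS) may execute the
# file described by one `ls -l` line. Only one permission class applies:
# owner bits if USER owns the file, else group bits, else other bits.
can_exec() {
    ce_user=$1 ce_groups=$2
    set -f                      # no globbing while splitting the ls line
    set -- $3
    set +f
    ce_mode=$1 ce_owner=$3 ce_group=$4
    if [ "$ce_user" = "$ce_owner" ]; then
        ce_pos=4
    else
        case " $ce_groups " in
            *" $ce_group "*) ce_pos=7 ;;
            *)               ce_pos=10 ;;
        esac
    fi
    case $(printf %s "$ce_mode" | cut -c"$ce_pos") in
        x|s|t) return 0 ;;      # s/t mean the execute bit is set as well
        *)     return 1 ;;
    esac
}

# Reads an `ls -l` listing on stdin and prints every regular *.sh file
# that USER ($1, member of groups $2) cannot execute.
blocked_scripts() {
    while IFS= read -r bs_line; do
        case $bs_line in
            -*.sh) can_exec "$1" "$2" "$bs_line" || printf '%s\n' "${bs_line##* }" ;;
        esac
    done
}

# Script entries copied from the two listings in the issue.
LOCAL_BUILD='-rwxrw----   1 postgres postgres 3297 Oct  2 21:50 docker-entrypoint.sh
-rwxrw----   1 postgres postgres  439 Oct  2 21:50 docker-healthcheck.sh
-rwxrwx---   1 root     root     4263 Oct  2 21:50 initdb.sh
-rwxrwx---   1 root     root     1184 Oct  2 21:50 upgrade.sh'
OFFICIAL='-rwxr--r--   1 postgres postgres 2.5K Oct 10  2022 docker-entrypoint.sh
-rwxr--r--   1 postgres postgres  439 Oct 10  2022 docker-healthcheck.sh
-rwxr-xr-x   1 root     root     4.2K Oct 10  2022 initdb.sh
-rwxr-xr-x   1 root     root     1.2K Oct 10  2022 upgrade.sh'

echo "local build, not executable by postgres:"
printf '%s\n' "$LOCAL_BUILD" | blocked_scripts postgres postgres
```

The same function can be fed `ls -l /` from a freshly built image as a post-build check, so a script that the runtime user cannot execute is caught before the container enters a restart loop.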