search

gristlabs / grist-core

Grist is the evolution of spreadsheets.
https://www.getgrist.com/
Apache License 2.0
7.01k stars 311 forks source link

Rootless container failing on startup on SELinux system #1174

Open josh-hemphill opened 4 weeks ago

josh-hemphill commented 4 weeks ago

Describe the current behavior

Applying the same SELinux file permissions applied to other rootless containers, the grist container stops after printing an unhelpful TLS error during startup.

Steps to reproduce

  1. Configure a grist container with the GRIST_DOCKER_USER and GRIST_DOCKER_GROUP flags set to the same user as flags to set the run-as, and add the :Z flag on any volumes (ensures the container gets singular ownership, and avoids other SELinux issues when sharing between multiple containers)
  2. Use the podman unshare or equivalent to find or set the file permissions to own or have permissions for the UID/GID from the container namespace (from the local perspective it will show a much higher UID/GID number which corresponds to the lower UID/GID number inside the container namespace)
  3. Run it and it should crash.

The resulting error:

Error: connect ECONNREFUSED ::1:443
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1555:16) {
  errno: -111,
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '::1',
  port: 443
}

Which prints after the debug: skipping incomplete language ... gets printed a few times

Describe the expected behavior

Either running or printing a more helpful error

Where have you encountered this bug?

Instance information (when self-hosting only)

Spoffy commented 1 week ago

Hey @josh-hemphill - are you using any custom SELinux policies for your containers?

At a glance, I'm wondering if one the health checks (or similar) is failing on startup due to Grist not having the right policy set to allow it to connect to :443?

Or maybe a tighter firewall setup on Fedora?

I can have a look into this, although my SELinux + Fedora knowledge is pretty limited! :slightly_smiling_face:

josh-hemphill commented 1 week ago

Nothing custom, this was a fresh install of Fedora. I tried looking up anything I could find about container networking on Fedora/RHEL, and all I could find is stuff talking about exposing ports which seems to work fine; I can't find anything about outbound traffic being effected. 🤔