guillaumedsde / alpine-qbittorrent-openvpn

qBittorrent docker container with OpenVPN client running as unprivileged user on alpine linux
https://guillaumedsde.gitlab.io/alpine-qbittorrent-openvpn/
GNU General Public License v3.0

cont-init: Permission Denied #136

Closed Moonlight63 closed 2 years ago

Moonlight63 commented 2 years ago

Information

Permission issue with latest update. I don't know what exactly changed between the last tag and latest, because it looks like a simple version bump, but the container no longer starts. Here's the output:

latest: Pulling from guillaumedsde/alpine-qbittorrent-openvpn
Digest: sha256:96c69262657f534370fc63deddd825ee66dd3be13fb0eff6761ba4588b3fa389
Status: Image is up to date for guillaumedsde/alpine-qbittorrent-openvpn:latest
docker.io/guillaumedsde/alpine-qbittorrent-openvpn:latest
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/01-setup-permissions
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/cont-init: line 14: /etc/cont-init.d/01-setup-permissions: Permission denied
cont-init: info: /etc/cont-init.d/01-setup-permissions exited 126
cont-init: info: running /etc/cont-init.d/02-setup-openvpn
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/cont-init: line 14: /etc/cont-init.d/02-setup-openvpn: Permission denied
cont-init: info: /etc/cont-init.d/02-setup-openvpn exited 126
cont-init: info: running /etc/cont-init.d/03-setup-iptables
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/cont-init: line 14: /etc/cont-init.d/03-setup-iptables: Permission denied
cont-init: info: /etc/cont-init.d/03-setup-iptables exited 126
cont-init: warning: some scripts exited nonzero
s6-rc: warning: unable to start service legacy-cont-init: command exited 1
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Rolling the container back to tag d6b9285 solves the problem.

Current setup

information about your current setup

docker image tag (ex: python, latest, 32242d1 ...) latest
docker image hash (ex: 603b78e07727) e1503e094b62 I think?

docker-compose.yml file or docker run command

how did you start the container? (don't forget to use backticks for creating a proper code block)

I am running the container as part of my LibreELEC installation, so yes, it is a little different, but it's still just docker. This is the run command inside of a bash script that is called by a systemd service. The variables are set by the GUI interface in kodi. I know the run command works fine because it still works with the older tag.

docker run --cap-add=NET_ADMIN --name="$name" \
           -e PUID="$E_PUID" \
           -e PGID="$E_PGID" \
           -e TZ="$TIMEZONE" \
           -e OPENVPN_PROVIDER="$vpn_provider" \
           -e OPENVPN_CONFIG="$vpn_config" \
           -e OPENVPN_USERNAME="$vpn_username" \
           -e OPENVPN_PASSWORD="$vpn_password" \
           -e PIA_OPENVPN_CONFIG_BUNDLE=openvpn-tcp \
           -e DNS=1.1.1.1 \
           -e LAN=192.168.0.0/16 \
           -v "${V_data}/downloads/qbittorrent":/downloads \
           -v "${V_data}/configs/qbittorrent":/config \
           -v /etc/localtime:/etc/localtime:ro \
           -p 8080:8080 \
           --net=htpc \
           --dns 1.1.1.1 \
           --dns 8.8.8.8 \
           guillaumedsde/alpine-qbittorrent-openvpn:latest

Attempted Fix(es)

What you have tried in order to fix the issue (if anything)

Rolled back to previous container tag: d6b9285. That fixes everything. I tried running with different PUID PGID variables and confirmed file permissions at all mount points. That doesn't seem to be the problem. The problem appears to be with s6 and permissions inside the container. I also tried the python tag, and 66dc184. They also fail. The development tag also works fine as of this very moment, but I will stick with the fixed tag for now since it won't get the new update.

Mibo5354 commented 2 years ago

I can confirm that the same issue exists on Ubuntu 20.04. Reverting back to https://github.com/guillaumedsde/alpine-qbittorrent-openvpn/commit/d6b9285e298bd8a192928e124ee198e7bdefee45 solves the issue.

Moonlight63 commented 2 years ago

Good, it's not just me then!

nomisunrider commented 2 years ago

Need to add executable bit to rootfs/etc/

cont-init.d/01-setup-permissions
cont-init.d/02-setup-openvpn
cont-init.d/03-setup-iptables

openvpn/modify-openvpn-config.sh

Maybe this too:

openvpn/modify-openvpn-config.sh

Hukuma1 commented 2 years ago

Woke up to this. Thanks for submitting it!

Moonlight63 commented 2 years ago

> Need to add executable bit to rootfs/etc/
>
> cont-init.d/01-setup-permissions
> cont-init.d/02-setup-openvpn
> cont-init.d/03-setup-iptables
>
> openvpn/modify-openvpn-config.sh
>
> Maybe this too:
>
> openvpn/modify-openvpn-config.sh

Is there a way for me to change the file permissions without modifying the docker container or creating a new one? In my case, I am kind of relying on my script pulling the container straight from docker hub, I'd rather not have to clone the repo and keep a local copy of the docker files. It would be simple enough to solve if I was able to make a fork and change what I need, but I'm not. Maybe if there is a way to run a command in the container before the container runs its init?

GNUGradyn commented 2 years ago

Just switched my docker installation from snapcraft to apt. Started seeing this

guillaumedsde commented 2 years ago

Hi everyone, apologies for that, I had not pinned the s6 overlay's version, so rebuilding the image upgraded it to 3.x, which deprecates modifying permissions at runtime.

This project lacks any form of automated testing which is why this change was committed a bit too blindly.

Permission management is something that needs refactoring, in the meantime, I've reverted back to installing the s6 overlay version 2.x from the GitHub releases (as Alpine repositories don't keep older releases). I've tested it locally and everything seems to work correctly as of this commit.

Apologies again for the troubles, let me know if everything is fixed, I will close the issue
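An automated check of the kind the comment above says the project lacks, as an added example that is not part of the thread or the project's code: one function flags init scripts without the owner-executable bit before an image is published, the other picks the `exited 126` scripts out of start-up output in the format shown in the report. The function names, the sample tree and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Function names and sample data are assumptions.

# List regular files under DIR whose owner-executable bit is not set.
# Returns 0 if every file is executable, 1 if any is not, 2 if DIR is missing.
non_executable_scripts() {
    dir=$1
    [ -d "$dir" ] || return 2
    found=$(find "$dir" -type f ! -perm -0100 | sort)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Read container start-up output on stdin and list the scripts that cont-init
# reported as "exited 126" (found but not executable).
# Returns 1 if any were reported, 0 otherwise.
scripts_exited_126() {
    hits=$(sed -n 's/^cont-init: info: \(.*\) exited 126$/\1/p')
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree: one script with mode 755, one with mode 644.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/etc/cont-init.d"
    for name in 01-setup-permissions 02-setup-openvpn; do
        printf '#!/bin/sh\nexit 0\n' > "$tree/etc/cont-init.d/$name"
    done
    chmod 755 "$tree/etc/cont-init.d/01-setup-permissions"
    chmod 644 "$tree/etc/cont-init.d/02-setup-openvpn"
    printf '%s\n' "$tree"
}

# Constructed log lines in the format shown in the report.
sample_log() {
    printf '%s\n' \
        'cont-init: info: running /etc/cont-init.d/01-setup-permissions' \
        'cont-init: info: /etc/cont-init.d/01-setup-permissions exited 0' \
        'cont-init: info: running /etc/cont-init.d/02-setup-openvpn' \
        'cont-init: info: /etc/cont-init.d/02-setup-openvpn exited 126'
}

tree=$(make_sample_tree)
non_executable_scripts "$tree/etc/cont-init.d" || echo "non-executable init scripts found"
sample_log | scripts_exited_126 || echo "start-up log shows exit 126"
rm -rf "$tree"
```

Run against a checked-out `rootfs/etc/cont-init.d` in a build job, a nonzero return from `non_executable_scripts` fails the build before the image is pushed.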

Mibo5354 commented 2 years ago

@guillaumedsde No issues with latest on my end.

guillaumedsde commented 2 years ago

perfect, thanks for the feedback, closing the issue, but don't hesitate to repost/reopen if the issue arises again :)

nomisunrider commented 2 years ago

Working for me as well.