jacobalberty / firebird-docker

Firebird Dockerfile

Image User Firebird in readonly non root environments #128

Closed awunnenb closed 4 days ago

awunnenb commented 3 weeks ago

We use the image on a readonly non root environment and the firebird user has an ID 87, i.e. less than 1000. Is it possible to change the ID or is it safe to create another user with ID greater than 1000 and run the firebird container under this user?

awunnenb commented 2 weeks ago

we have regular entries in the log file: … firebird terminated abnormally (-1) guardian starting.../firebrid Setsockopt: error setting IPV6_V6ONLY to 0 (the system does not have IPv6) Image 4.0.2

fdcastel commented 1 week ago

@awunnenb did you set the database mode to READ_ONLY?

https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/gfix/firebird-gfix.html#gfix-dbmode

fdcastel commented 1 week ago

Also: Why do you need to change the user ID?

To the best of my knowledge, this should not change anything.

Using UID < 1000 for service accounts and >= 1000 for users is a simple convention.

fdcastel commented 1 week ago

> we have regular entries in the log file: … firebird terminated abnormally (-1) guardian starting.../firebrid Setsockopt: error setting IPV6_V6ONLY to 0 (the system does not have IPv6) Image 4.0.2

This appears to be a docker-related misconfiguration. See #24.

awunnenb commented 1 week ago

> @awunnenb did you set the database mode to READ_ONLY?
>
> https://www.firebirdsql.org/file/documentation/html/en/firebirddocs/gfix/firebird-gfix.html#gfix-dbmode

Not the database mode; the pod (container) is running in a non-root, read-only Kubernetes environment. Only the volume mounted to /firebird is writeable.

awunnenb commented 1 week ago

> Also: Why do you need to change the user ID?
>
> To the best of my knowledge, this should not change anything.
>
> Using UID < 1000 for service accounts and >= 1000 for users is a simple convention.

Correct, but in the Kubernetes non-root, read-only environment I need a shell as the firebird user to write in /firebird. Users with ID < 1000 are not allowed in this environment (shell). If I create another user, he has no write access to the *.conf files and others. I have to delete SYSDBA.password in /firebird/etc, but I have no rights in the non-root shell.
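An added example, not part of the thread and not code from the image: a mode-bit audit that reports, for a candidate UID and its groups, which files under a volume it could modify and which it could delete (deletion depends on the parent directory, not on the file itself). The temporary tree, the second account's UID and the group-writable variant are constructed for illustration; ACLs, root's permission bypass and read-only mounts are not modelled.

```python
import os
import stat
import tempfile

def _class_bits(st, uid, gids):
    """rwx bits of the single permission class (owner, group, other) that applies to uid."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def can_modify(path, uid, gids=()):
    """True if uid may write to the existing file (mode bits only)."""
    return bool(_class_bits(os.lstat(path), uid, set(gids)) & 2)

def can_delete(path, uid, gids=()):
    """Unlinking needs write+search on the parent directory, not write on the file."""
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if (_class_bits(parent, uid, set(gids)) & 3) != 3:
        return False
    if parent.st_mode & stat.S_ISVTX:  # sticky directory: only file or directory owner
        return uid in (os.lstat(path).st_uid, parent.st_uid)
    return True

def audit(root, uid, gids=()):
    """Map each file under root to (can_modify, can_delete) for the candidate uid."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for p in (os.path.join(dirpath, f) for f in files):
            report[os.path.relpath(p, root)] = (can_modify(p, uid, gids), can_delete(p, uid, gids))
    return report

def demo():
    """Constructed tree standing in for the /firebird volume; returns two reports."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        pw = os.path.join(etc, "SYSDBA.password")
        open(pw, "w").close()
        os.chmod(pw, 0o640)
        os.chmod(etc, 0o750)
        st = os.lstat(pw)
        other = st.st_uid + 1000  # hypothetical second account sharing the file's group
        strict = audit(root, other, [st.st_gid])
        os.chmod(pw, 0o660)  # constructed group-writable variant
        os.chmod(etc, 0o770)
        shared = audit(root, other, [st.st_gid])
        return strict, shared
```

Calling `audit("/firebird", uid, gids)` from inside the container with the UID and groups of the intended account lists the files that account cannot change before any switch is made.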

awunnenb commented 1 week ago

> > we have regular entries in the log file: … firebird terminated abnormally (-1) guardian starting.../firebrid Setsockopt: error setting IPV6_V6ONLY to 0 (the system does not have IPv6) Image 4.0.2
>
> This appears to be a docker-related misconfiguration. See https://github.com/jacobalberty/firebird-docker/issues/24.

Do you mean the IPv6 message or "terminated abnormally"? Which misconfiguration is causing the sporadic restart of the Firebird server? This sometimes happens every 20 minutes.

awunnenb commented 4 days ago

I have now built an image with FB4.0.4 without fbguard and configured it as ServerMode Classic. The crashes are now gone. The only remaining problem is the IPv6 message in the log, which always causes problems and discussions with the administrators, but this is not a problem with the image. The issue can be closed.

fdcastel commented 4 days ago

@awunnenb The Classic server is a legacy option that will almost certainly cost you something in terms of performance (*). With FB 4+ you probably should use SuperServer or SuperClassic.

References:

That said, I'm working on a new set of Docker images. If you could, please test them in your environment and open a new issue in that repository.

(*) According to IB-Aid. Firebird official docs say otherwise. YMMV.