kalaksi / docker-phpldapadmin

Docker container for phpLDAPadmin.
MIT License

rootless container #1

Open Eliav2 opened 1 year ago

Eliav2 commented 1 year ago

This does not seem to be a rootless container as it is written in the readme

$  docker run --user 1000 -it --rm docker.io/kalaksi/phpldapadmin
Unable to find image 'kalaksi/phpldapadmin:latest' locally
latest: Pulling from kalaksi/phpldapadmin
bff3e048017e: Pull complete
ddf93b070b14: Pull complete
b08a99ffbe87: Pull complete
a74618c25e7c: Pull complete
66bcb28135fe: Pull complete
bec860703ad9: Pull complete
Digest: sha256:e721ba8ec03feb01de5622b09892941712461ca253baaabbc665d486a834cb4a
Status: Downloaded newer image for kalaksi/phpldapadmin:latest
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./add_attr_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./add_oclass_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./add_value_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./cmd.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./collapse.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./common.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./compare.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./compare_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./copy.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./copy_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./create.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./create_confirm.php': Permission denied
cp: cannot create directory '/usr/share/phpldapadmin/htdocs/./css': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./delete.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./delete_attr.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./delete_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./download_binary_attr.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./draw_tree_node.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./entry_chooser.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./expand.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./export.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./export_form.php': Permission denied
cp: cannot create directory '/usr/share/phpldapadmin/htdocs/./images': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./import.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./import_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./index.php': Permission denied
cp: cannot create directory '/usr/share/phpldapadmin/htdocs/./js': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./login.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./login_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./logout.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./mass_delete.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./mass_edit.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./mass_update.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./modify_member_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./monitor.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./password_checker.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./purge_cache.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./query_engine.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./rdelete.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./refresh.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./rename.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./rename_form.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./schema.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./server_info.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./show_cache.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./template_engine.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./update.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./update_confirm.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./view_jpeg_photo.php': Permission denied
cp: cannot create regular file '/usr/share/phpldapadmin/htdocs/./welcome.php': Permission denied
cp: preserving times for '/usr/share/phpldapadmin/htdocs/.': Operation not permitted

kalaksi commented 1 year ago

It is a rootless container and you can see the default uid (70859) and gid (70859) in the Dockerfile.

If you want to specify your own uid/gid, you need to do more than just run it, as you have seen. The permissions have to be correct for the PHP runtime directory and the htdocs. This means that you will need to rebuild the image with environment variables PHPLDAPADMIN_UID and PHPLDAPADMIN_GID set to your liking. It will then configure the ownerships during the build process since those can't be set during running without root privileges.

Eliav2 commented 1 year ago

This is actually not a rootless container.

When creating a pod, OpenShift uses a random UID user, and if you don't have permissions on your OpenShift cluster you don't have control over the specific UID that would be used when running the container.

A rootless container is a container in which all of the necessary files that are used to run the application are accessible by ANY USER.

The problem is that the base image you used is not rootless. See https://github.com/osixia/docker-light-baseimage/issues/31

You can verify it by running any of these commands:

# docker run --user 1000 -it --rm osixia/phpldapadmin:0.9.0 bash
# docker run --user 1000 -it --rm osixia/light-baseimage bash
# docker run --user 1000 -it --rm phusion/baseimage:jammy-1.0.1 bash

The process immediately exits:

lousk@Eliavs-PC MINGW64 /c/Windows/system32
$ docker run --user 1000 -it --rm osixia/phpldapadmin:0.9.0 bash
*** CONTAINER_LOG_LEVEL = 3 (info)
*** Killing all processes...

This issue is not resolved (but I'm not sure you can do anything about it except provide a completely new image build that preferably doesn't use Ubuntu, because running rootless containers in Ubuntu is quite hard).

kalaksi commented 1 year ago

Okay, sure. The readme doesn't talk about that, though, it just says that this container is run without root (which it is). Apparently, there are issues with OpenShift, or similar setups, which is not ideal.
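
The `cp: ... Permission denied` failures and the random-UID concern discussed in this thread both come down to which numeric uid/gid can write the directories the container touches at startup. The following is an added example, not code from the issue or the project: a shell check that predicts this from ownership and mode bits. The function names are hypothetical, and it assumes GNU `stat`, a non-root uid, and no ACLs, capabilities or supplementary groups.

```sh
#!/bin/sh
# Added example: predict from ownership and mode bits alone whether a given
# numeric uid/gid could write a path. Function names are hypothetical.
# Assumptions: GNU stat; non-root uid; no ACLs, capabilities or extra groups.

# can_write UID GID PATH -> 0 if writable, 1 if not, 2 if stat fails
can_write() {
    cw_uid=$1; cw_gid=$2; cw_path=$3
    cw_info=$(stat -c '%u %g %a' "$cw_path") || return 2
    set -- $cw_info                       # $1=owner uid, $2=group gid, $3=mode
    cw_mode=$((0$3))                      # %a prints octal, e.g. 755
    # Unix applies exactly one permission class: owner, else group, else other.
    if [ "$cw_uid" -eq "$1" ]; then
        cw_bits=$(( (cw_mode >> 6) & 7 ))
    elif [ "$cw_gid" -eq "$2" ]; then
        cw_bits=$(( (cw_mode >> 3) & 7 ))
    else
        cw_bits=$(( cw_mode & 7 ))
    fi
    # Creating entries in a directory needs write+search (3); a file needs write (2).
    if [ -d "$cw_path" ]; then cw_need=3; else cw_need=2; fi
    [ $(( cw_bits & cw_need )) -eq "$cw_need" ]
}

# audit_dirs UID GID ROOT -> prints every directory under ROOT in which the
# identity cannot create files; returns 1 if any directory was printed.
audit_dirs() {
    ad_uid=$1; ad_gid=$2; ad_rc=0
    while IFS= read -r ad_dir; do
        [ -n "$ad_dir" ] || continue
        can_write "$ad_uid" "$ad_gid" "$ad_dir" || { printf '%s\n' "$ad_dir"; ad_rc=1; }
    done <<EOF
$(find "$3" -type d)
EOF
    return "$ad_rc"
}

# Stand-alone use: ./audit.sh UID GID ROOT
if [ "$#" -eq 3 ]; then audit_dirs "$@"; fi
```

Run it inside the container, or against an unpacked copy of the image filesystem, with the uid/gid the platform will assign; any directory it prints is one where a startup copy like the one in the log above would fail.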