mhutter / ansible-docker-systemd-service

Ansible role for creating Systemd services for docker containers
https://galaxy.ansible.com/mhutter/docker-systemd-service
MIT License

Permissions to env file are not given to the running user if it's not root #45

Open v4dkou opened 2 years ago

v4dkou commented 2 years ago

If the ansible_ssh_user is different from root (but still a sudoer), the created systemd service fails to start with this error docker: open /etc/default/<container name>: permission denied.

My current workaround is to change permissions right after the included mhutter.docker-systemd-service role:

    - name: Fix https://github.com/mhutter/ansible-docker-systemd-service/issues/45
      ansible.builtin.file:
        path: /etc/default/<container name>
        owner: '{{ ansible_user }}'
        mode: '0644'
mhutter commented 2 years ago

I'm a bit confused; which user starts the service?

v4dkou commented 2 years ago

@mhutter Oh, this is a tricky question. Running ps aux | grep docker shows that the docker container I am starting via systemd is owned by "root". The .service file for systemd generated by this Ansible role does not contain a User= directive, which makes me confused too as to how this error appeared.

All I know is:

  1. The Ansible playbook is being run with a user, let's say someuser, that has sudo privileges.
  2. This playbook has a become: true directive.

I can try setting up the minimal reproducible example on some DigitalOcean droplet and give you access to it and the playbooks. Would you kindly contact me at vadkou@wave909.com, so I can send you access once I set everything up?

Target OS: Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-113-generic x86_64)

$ systemd --version
systemd 245 (245.4-4ubuntu3.15)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid
mhutter commented 2 years ago

A note about the workaround: What probably fixes the issue is mode: '0644', not owner: '{{ ansible_user }}'.

> Running ps aux | grep docker shows that the docker container I am starting via systemd is owned by "root".

Okay, this is as expected (since the Docker daemon runs as root).

> The .service file for systemd generated by this Ansible role does not contain a User= directive, which makes me confused too as to how this error appeared.

Yes, indeed, because without User, the process is started as root which is able to read the file.


One more thing I noticed: This line:

https://github.com/mhutter/ansible-docker-systemd-service/blob/b0aa69efa074402379c8965c72d23211e6fd6af7/templates/unit.j2#L17

is practically redundant; it sets the env for the process STARTING the container, not the container itself (this is handled by the --env-file parameter).
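The discussion above comes down to which uid systemd starts the unit as (root when there is no User= line) and whether that uid can read /etc/default/<container name>. The following added check, which is not part of the role, mirrors the owner/group/other decision the kernel makes so you can test a unit's User= against the env file before the service fails at start; it also flags a world-readable env file, which the 0644 workaround produces. It assumes GNU stat (Linux); the uids and the temporary file in the demo are constructed.

```shell
# Return 0 if UID (with the supplied GIDs) can read PATH, mirroring the
# discretionary access check: uid 0 bypasses the mode bits, then owner,
# group and other bits are consulted in that order.
# usage: env_file_readable PATH UID GID...
env_file_readable() {
    path=$1; uid=$2; shift 2
    [ -e "$path" ] || return 1
    [ "$uid" -eq 0 ] && return 0              # no User= in the unit -> root
    perms=$(stat -c '%A' "$path")             # e.g. -rw-r-----
    owner=$(stat -c '%u' "$path")
    group=$(stat -c '%g' "$path")
    if [ "$uid" -eq "$owner" ]; then
        [ "$(printf '%s' "$perms" | cut -c2)" = r ]; return
    fi
    for g in "$@"; do
        if [ "$g" -eq "$group" ]; then
            [ "$(printf '%s' "$perms" | cut -c5)" = r ]; return
        fi
    done
    [ "$(printf '%s' "$perms" | cut -c8)" = r ]
}

# Return 0 if anyone on the host can read PATH. Env files for containers
# frequently hold secrets, so this is the condition a 0644 fix introduces.
env_file_world_readable() {
    [ "$(stat -c '%A' "$1" | cut -c8)" = r ]
}

# Demo on a constructed file standing in for /etc/default/<container name>,
# created 0600 as the role does for a root-run playbook.
demo=$(mktemp); chmod 600 "$demo"
env_file_readable "$demo" 0 0 && echo "uid 0 (no User= in unit): readable"
env_file_readable "$demo" 1000 1000 || echo "uid 1000 (User=someuser): permission denied"
env_file_world_readable "$demo" || echo "not world-readable"
rm -f "$demo"
```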