roadrunner-server / roadrunner-plugins

📦 Home for the roadrunner plugins
MIT License

[BUG] Non-root user refuses to create or use boltdb db file #39

Closed Shikachuu closed 3 years ago

Shikachuu commented 3 years ago

Running rr as a non-root user, it refuses to create the db file when using the key-value plugin with boltdb.

I tried this Dockerfile:

FROM spiralscout/roadrunner:2.4.1 as rr

FROM composer:2 AS autoloader
COPY . /app
WORKDIR /app
# Install composer dependencies
RUN composer install --quiet --no-scripts --optimize-autoloader --ignore-platform-reqs
# Remove sensitive information
RUN rm auth.json custom.ini Dockerfile .rr.yaml

FROM php:8.0.10-cli-alpine3.14
RUN apk --no-cache add curl ca-certificates \
# Create a system user named app
    && addgroup -S app && adduser -S -g app app \
# Install PHP extensions for RoadRunner
    && docker-php-ext-install opcache sockets

COPY --from=autoloader /app /home/app

# Append the custom.ini to the loaded php.ini files
COPY custom.ini /usr/local/etc/php/conf.d/

# Copy the RoadRunner binary from the road runner container
COPY --from=rr /usr/bin/rr /usr/bin/rr
COPY .rr.yaml /etc/.rr.yaml

RUN chown -R app:app /home/app

WORKDIR /home/app

USER app:app

# HTTP worker endpoint
EXPOSE 8080
# Metrics endpoint
EXPOSE 2112
# Health check endpoint
EXPOSE 2114

# Checks the health endpoint with curl
HEALTHCHECK CMD curl --fail http://localhost:2114/health?plugin=http || exit 1

ENTRYPOINT ["/usr/bin/rr", "serve", "-c", "/etc/.rr.yaml"]

I expected to see this happen: Creates a boltdb db file to the specified location (/home/app/rr.db)

Instead, this happened: Breaks with permission denied error

The version of RR used: 2.4.1

My .rr.yaml configuration is:

server:
  command: "php /home/app/index.php"

logs:
  mode: production
  encoding: json
  output: stdout

rpc:
  listen: "tcp://0.0.0.0:6001"

http:
  address: :8080
  pool:
    num_workers: 1
    max_jobs: 8

metrics:
  address: :2112

status:
  address: :2114

reload:
  interval: 1s
  patterns: [ ".php" ]
  services:
    http:
      recursive: true
      dirs: [ "/home/app" ]

kv:
  boltdb:
    driver: boltdb
    file: "rr.db"
    dir: "/home/app"
    bucket: "rr"
    interval: 86400

Errortrace, Backtrace or Panictrace

handle_serve_command: Serve error:
     endure_start:
     endure_serve_internal: Function call error:
     endure_call_serve_fn: got initial serve error from the Vertex kv.Plugin, stopping execution, error: kv_plugin_serve:
     boltdb_plugin_provide:
     new_boltdb_driver: open rr.db: permission denied

rustatian commented 3 years ago

Hey, @Shikachuu. Please use the permissions key in the boltdb configuration. Try setting it to 0644 or some other permissions suitable for you :)

Shikachuu commented 3 years ago

Hey, @rustatian. Thanks for the fast response! I just tried it and it still throws the same error, even with 0777. The current config:

kv:
  boltdb:
    driver: boltdb
    file: "rr.db"
    dir: "/home/app"
    permissions: 0777
    bucket: "rr"
    interval: 86400

Shikachuu commented 3 years ago

Even if I use a non-existing path, which should trigger a different error, it throws the same one.

kv:
  boltdb:
    driver: boltdb
    file: "rr.db"
    dir: "/non/existing/path"
    permissions: 0777
    bucket: "rr"
    interval: 86400

rustatian commented 3 years ago

@Shikachuu Could you please try to use 0666 ?

Shikachuu commented 3 years ago

> @Shikachuu Could you please try to use 0666 ?

Sure, sadly the same error with the following kv config:

kv:
  boltdb:
    driver: boltdb
    file: "rr.db"
    dir: "/home/app"
    permissions: 0666
    bucket: "rr"
    interval: 86400

rustatian commented 3 years ago

Sad to hear that 😞 . Is this problem blocking you?

Shikachuu commented 3 years ago

> Sad to hear that 😞 . Is this problem blocking you?

Sadly yes. At the moment I have to run the container as root or use the memory driver, and I think neither of them is safe enough to deploy this even to the staging/uac server.

rustatian commented 3 years ago

Ok, got u. Will try to fix that issue ASAP. I guess that version 2.4.2 will be out by today's evening (GMT+3).

rustatian commented 3 years ago

Transferring this issue to the roadrunner-plugins repo.

rustatian commented 3 years ago

@Shikachuu Found the issue. For some reason, viper (the library we use to parse the yaml configuration) doesn't parse the leading 0 in the permissions key. So, 0777 becomes 511. Could you please try to use just 777 ?

Shikachuu commented 3 years ago

@rustatian that's nice news, but I am afraid 777 throws the same. Config:

kv:
  boltdb:
    driver: boltdb
    file: "rr.db"
    dir: "/home/app"
    permissions: 777
    bucket: "rr"
    interval: 86400

rustatian commented 3 years ago

Ok, got u.

rustatian commented 3 years ago

This is definitely an issue in the parser; passing os.FileMode directly works well. I'll notify you when the fix is ready.

Shikachuu commented 3 years ago

Thank you very much! :smile:

Shikachuu commented 3 years ago

@rustatian the same problem also occurs with jobs using the boltdb driver in the same config/container. With the following config:

boltdb:
  permissions: 0777

jobs:
  num_pollers: 4
  pipeline_size: 100000
  pool:
    num_workers: 1
    max_jobs: 8
  consume: [ "empty-http-bucket" ]
  pipelines:
    empty-http-bucket:
      driver: boltdb
      file: queue.db

rustatian commented 3 years ago

Yeah, jobs use the same driver under the hood. Working on the fix...

rustatian commented 3 years ago

@Shikachuu Could you please show the ls -la output (especially rr.db permission bits)?

Shikachuu commented 3 years ago

The file doesn't exist, so I can't really send you the output :(

On 2021. Sep 23., Thu at PM 2:20, Valery Piashchynski <@.***> wrote:

> @Shikachuu https://github.com/Shikachuu Could you please show the ls -la output (especially rr.db permission bits)?

rustatian commented 3 years ago

I guess that you can't create a file because the user has no permissions to create a file (not in the group, for example). I guessed that the problem was somewhere else, but when I started the RR process and it created a file with (0777) permissions, ls -la showed me the correct permission bits: -rwxr-xr-x. The RR process owns the file (bits 2-3-4) and thus can manipulate the data. Maybe you should add --user <user> with the proper user to your docker command.

Shikachuu commented 3 years ago

I think it is, but you can check the Dockerfile in the issue itself, I am currently running the exact same one.

rustatian commented 3 years ago

I already tried on the dev Dockerfile https://github.com/spiral/roadrunner-binary/blob/master/dev/Dockerfile.local, no errors.

rustatian commented 3 years ago

Dockerfile in the issue is non-reproducible since there are a lot of user-specific folders in it.

Shikachuu commented 3 years ago

There is only one folder which contains the composer.json and an index.php, those files are currently irrelevant. There is also a custom.ini file, which is currently an empty ini file.

Shikachuu commented 3 years ago

> There is only one folder which contains the composer.json and an index.php, those files are currently irrelevant. There is also a custom.ini file, which is currently an empty ini file.

I can provide the files if it helps the process move forward.

> I already tried on the dev Dockerfile https://github.com/spiral/roadrunner-binary/blob/master/dev/Dockerfile.local, no errors.

@rustatian, if I am not mistaken, this container runs the rr binary as root, so this is irrelevant too, since the root version is working for me as well.

rustatian commented 3 years ago

I removed all irrelevant files, np. And I see your issue. I'll try to dig into it, but it seems that the issue isn't related to RR. But I'll try to help you.

Shikachuu commented 3 years ago

Thank you very much! Let me know if I can help you with anything or if you need any additional information.

rustatian commented 3 years ago

@Shikachuu Try to use this config:

    file: "/home/app/rr.db"

W/o dir.

Shikachuu commented 3 years ago

> @Shikachuu Try to use this config:
>
>     file: "/home/app/rr.db"
>
> W/o dir.

Thanks, this is working with both k/v and jobs. But why? :thinking:

rustatian commented 3 years ago

We don't use dir, just file with the full path. This is also valid for the jobs: https://github.com/spiral/roadrunner-binary/blob/stable/.rr.yaml#L214 The dir key was used in the past, in the old configuration. This is completely my bad; I forgot to mention this in the release notes 😞
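Two things in this thread are worth checking up front when a kv or jobs boltdb driver is configured to run as an unprivileged user: how the permissions digits are interpreted (octal vs. decimal, with or without the leading zero, as discussed earlier in the thread) and where the db file actually ends up once the dir key is ignored and only file counts. The following Go program is an added example written for this page, not RoadRunner's or the plugin's own code; the BoltConfig type and the ResolvePath, ParseMode, CheckWritable and Preflight functions are hypothetical names chosen here. It resolves the effective path (an absolute file wins over dir), parses the mode as octal and rejects anything above 0777, shows what the same digits give when misread as decimal, and probes whether the current user can create files in the target directory before the driver is started.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// BoltConfig holds the three keys discussed in the thread. It is a hypothetical
// type for this example, not the plugin's own configuration struct.
type BoltConfig struct {
	File        string // "rr.db" or "/home/app/rr.db"
	Dir         string // legacy key; ignored when File is absolute
	Permissions string // the digits as written in YAML, e.g. "0777", "666"
}

// ResolvePath returns the path the db file would be opened at: an absolute
// File wins, a relative File is joined to Dir, and with no Dir it resolves
// against the working directory. Assumption for this example: since the plugin
// in the thread ignores Dir, an absolute File is the reliable choice.
func ResolvePath(c BoltConfig) string {
	if filepath.IsAbs(c.File) || c.Dir == "" {
		return c.File
	}
	return filepath.Join(c.Dir, c.File)
}

// ParseMode reads the permissions digits as octal whether or not a leading
// zero is present, and rejects anything outside 0o000..0o777 so a sticky or
// setuid bit cannot be set by accident. "0o"-style prefixes are not accepted.
func ParseMode(s string) (os.FileMode, error) {
	v, err := strconv.ParseUint(s, 8, 32)
	if err != nil {
		return 0, fmt.Errorf("permissions %q is not an octal mode: %w", s, err)
	}
	if v > 0o777 {
		return 0, fmt.Errorf("permissions %q exceeds 0777", s)
	}
	return os.FileMode(v), nil
}

// DecimalMisread shows the failure mode from the thread: the same digits read
// as decimal. "777" becomes 777 == 0o1411, whose low nine bits are 0o411
// (r-- for the owner, --x for group and others), nothing like rwxrwxrwx.
func DecimalMisread(s string) os.FileMode {
	v, _ := strconv.ParseUint(s, 10, 32)
	return os.FileMode(v)
}

// CheckWritable verifies that the current user could create the db file at
// path: the parent directory must exist and allow file creation. It probes
// with a temporary file instead of inspecting mode bits, so ownership, group
// membership and ACLs are all accounted for.
func CheckWritable(path string) error {
	dir := filepath.Dir(path)
	info, err := os.Stat(dir)
	if err != nil {
		return fmt.Errorf("parent directory %s: %w", dir, err)
	}
	if !info.IsDir() {
		return fmt.Errorf("%s is not a directory", dir)
	}
	probe, err := os.CreateTemp(dir, ".rr-probe-*")
	if err != nil {
		return fmt.Errorf("cannot create files in %s: %w", dir, err)
	}
	name := probe.Name()
	probe.Close()
	return os.Remove(name)
}

// Preflight ties the checks together: validate the mode, resolve the path,
// and confirm the location is writable before the driver is ever started.
func Preflight(c BoltConfig) (string, os.FileMode, error) {
	mode, err := ParseMode(c.Permissions)
	if err != nil {
		return "", 0, err
	}
	path := ResolvePath(c)
	if err := CheckWritable(path); err != nil {
		return path, mode, err
	}
	return path, mode, nil
}

func main() {
	// Constructed sample configs mirroring the ones pasted in the thread.
	for _, c := range []BoltConfig{
		{File: "rr.db", Dir: "/home/app", Permissions: "0777"},
		{File: "/home/app/rr.db", Permissions: "0666"},
		{File: "rr.db", Dir: "/non/existing/path", Permissions: "777"},
	} {
		path, mode, err := Preflight(c)
		fmt.Printf("%-28s mode=%04o err=%v\n", path, mode, err)
	}
	fmt.Printf("777 read as decimal: %04o\n", DecimalMisread("777"))
}
```

Running this inside the container as the app user (rather than root) reports "permission denied" or "no such file or directory" for the parent directory before boltdb is opened, which separates a path problem from a mode problem: the probe uses the real identity, group membership and umask of the process, so it fails exactly when the driver would.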