theowni / Damn-Vulnerable-RESTaurant-API-Game

Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
GNU General Public License v3.0

failures deploying ethical hacker docker compose from `start_app` script - `chown: /var/lib/postgresql/data: Permission denied` #2

Closed GangGreenTemperTatum closed 5 months ago

GangGreenTemperTatum commented 5 months ago

howdy!

➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ system_profiler SPSoftwareDataType SPHardwareDataType
Software:

    System Software Overview:

      System Version: macOS 14.3.1 (23D60)
      Kernel Version: Darwin 23.3.0

note: using colima (Mac OS container runtime) instead of Docker desktop, follow the instructions "Running the Application - Ethical Hackers Approach"

➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ chmod +x ./start_app.sh
➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo ./start_app.sh
WARN[0000] /Users/adam/git/Damn-Vulnerable-RESTaurant-API-Game/docker-compose.yml: `version` is obsolete
[+] Running 1/0
 ✔ Container damn-vulnerable-restaurant-api-game-db-1  Creat...                                                      0.0s
Attaching to db-1, web-1
db-1   | chown: /var/lib/postgresql/data: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)

this looks to be an issue with postgres and not necessarily this docker compose.. i think the script requires updating to run elevated privileges on postgres, see:

https://github.com/zalando/postgres-operator/issues/676

any assistance much appreciated, tyia!

theowni commented 5 months ago

Hi @GangGreenTemperTatum, thanks for raising the issue.

Could you verify if the following docker-compose.yml works for you? Please, replace current content with the following content:

services:
  web:
    build: .
    command: bash -c "alembic upgrade head && uvicorn main:app --host 0.0.0.0 --port 8080 --workers 1 --reload"
    volumes:
      - ./app/:/app/
      - /app/.venv
    ports:
      - 8080:8080
    depends_on:
      db:
        condition: service_healthy
    privileged: true
    cap_add:
      - SYS_ADMIN
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_SERVER=db
      - POSTGRES_PORT=5432
      - POSTGRES_DB=restaurant
  db:
    image: postgres:15.4-alpine
    volumes:
      - ./postgres_data:/var/lib/postgresql/data/
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=restaurant
      - PGDATA=/var/lib/postgresql/data/pgdata
    healthcheck:
      test: ["CMD", "sh", "-c", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 5s
      start_period: 5s
    expose:
      - 5432

laucer commented 5 months ago

I had the same issue and can confirm that cleaning postgres_data and changing docker-compose.yml file solved the problem.

GangGreenTemperTatum commented 5 months ago

hey @theowni , thanks so much for the quick response! strongly assume this is me doing something wrong here...

i replaced the docker-compose.yml contents with the new code you kindly provided, but still getting the same error 🤔

➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo ./start_app.sh
[+] Running 1/0
 ✔ Container damn-vulnerable-restaurant-api-game-db-1  Created                                                                                                                       0.0s
Attaching to db-1, web-1
db-1   | chown: /var/lib/postgresql/data/pgdata: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)
Gracefully stopping... (press Ctrl+C again to force)

i also tried (since i am using colima) to update the ./start_app.sh script to include a prepended sudo to the docker command but no dice:

#!/bin/bash

mkdir -p postgres_data
sudo docker compose up $1

same results with docker-compose:

➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker-compose up
[+] Running 1/0
 ✔ Container damn-vulnerable-restaurant-api-game-db-1  Created                                                                                                                       0.0s
Attaching to db-1, web-1
db-1   | chown: /var/lib/postgresql/data/pgdata: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)
➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker image ls
REPOSITORY                                                    TAG                                                                       IMAGE ID       CREATED        SIZE
damn-vulnerable-restaurant-api-game-web                       latest                                                                    d6961fef2132   27 hours ago   343MB
aquasec/trivy                                                 0.10.0                                                                    0e282587eaed   3 years ago    65.2MB
➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ ls -al
total 440
drwxr-xr-x   19 adam  staff     608  9 Apr 05:53 .
drwxr-xr-x  109 adam  staff    3488  9 Apr 05:29 ..
drwxr-xr-x   11 adam  staff     352  9 Apr 05:29 .git
drwxr-xr-x    3 adam  staff      96  9 Apr 05:29 .github
-rw-r--r--    1 adam  staff    3143  9 Apr 05:29 .gitignore
-rw-r--r--    1 adam  staff    1042  9 Apr 05:29 .pre-commit-config.yaml
-rw-r--r--    1 adam  staff    3210  9 Apr 05:29 CODE_OF_CONDUCT.md
-rw-r--r--    1 adam  staff    2340  9 Apr 05:29 CONTRIBUTING.md
-rw-r--r--    1 adam  staff    1079  9 Apr 05:29 Dockerfile
-rw-r--r--@   1 adam  staff   35148  9 Apr 05:29 LICENSE
-rw-r--r--    1 adam  staff    5859  9 Apr 05:29 README.md
drwxr-xr-x   13 adam  staff     416  9 Apr 05:29 app
-rwxr-xr-x    1 adam  staff     932 10 Apr 09:14 docker-compose.yml
-rw-r--r--    1 adam  staff  136586  9 Apr 05:29 poetry.lock
drwx------    3 adam  staff      96 10 Apr 09:15 postgres_data
-rw-r--r--    1 adam  staff     949  9 Apr 05:29 pyproject.toml
-rwxr-xr-x    1 adam  staff      62 10 Apr 09:16 start_app.sh
-rwxr-xr-x    1 adam  staff      75  9 Apr 05:29 start_game.sh
-rwxr-xr-x    1 adam  staff      33  9 Apr 06:36 stop_app.sh

anything i am doing obviously wrong here? tyia 🙏🏼

@laucer - apologies, what did you mean specifically here?

that cleaning postgres_data

theowni commented 5 months ago

I discussed this one with @laucer and he deleted the postgres_data directory before launching the game with the modified docker-compose. So, @GangGreenTemperTatum, let's run the following commands and let me know what the output is:

docker compose down  # to tear down any running containers
sudo rm -rf postgres_data  # to remove directory with potentially "broken" permissions
# now, update the docker-compose if it's not updated
# and launch the app
./start_app.sh

GangGreenTemperTatum commented 5 months ago

ahhh i see, thanks again @theowni !

  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ ./start_app.sh

[+] Running 3/3
 ✔ Network damn-vulnerable-restaurant-api-game_default  Created                                                                                                                      0.1s
 ✔ Container damn-vulnerable-restaurant-api-game-db-1   Created                                                                                                                      0.0s
 ✔ Container damn-vulnerable-restaurant-api-game-web-1  Created                                                                                                                      0.7s
Attaching to db-1, web-1
db-1   | chown: /var/lib/postgresql/data/pgdata: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)
➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo ./start_app.sh

still getting the error unfortunately 🤔

theowni commented 5 months ago

Hi again @GangGreenTemperTatum,

I think I was able to reproduce the issue. The problem looks to be related to Colima. I used the following environment to reproduce the issue:

MacOS Sonoma 14.1
Colima version 0.6.8
Docker version 24.0.7

It looks like Colima doesn't have proper permissions on your local directory to make changes in it. It's a kind of known issue which can be resolved in a non user-friendly way by modifying Colima configs. So, to make it more user-friendly, I modified docker-compose.yml to use named volumes instead of bind mounts. In this way, the database directory will still be persistent, but in a directory managed by Docker (with proper permissions).

Here is the modified docker-compose.yml:

services:
  web:
    build: .
    command: bash -c "alembic upgrade head && uvicorn main:app --host 0.0.0.0 --port 8080 --workers 1 --reload"
    volumes:
      - ./app/:/app/
      - /app/.venv
    ports:
      - 8080:8080
    depends_on:
      db:
        condition: service_healthy
    privileged: true
    cap_add:
      - SYS_ADMIN
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_SERVER=db
      - POSTGRES_PORT=5432
      - POSTGRES_DB=restaurant
  db:
    image: postgres:15.4-alpine
    volumes:
      - pg_volume:/var/lib/postgresql/data/
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=restaurant
      - PGDATA=/var/lib/postgresql/data/pgdata
    healthcheck:
      test: ["CMD", "sh", "-c", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 5s
      start_period: 5s
    expose:
      - 5432
volumes:
  pg_volume:

Update the docker-compose.yml content and run the commands:

docker compose down  # to tear down any running containers
sudo rm -rf postgres_data  # to remove the directory which won't be used anyway
./start_app.sh

I hope it will resolve the issue!
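
As an added check that is not part of the project or of this thread: a small Python linter for the two things the compose file above shows, the host bind mount into the Postgres data directory that fails under Colima (replaced by the named volume in the fix) and the `privileged: true` / `cap_add: SYS_ADMIN` settings on the web service, which is more than a web app needs and is worth removing once the game runs. It is a line-based scanner, so it needs no PyYAML, and it assumes the two-space indentation used in the compose file above; the sample inputs are constructed from that file.

```python
# Constructed sample: the db service from the first docker-compose.yml in this
# thread (host bind mount) plus the web service with its privilege settings.
BROKEN_COMPOSE = """\
services:
  web:
    build: .
    privileged: true
    cap_add:
      - SYS_ADMIN
  db:
    image: postgres:15.4-alpine
    volumes:
      - ./postgres_data:/var/lib/postgresql/data/
"""

# Same file after the fix from this thread: a named volume instead of a bind mount.
FIXED_COMPOSE = BROKEN_COMPOSE.replace(
    "./postgres_data:/var/lib/postgresql/data/", "pg_volume:/var/lib/postgresql/data/"
) + "volumes:\n  pg_volume:\n"


def lint_compose(text):
    # Returns (service, finding) tuples; only the `services:` block is inspected.
    findings = []
    top = service = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        item = line.strip()
        if indent == 0:                          # top-level key: services:, volumes:, ...
            top, service = item.rstrip(":"), None
            continue
        if top != "services":
            continue
        if indent == 2 and item.endswith(":"):   # a service name (web:, db:)
            service = item[:-1]
            continue
        if item == "privileged: true":
            findings.append((service, "privileged: true"))
        elif item == "- SYS_ADMIN":
            findings.append((service, "cap_add: SYS_ADMIN"))
        elif item.startswith("- ") and ":" in item:   # a volume/port mapping entry
            src, dst = item[2:].split(":", 1)
            # Host paths (./, ../, /, ~) are bind mounts; bare names are named volumes.
            if src.startswith(("./", "../", "/", "~")) and dst.startswith("/var/lib/postgresql/data"):
                findings.append((service, f"bind mount {src} -> {dst}; use a named volume"))
    return findings
```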

GangGreenTemperTatum commented 5 months ago

hey @theowni , wow, thank you so much!! 🎉 so quick 👏🏼

➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker ps -a
Password:
CONTAINER ID   IMAGE                                     COMMAND                  CREATED          STATUS                    PORTS                                       NAMES
56f72be731de   damn-vulnerable-restaurant-api-game-web   "bash -c 'alembic up…"   26 seconds ago   Up 19 seconds             0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   damn-vulnerable-restaurant-api-game-web-1
dce56440de69   postgres:15.4-alpine                      "docker-entrypoint.s…"   26 seconds ago   Up 25 seconds (healthy)   5432/tcp                                    damn-vulnerable-restaurant-api-game-db-1
➜  Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ curl http://localhost:8080/docs

    <!DOCTYPE html>
    <html>
    <head>
    <link type="text/css" rel="stylesheet" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css">
    <link rel="shortcut icon" href="https://fastapi.tiangolo.com/img/favicon.png">
    <title>Damn Vulnerable RESTaurant - Swagger UI</title>

👌🏼👌🏼👌🏼👌🏼👌🏼👌🏼