tianon / gosu

Simple Go-based setuid+setgid+setgroups+exec
Apache License 2.0

Running gosu in docker-entrypoint.sh on UBI 8 just returns "Success" but doesn't continue. #146

Closed paisley closed 2 months ago

paisley commented 2 months ago

I am trying to build an image of MongoDB 7.0 on UBI 8, and have copied the docker-entrypoint.sh script from https://github.com/docker-library/mongo/tree/master/7.0 with the only change being how the script gets the current architecture (switched dpkg to uname -m). When I build the official MongoDB 7 on Ubuntu, the container runs as expected. However, when running it on UBI8, the docker-entrypoint.sh seems to stop as soon as the gosu command is called. Here is the output of the failing container:

```console
$ docker logs ubi8-mongo
+ '[' m = - ']'
+ originalArgOne=mongod
+ [[ mongod == mongo* ]]
++ id -u
+ '[' 0 = 0 ']'
+ '[' mongod = mongod ']'
+ find /data/configdb /data/db '!' -user mongodb -exec chown mongodb '{}' +
+ chown --dereference mongodb /proc/1/fd/1 /proc/1/fd/2
+ exec gosu mongodb /usr/local/bin/docker-entrypoint.sh mongod
/usr/local/bin/docker-entrypoint.sh: line 22: /usr/local/bin/gosu: Success
```

Running the gosu directly as root doesn't do anything either:

```console
[root@4d03aacbb268 db]# gosu mongodb:mongodb id
[root@4d03aacbb268 db]# echo $?
0
```

Is there some inherent difference with how the gosu utility runs on RHEL OSes?

tianon commented 2 months ago

> switched dpkg to uname -m

https://github.com/tianon/gosu/blob/dcb68b295a3e0a5c686e477e14494a9cfd0e1861/INSTALL.md#from-centosoraclelinuxubi-rpm-based-distro :eyes:

> Is there some inherent difference with how the gosu utility runs on RHEL OSes?

Nope, there shouldn't be; it's distributed as a fully static ELF binary for this reason.

I tested the following successfully:

```dockerfile
FROM redhat/ubi9-minimal

RUN microdnf install -y wget

ENV GOSU_VERSION 1.17
RUN set -eux; \
    \
    rpmArch="$(rpm --query --queryformat='%{ARCH}' rpm)"; \
    case "$rpmArch" in \
        aarch64) dpkgArch='arm64' ;; \
        armv[67]*) dpkgArch='armhf' ;; \
        i[3456]86) dpkgArch='i386' ;; \
        ppc64le) dpkgArch='ppc64el' ;; \
        riscv64 | s390x) dpkgArch="$rpmArch" ;; \
        x86_64) dpkgArch='amd64' ;; \
        *) echo >&2 "error: unknown/unsupported architecture '$rpmArch'"; exit 1 ;; \
    esac; \
    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
    wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
    \
# verify the signature
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
    gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
    \
    chmod +x /usr/local/bin/gosu; \
# verify that the binary works
    gosu --version; \
    gosu nobody true
```

```console
$ docker build --pull .
...
Successfully built 32ef9c634579
$ docker run --rm 32ef9c634579 gosu nobody id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
```

paisley commented 2 months ago

It turns out the issue was on my end, with how I was identifying the host architecture and then downloading the gosu release. After running file gosu, which reported empty, it turned out that I wasn't always using the correct URL. I resolved this in my Dockerfile by using an if statement where, for example, if uname -m reports x86_64, then the -amd64 release is downloaded. Apologies for the mistake. I'm closing this issue. Thank you!
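Added example, not part of the thread and not code from the gosu project: a fail-closed architecture mapping plus a sanity check that rejects the empty download described above before it is installed. The function names (`gosu_arch`, `gosu_url`, `is_elf`) are hypothetical, and applying the Dockerfile's rpm architecture table to `uname -m` output is an assumption.

```shell
#!/bin/sh
# Added example; gosu_arch, gosu_url and is_elf are hypothetical helper names.

# Map a machine name (as printed by `uname -m`) to the suffix used in gosu
# release file names, following the case table in the Dockerfile above.
# Assumption: `uname -m` values match the rpm %{ARCH} values used there.
gosu_arch() {
    case "$1" in
        aarch64) echo arm64 ;;
        armv[67]*) echo armhf ;;
        i[3456]86) echo i386 ;;
        ppc64le) echo ppc64el ;;
        riscv64 | s390x) echo "$1" ;;
        x86_64) echo amd64 ;;
        # Unknown value: stop instead of building a URL that does not exist.
        *) echo >&2 "error: unknown/unsupported architecture '$1'"; return 1 ;;
    esac
}

# Build the release URL for a version ($1) and machine name ($2).
gosu_url() {
    arch="$(gosu_arch "$2")" || return 1
    echo "https://github.com/tianon/gosu/releases/download/$1/gosu-$arch"
}

# Succeed only if the file is non-empty and starts with the ELF magic
# (0x7f 'E' 'L' 'F'), so an empty file or an HTML error page is rejected.
is_elf() {
    [ -s "$1" ] || { echo >&2 "error: '$1' is missing or empty"; return 1; }
    magic="$(od -An -tx1 -N4 "$1" | tr -d ' \n')"
    [ "$magic" = "7f454c46" ] || { echo >&2 "error: '$1' is not an ELF binary"; return 1; }
}

# Constructed demo: an empty file, like the one a failed download leaves
# behind, does not pass the check.
tmp="$(mktemp)"
is_elf "$tmp" 2>/dev/null || echo "empty download rejected"
rm -f "$tmp"
```

This check only catches a wrong or failed download; the `gpg --verify` step in the Dockerfile above is still what establishes that the binary is the signed release.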