tsightler / ring-mqtt

Ring devices to MQTT Bridge
MIT License

Bug: Container fails to start up beginning 5.0.3 #446

Closed aneisch closed 2 years ago

aneisch commented 2 years ago

Describe the Bug

Read-only container fails to start. This ability was introduced in response to #249

Steps to Reproduce

Upgrade to 5.0.3, set env S6_READ_ONLY_ROOT=1

Expected Behavior

Container runs in RO root mode

Log Output

```text
s6-overlay-suexec: warning: unable to gain root privileges (is the suid bit set?)
/package/admin/s6-overlay/libexec/preinit: info: read-only root
/package/admin/s6-overlay/libexec/preinit: info: writable /run. Checking for executability.
/package/admin/s6-overlay/libexec/preinit: warning: unable to find /run in /proc/mounts, check that your container manager pre-mounts /proc, and that /run is a tmpfs. The container is likely to crash soon, if /run is (incorrectly) mounted noexec.
s6-linux-init: fatal: unable to copy /run/s6/basedir/run-image to /run: Operation not permitted
```

Screenshots

No response

Config File

```yaml
services:
  ring-mqtt:
    container_name: ring-mqtt
    image: tsightler/ring-mqtt:5.0.3
    restart: 'always'
    user: '99'
    ports:
      - 8554:8554
    environment:
      - S6_READ_ONLY_ROOT=1
      - MQTTHOST=10.0.1.22
      - RINGTOKEN=XXX
      - ENABLEMODES=true
      - SNAPSHOTMODE=all
      - ENABLECAMERAS=true
    volumes:
      - '/opt/ring-mqtt:/data'
```


### Install Type

Docker

### Version

v5.0.3

### Operating System

Home Assistant

### Architecture

x86_64

### Machine Details

NUC

tsightler commented 2 years ago

Did you verify that tmpfs is mounted to /run like it says? This is a change in s6-overlay v3 vs prior versions which previously only required /var to be rw.

Unfortunately s6-overlay support for running as user other than root was always pretty limited and, based on their documentation, this seems to be even more true with v3. It does indicate that it should still be possible to get it to work based on the documentation, but I don't have the time or motivation to dig through it and figure it out at this time as it's just not important to 99.9% of users.

You can always just override the default entrypoint and run the script directly, completely bypassing the s6 supervision tree, then running as any user should be possible. If you'd like to dig into the s6-overlay changes yourself and figure it out, I'd be happy to entertain a PR.

aneisch commented 2 years ago

Thanks for the response. At this very moment I'm also lacking the time and motivation to look closely into this, just wanted to open an issue to document. If I get around to digging into it and find a fix I'll send a PR your way.

As always, thanks for everything you do to maintain this wonderful project!

tsightler commented 2 years ago

OK, I finally found the magical required options. As the message above states, /run must be executable in the container. Previously it would work with just 777 permissions on /run, but the new version of s6-overlay is more strict on having secure permissions and wants the /run path to also be owned by the same uid as the USER directive.

After some playing around, I finally found the magical combination of specifying the uid option for the tmpfs mount, so for example, if you want to run as a non-root user with read-only root you now must also have Docker set up the tmpfs for /run as follows:

```shell
docker run -it --rm --mount type=bind,source=/home/notyouradmin/data,target=/data --tmpfs /run:exec,uid=1099 --user 1099 -e S6_READ_ONLY_ROOT=1 tsightler/ring-mqtt
```

This works right now, with the existing 5.0.3 Docker image, so no changes were required to the Docker image itself.
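An added check to go with the thread above (example script, not code from the ring-mqtt project, from s6-overlay, or from either commenter): the preinit warning in the log says to confirm that /proc is mounted and that /run is a tmpfs that is not noexec, and the last comment adds that the tmpfs should be owned by the container's uid. The script below reads a mount table in /proc/mounts format and checks exactly those three things for /run, so it can be run inside a container with `--live` or exercised offline against the constructed sample tables embedded in it. The uid 1099 and the mount option strings are assumptions modelled on the `docker run` line above; the sample tables are constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example (not ring-mqtt or s6-overlay code): verify that /run inside the
# container satisfies what s6-overlay v3's preinit asks for: it must be a tmpfs,
# it must not be mounted noexec, and when running as a non-root uid the tmpfs
# should be owned by that uid (the uid= option from "--tmpfs /run:exec,uid=N").
# The mount table is passed in as text so the check can be exercised offline.

# check_run_mount MOUNT_TABLE TARGET [EXPECTED_UID]
# Exit codes: 0 ok, 1 not mounted, 2 not tmpfs, 3 noexec, 4 wrong owner uid.
check_run_mount() {
  mounts=$1; target=${2:-/run}; want_uid=${3:-0}
  # Last matching entry wins: a later mount over the same path shadows earlier ones.
  line=$(printf '%s\n' "$mounts" | awk -v t="$target" '$2 == t { l = $0 } END { print l }')
  if [ -z "$line" ]; then
    echo "$target: not in mount table (is /proc mounted, and is $target a tmpfs?)"; return 1
  fi
  fstype=$(printf '%s\n' "$line" | awk '{ print $3 }')
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  if [ "$fstype" != "tmpfs" ]; then
    echo "$target: filesystem is $fstype, expected tmpfs"; return 2
  fi
  case ",$opts," in
    *,noexec,*) echo "$target: mounted noexec; s6-overlay needs exec (use --tmpfs $target:exec)"; return 3 ;;
  esac
  if [ "$want_uid" != 0 ]; then
    # tmpfs only lists uid= in its mount options when the owner is not root
    case ",$opts," in
      *,uid=$want_uid,*) ;;
      *) echo "$target: tmpfs not owned by uid $want_uid (options: $opts)"; return 4 ;;
    esac
  fi
  echo "$target: ok ($fstype, $opts)"
  return 0
}

# Constructed sample mount tables (assumed option strings, not captured output).
SAMPLE_OK='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,relatime,uid=1099 0 0'
SAMPLE_NOEXEC='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0'
SAMPLE_ROOT_OWNED='tmpfs /run tmpfs rw,nosuid,nodev,relatime 0 0'
SAMPLE_MISSING='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# With --live, inspect the real mount table of the container this runs in;
# otherwise walk through the constructed samples as a demonstration.
if [ "${1:-}" = "--live" ]; then
  check_run_mount "$(cat /proc/mounts)" /run "$(id -u)"
else
  for s in "$SAMPLE_OK" "$SAMPLE_NOEXEC" "$SAMPLE_ROOT_OWNED" "$SAMPLE_MISSING"; do
    check_run_mount "$s" /run 1099 || true
  done
fi
```

Inside a container started with the `docker run` line above, `sh check-run.sh --live` (any file name; the name is an assumption) should report ok; a container started with a plain `--tmpfs /run` will fail the noexec check, and one started with `--tmpfs /run:exec` but without `uid=` will fail the owner check when run as a non-root user.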