voxpupuli / container-puppetdb

Container image for PuppetDB
Apache License 2.0

Permission denied on ENTRYPOINT when running on Red Hat Openshift #61

Closed bschonec closed 4 months ago

bschonec commented 4 months ago

Somewhat related to #60.

When creating an application using the Docker image (not a full build), the pod fails with:

/docker-entrypoint.sh: line 6: /etc/puppetlabs/puppetdb/conf.d/.dockerenv: Permission denied

Steps to reproduce:

  1. As user, "Developer" in the desired project, click "+Add", "Container Images"
  2. In the "Image name from external registry" box, enter the desired Docker image of container-puppetdb. In my case, I used: "ghcr.io/voxpupuli/container-puppetdb:8.3.0-latest"
  3. Scroll down and click "Deployment"
  4. Enter any environment variables necessary for your environment. In my case, I had to enter the FQDN to my $PUPPETSERVER_HOSTNAME server.

Again, I'm a novice at OpenShift but I believe this may be something related to rootless containers. The /docker-entrypoint.sh runs as a non-root, non-puppetdb user (in my case, UID 1001650000). Since the /etc/puppetlabs/puppetdb directory and its children are owned by puppetdb:puppetdb, the /docker-entrypoint.sh script fails.

1001650000@container-puppetdb2-6cfc5d7b6c-r6rhz-debug-mrvlq:/$ bash -x /docker-entrypoint.sh
+ set -e
+ . /etc/puppetlabs/puppetdb/conf.d/.dockerenv
/docker-entrypoint.sh: line 6: /etc/puppetlabs/puppetdb/conf.d/.dockerenv: Permission denied
1001650000@container-puppetdb2-6cfc5d7b6c-r6rhz-debug-mrvlq:/$ ls -l /etc/puppetlabs/puppetdb/ -d
drwxr-x---. 1 puppetdb puppetdb 20 Mar 21 10:13 /etc/puppetlabs/puppetdb/
1001650000@container-puppetdb2-6cfc5d7b6c-r6rhz-debug-mrvlq:/$ id
uid=1001650000(1001650000) gid=0(root) groups=0(root),1001650000

This behavior does not happen with Podman on the command line as the only users that are running processes are root and puppetdb.

This behavior happens on both ghcr.io/voxpupuli/container-puppetdb:8.3.0-latest and ghcr.io/voxpupuli/container-puppetdb:7.16.0-latest images.
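Added example, not part of the original issue or the project's code: a POSIX shell check that applies the Unix owner/group/other rules to the identity from the `id` output above, to show why mode 750 owned by puppetdb:puppetdb shuts out that UID. The numeric id 999 for puppetdb is a constructed placeholder, and `perm_allows` and `path_readable` are hypothetical helper names; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the container-puppetdb repository).
# Root's permission bypass is ignored: the UID in the report is not root.

# perm_allows UID "GIDS" FILE_UID FILE_GID MODE NEED
# MODE is octal as printed by `stat -c %a`; NEED is 4 (read), 2 (write) or 1 (search).
perm_allows() {
    pa_perms=$(( 0$5 & 0777 ))
    if [ "$1" = "$3" ]; then
        pa_bits=$(( (pa_perms >> 6) & 7 ))      # owner class, used exclusively
    else
        pa_bits=$(( pa_perms & 7 ))             # other class, unless a group matches
        for pa_g in $2; do
            if [ "$pa_g" = "$4" ]; then pa_bits=$(( (pa_perms >> 3) & 7 )); fi
        done
    fi
    [ $(( pa_bits & $6 )) -eq "$6" ]
}

# path_readable UID "GIDS" FILE
# Needs search on every parent directory and read on FILE itself.
path_readable() {
    pr_uid=$1; pr_gids=$2; pr_file=$3
    pr_dir=$(dirname "$pr_file")
    while :; do
        set -- $(stat -c '%u %g %a' "$pr_dir")
        if ! perm_allows "$pr_uid" "$pr_gids" "$1" "$2" "$3" 1; then
            echo "denied: no search permission on $pr_dir (uid=$1 gid=$2 mode=$3)"
            return 1
        fi
        case $pr_dir in /|.) break ;; esac
        pr_dir=$(dirname "$pr_dir")
    done
    set -- $(stat -c '%u %g %a' "$pr_file")
    perm_allows "$pr_uid" "$pr_gids" "$1" "$2" "$3" 4 ||
        { echo "denied: no read permission on $pr_file"; return 1; }
}

# Identity from the `id` output in the report.
RUN_UID=1001650000
RUN_GIDS="0 1001650000"
# Constructed: 999 stands in for the numeric puppetdb uid/gid, which the report does not show.
# drwxr-x--- is mode 750. First line: group puppetdb. Second line: same mode, group 0.
perm_allows "$RUN_UID" "$RUN_GIDS" 999 999 750 1 && echo "group puppetdb: reachable" || echo "group puppetdb: denied"
perm_allows "$RUN_UID" "$RUN_GIDS" 999 0 750 1 && echo "group 0: reachable" || echo "group 0: denied"
```

Inside the running pod, `path_readable "$(id -u)" "$(id -G)" /etc/puppetlabs/puppetdb/conf.d/.dockerenv` names the first directory that blocks the entrypoint.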

rwaffen commented 4 months ago

I'll take a look at this.

bschonec commented 4 months ago

I found this article that explains what's happening. I don't yet have enough OpenShift experience to make any recommendations or changes but I'll continue to investigate a possible fix.

Is Kubernetes close enough to OpenShift that Kubernetes users would be experiencing the same problem?

rwaffen commented 4 months ago

hmm don't know if K8S is close to OS. I removed the file and added the vars to the Dockerfile. I hope this will fix this issue.

rwaffen commented 4 months ago

you can test this with 7.16.0-main or 8.3.0-main container tag. build should finish any minute.