Ossec docker not starting up with the mounted/linked file /var/ossec/data/etc/shared/ar.conf - says permission denied ( on MAC)

[avisri]

Thanks for creating the docker ossec .

To reproduce : On a MAC Docker version : 1.12.0-rc4

• create dir mkdir ~/ossec_mnt
• git clone and build the image : docker build -t ossec_server
• The image builds sucessfully
• Launch using the readme instructions : docker run --name ossec-server -d -p 1514:1514/udp -p 1515:1515 -e SYSLOG_FORWARDING_ENABLED=true -e SYSLOG_FORWARDING_SERVER_IP=127.0.0.1 -v ~/ossec_mnt:/var/ossec/data -t ossec_server:latest
  • Confirmed ossec user/group was able to change the link file permissions.
  • However during startup /var/ossec/bin/ossec-control start ( after chrooting to /var/ossec ) The ossec always comes back with permission denied !
  • was also able to confirm this by open a bash shell to docker , installing strace and looking at strace logs.

What worked for me : Once I unlinked /var/ossec/etc --> data/etc and used /var/ossec/etc_template moved to /var/ossec/etc : rm -f /var/ossec/etc && mv /var/ossec/etc_template /var/ossec/etc.

[tkent]

@avisri

I think you're probably running into a situation created by Docker for Mac's use of osxfs, but I'll need a little more information to be sure.

Using the following setup

Docker for Mac: 1.3.0
OS X: 10.12.2
xetusoss/ossec-server: latest

I saw a few permission errors locally, but they may not be what you're seeing. Can you include the output from the container (docker logs ossec-server)?

[avisri]

@tkent thanks for looking into this issue.

I'm attaching the log file. ( There are sure some permission errors and I'm reading up the link you sent . Meantime thought I will send the logs out)

ossec-server-orig.logs.txt

[avisri]

@tkent Sorry my knowledge on debian is limited . As you suspected the perm issues are happening in OSX . I'm attaching some more logs and findings . Hope this helps.

My versions ( upgraded OSX and docker to latest and greatest and I was always on latest for docker-ossec-server ) :

$> sw_vers
ProductName:    Mac OS X
ProductVersion: 10.12
BuildVersion:   16A323
$> docker -v
Docker version 1.13.0, build 49bf474
$> git log -1
commit e7f6dd1d19ae5315eda4de3eb131f2dc85873102
Author: Terence Kent <tkent@xetus.com>
Date:   Mon Jan 16 16:01:36 2017 -0800

    Download the wazuh apt PGP key via HTTPS, to avoid MITM attacks that could occur at build time. Fixes #4

I was able employ set -o errexit strace

to dig this up so far . I'm seeing the reconfigure has issues with /var/ossec/rules ( being a mount !!?? )

 9500 [pid    29] execve("/usr/sbin/dpkg-reconfigure", ["dpkg-reconfigure", "-f", "noninteractive",        "ossec-hids"], [/* 8 vars */]) = 0

.
.
23989 [pid   109] brk(0)                      = 0x1d93000
 23990 [pid   109] brk(0x1db4000)              = 0x1db4000
 23991 [pid   109] open("/proc/filesystems", O_RDONLY) = 3
 23992 [pid   109] fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
 23993 [pid   109] mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =               0x7fec36948000
 23994 [pid   109] read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tt"..., 1024) = 476
 23995 [pid   109] read(3, "", 1024)           = 0
 23996 [pid   109] close(3)                    = 0
 23997 [pid   109] munmap(0x7fec36948000, 4096) = 0
 23998 [pid   109] mkdir("/var/ossec//rules/backup-rules.66", 0777) = -1 EACCES (Permission denied)
 23999 [pid   109] open("/usr/lib/charset.alias", O_RDONLY|O_NOFOLLOW) = -1 ENOENT (No such file or         directory)
 24000 [pid   109] write(2, "mkdir: ", 7mkdir: )      = 7
 24001 [pid   109] write(2, "cannot create directory '/var/os"..., 59cannot create directory '/var/         ossec//rules/backup-rules.66') = 59
 24002 [pid   109] write(2, ": Permission denied", 19: Permission denied) = 19
 24003 [pid   109] write(2, "\n", 1
 24004 )           = 1

Full log here docker-ossec-server-orig.1486107463.log.txt

My diff ( so far): diffs.diff.txt

PS: I did take out chown ossec:ossec /var/ossec but error happens before it .

My strace extry point script :

$> cat run-strace.bash
#!/bin/bash
strace -f bash -c "eval '/run.bash 2>&1 >/var/ossec/data/bash-trace.log' " 2>&1 | tee /var/ossec/data/strace.log

[tkent]

@avisri

Thanks for the follow up - this issue is definitely specific to the osxfs integration with Docker for Mac.

Since Docker for Mac is under such active development, I'm hesitant to even try to chase this down. My current opinion is that it will be best to just work around the problem using a data container when on OS X. I'm going to confirm that works as I expect and then I'll write up OS X-specific instructions.

[avisri]

Thanks again @tkent .

I have a not so pretty workaround for now : ( felt like some of my time just vanished into space :P ) .

• install vagrant with docker on OSX
• run docker inside vagrant