yuzutech / kroki

Creates diagrams from textual descriptions!
https://kroki.io
MIT License

Docker container permission error #1766

Open maxwai opened 1 month ago

maxwai commented 1 month ago

The gateway docker container (named "core") can't resolve the hostnames of the other helper containers (mermaid, excalidraw, bpmn) because of permission errors with the default user.

When starting the container we get the following error from the core container (formatted):

{
  "timestamp": "1722935824662",
  "level": "WARN",
  "thread": "main",
  "logger": "io.netty.resolver.HostsFileEntriesProvider$Parser",
  "message": "Failed to load and parse hosts file at /etc/hosts",
  "context": "default",
  "exception": "java.io.FileNotFoundException: /etc/hosts (Permission denied)
                at java.base/java.io.FileInputStream.open0(Native Method)
                at java.base/java.io.FileInputStream.open(Unknown Source)
                at java.base/java.io.FileInputStream.<init>(Unknown Source)
                at io.netty.resolver.HostsFileEntriesProvider$ParserImpl.parse(HostsFileEntriesProvider.java:192)
                at io.netty.resolver.HostsFileEntriesProvider$ParserImpl.parseSilently(HostsFileEntriesProvider.java:295)
                at io.netty.resolver.HostsFileEntriesProvider$ParserImpl.parseSilently(HostsFileEntriesProvider.java:284)
                at io.netty.resolver.DefaultHostsFileEntriesResolver.parseEntries(DefaultHostsFileEntriesResolver.java:146)
                at io.netty.resolver.DefaultHostsFileEntriesResolver.<init>(DefaultHostsFileEntriesResolver.java:65)
                at io.netty.resolver.DefaultHostsFileEntriesResolver.<init>(DefaultHostsFileEntriesResolver.java:58)
                at io.netty.resolver.HostsFileEntriesResolver.<clinit>(HostsFileEntriesResolver.java:28)
                at io.netty.resolver.dns.DnsNameResolverBuilder.<init>(DnsNameResolverBuilder.java:67)
                at io.vertx.core.impl.resolver.DnsResolverProvider.<init>(DnsResolverProvider.java:105)
                at io.vertx.core.impl.resolver.DnsResolverProvider.create(DnsResolverProvider.java:43)
                at io.vertx.core.spi.resolver.ResolverProvider.factory(ResolverProvider.java:40)
                at io.vertx.core.impl.AddressResolver.<init>(AddressResolver.java:78)
                at io.vertx.core.impl.VertxImpl.<init>(VertxImpl.java:220)
                at io.vertx.core.impl.VertxBuilder.vertx(VertxBuilder.java:229)
                at io.vertx.core.impl.launcher.commands.ClasspathHandler.create(ClasspathHandler.java:114)
                at io.vertx.core.impl.launcher.commands.BareCommand.startVertx(BareCommand.java:284)
                at io.vertx.core.impl.launcher.commands.BareCommand.run(BareCommand.java:192)
                at io.vertx.core.impl.launcher.commands.RunCommand.run(RunCommand.java:246)
                at io.vertx.core.impl.launcher.VertxCommandLauncher.execute(VertxCommandLauncher.java:248)
                at io.vertx.core.impl.launcher.VertxCommandLauncher.dispatch(VertxCommandLauncher.java:402)
                at io.vertx.core.impl.launcher.VertxCommandLauncher.dispatch(VertxCommandLauncher.java:346)
                at io.vertx.core.Launcher.main(Launcher.java:45)"
}

Looking at the permissions of the file we can see that only root can read it and the default user (kroki) can't:

root@a8e4ba3069ab:/# ls -la /etc/hosts
-rw-r-----+ 1 root root 198 Aug  6 09:17 /etc/hosts

Since the file is not readable by the user running in the docker container, the application can't resolve the hostname of the other docker container.
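The following pre-flight script is an added example and not part of the kroki project or this issue: it checks, as the unprivileged service user, whether the hosts file that Netty's `HostsFileEntriesProvider` parses is readable, prints the owner and mode when it is not (the `-rw-r----- root root` case above), and performs the same whole-hostname lookup against that file so the cause shows up in container logs before the application starts. The helper names `mermaid`, `excalidraw` and `bpmn` are taken from the issue; the function names, the `PREFLIGHT_MAIN` variable and the sample addresses are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not kroki project code): pre-flight check for an unreadable
# hosts file. Run as the same user the service runs as (e.g. "kroki"), since
# readability is evaluated for the current uid.

# hosts_readable [FILE]: return 0 if FILE (default /etc/hosts) exists and is
# readable by the current user; otherwise print who we are and the file's
# owner/mode to stderr and return 1.
hosts_readable() {
    file="${1:-/etc/hosts}"
    if [ ! -e "$file" ]; then
        echo "preflight: $file does not exist" >&2
        return 1
    fi
    if [ ! -r "$file" ]; then
        echo "preflight: $(id -un) (uid $(id -u)) cannot read $file:" >&2
        ls -l "$file" >&2
        return 1
    fi
    return 0
}

# hosts_lookup NAME [FILE]: print the address mapped to NAME in FILE, ignoring
# comments and matching whole hostnames only (aliases in columns 2..n), which
# is what the hosts-file step of the resolver would see. Returns 1 if the
# file is unreadable or NAME is absent.
hosts_lookup() {
    name="$1"
    file="${2:-/etc/hosts}"
    hosts_readable "$file" || return 1
    addr=$(sed 's/#.*//' "$file" | awk -v n="$name" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Stand-alone use (PREFLIGHT_MAIN=1 sh preflight.sh): check the real
# /etc/hosts for the helper containers named in the issue.
if [ "${PREFLIGHT_MAIN:-0}" = 1 ]; then
    for h in mermaid excalidraw bpmn; do
        hosts_lookup "$h" || echo "preflight: $h not found via hosts file" >&2
    done
fi
```

Because root can read a mode-640 file regardless of its permission bits, the check only reproduces the issue's failure when executed as the unprivileged user; running it as root will report the file as readable.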

ggrossetie commented 1 month ago

Hey! I guess we could add read permission to other (644) when building the Docker image. I'm not a security expert but I think it's fine to make that file readable from the main process.