Thursday, January 13, 2022

[389-users] Re: Running dscontainer as a non-root user

Sorry, ignore that example. I was doing something in that which can be ignored.

Here's my Dockerfile:

```dockerfile
ARG os_version

FROM oraclelinux:${os_version}

ARG version
ARG build_timestamp

LABEL version=${version}
LABEL build_timestamp=${build_timestamp}

# Create the unprivileged account, install 389-ds from the module stream,
# and lay out the /data volume so the usual /etc and /var/run paths point into it.
RUN \
groupadd -g 12345 ldapadmin && \
useradd -c "Unprivileged user which runs ds-389" -e "" -g 12345 -u 12345 -s "/sbin/nologin" ldapadmin && \
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
yum module enable 389-ds -y && \
yum module install 389-directory-server:stable -y && \
# yum update -y && \
yum install -y \
openldap-clients \
nss-pam-ldapd \
pam_yubico && \
yum clean all && \
mkdir -p /data/config && \
mkdir -p /data/ssca && \
mkdir -p /data/run && \
mkdir -p /var/run/dirsrv && \
chown -R ldapadmin:ldapadmin /data && \
chown -R ldapadmin:ldapadmin /var/run/dirsrv && \
ln -s /data/config /etc/dirsrv/slapd-localhost && \
ln -s /data/ssca /etc/dirsrv/ssca && \
# /var/run/dirsrv already exists at this point, so this creates the link
# /var/run/dirsrv/run -> /data/run rather than replacing the directory.
ln -s /data/run /var/run/dirsrv

COPY --chown=root:root run.sh /run.sh

# Executable by everyone; it does not need to be world-writable.
RUN \
chmod 0755 /run.sh

# run as a non privileged user
USER ldapadmin

CMD [ "/run.sh" ]
```


With the above, I'm getting the following error:

```
d389_1 | INFO: The 389 Directory Server Container Bootstrap
d389_1 | INFO: Inspired by works of: ITS, The University of Adelaide
d389_1 | INFO: 389 Directory Server Version: 1.4.4.17
d389_1 | INFO: Initialising 389-ds-container due to empty volume ...
d389_1 | DEBUG: Running setup with verbose
d389_1 | DEBUG: START: Starting installation ...
d389_1 | DEBUG: READY: Preparing installation for localhost...
d389_1 | INFO: Validate installation settings ...
d389_1 | DEBUG: PASSED: using config settings 999999999
d389_1 | DEBUG: PASSED: user / group checking
d389_1 | DEBUG: PASSED: prefix checking
d389_1 | DEBUG: list instance not found in /etc/dirsrv/slapd-localhost/dse.ldif: localhost
d389_1 |
d389_1 | DEBUG: PASSED: instance checking
d389_1 | DEBUG: INFO: temp root password set to dk.LiQZElkfUgGaJCdfqDs.LIJb8goJwA8kAs9Um9mNIXxFJ9YyG.O2hiufeNxec5
d389_1 | DEBUG: PASSED: root user checking
d389_1 | DEBUG: PASSED: network avaliability checking
d389_1 | DEBUG: READY: Beginning installation for localhost...
d389_1 | DEBUG: ACTION: Creating dse.ldif
d389_1 | INFO: Create file system structures ...
d389_1 | DEBUG: ACTION: creating /data/bak
d389_1 | DEBUG: ACTION: creating /etc/dirsrv/slapd-localhost
d389_1 | DEBUG: ACTION: creating /data/db
d389_1 | DEBUG: ACTION: creating /data/ldif
d389_1 | DEBUG: ACTION: creating /data/run/lock
d389_1 | DEBUG: ACTION: creating /data/logs
d389_1 | DEBUG: ACTION: creating /data/run
d389_1 | Traceback (most recent call last):
d389_1 | File "/usr/libexec/dirsrv/dscontainer", line 433, in <module>
d389_1 | begin_magic()
d389_1 | File "/usr/libexec/dirsrv/dscontainer", line 266, in begin_magic
d389_1 | if not sds.create_from_args(g2b.collect(), s2b.collect()):
d389_1 | File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 674, in create_from_args
d389_1 | self._install_ds(general, slapd, backends)
d389_1 | File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 783, in _install_ds
d389_1 | os.chown(db_parent, slapd['user_uid'], slapd['group_gid'])
d389_1 | PermissionError: [Errno 1] Operation not permitted: '/data/db/..'
```

Unsure what I am missing?
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
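The traceback ends in `os.chown(db_parent, ...)` on `/data/db/..`, i.e. the volume root, which ldapadmin already owns; since an unprivileged owner can never fail to chown a file to its own uid:gid, the EPERM implies the uid:gid lib389 asked for were not ldapadmin's (an inference from the log, not something the list confirms). The following added example (my own code, not the 389-ds project's or the poster's) predicts that outcome from the Linux chown rules before anything is touched, over a constructed ownership map; the uid 389 is a constructed stand-in for "some other account":

```python
import os

def chown_decision(cur_uid, cur_gid, uid, gid, euid, egroups):
    """Predict what os.chown(path, uid, gid) does for a file currently owned by
    cur_uid:cur_gid when run by a process with effective uid `euid` and group
    list `egroups`, without calling chown. Linux rules: only root (CAP_CHOWN)
    may change the owner; an unprivileged owner may change only the group, and
    only to a group it belongs to. Returns "noop", "chown" or "eperm"."""
    if cur_uid == uid and cur_gid == gid:
        return "noop"    # nothing to change, always allowed
    if euid == 0:
        return "chown"   # root may change owner and group freely
    if cur_uid == uid and cur_uid == euid and gid in egroups:
        return "chown"   # owner changing only the group, to one of its own
    return "eperm"       # the PermissionError the traceback reports

def volume_ownership(data_dir):
    """Real deployment: stat the paths dscontainer chowns (the volume root,
    reached as <data_dir>/db/.. in the traceback, and the subdirectories)."""
    paths = [os.path.join(data_dir, "db", "..")] + [
        os.path.join(data_dir, d) for d in ("bak", "db", "ldif", "logs", "run")]
    return {p: (os.stat(p).st_uid, os.stat(p).st_gid) for p in paths if os.path.exists(p)}

def preflight(ownership, uid, gid, euid, egroups):
    """Run the prediction over every path; any "eperm" means the install
    would abort exactly as in the log, before a single chown is attempted."""
    return {p: chown_decision(cu, cg, uid, gid, euid, egroups)
            for p, (cu, cg) in ownership.items()}

def demo():
    """Constructed scenario mirroring the Dockerfile: the volume is owned by
    ldapadmin (12345:12345) and the process runs as ldapadmin."""
    ownership = {p: (12345, 12345) for p in
                 ("/data/db/..", "/data/bak", "/data/db", "/data/ldif", "/data/logs", "/data/run")}
    # instance user resolves to ldapadmin itself: every chown is a no-op
    ok = preflight(ownership, 12345, 12345, euid=12345, egroups=[12345])
    # instance user resolves to a different uid (389 is a constructed value)
    bad = preflight(ownership, 389, 389, euid=12345, egroups=[12345])
    return sorted(set(ok.values())), sorted(set(bad.values()))

if __name__ == "__main__":
    print(demo())  # (['noop'], ['eperm'])
```

Running `preflight(volume_ownership("/data"), uid, gid, os.geteuid(), os.getgroups())` inside the container, with the uid:gid dscontainer will use, tells you before installation whether the volume ownership and the running user agree.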
