Thursday, January 13, 2022

[389-users] Re: Running dscontainer as a non-root user

> On 14 Jan 2022, at 15:24, Steve F <steve.falzon@outlook.com> wrote:
>
> Sorry, ignore that example. I was doing something in that, that can be ignored.
>
> Here's my docker file:
>
> ```
> ARG os_version
>
> FROM oraclelinux:${os_version}
>
> ARG version
> ARG build_timestamp
>
> LABEL version=${version}
> LABEL build_timestamp=${build_timestamp}
>
> RUN \
> groupadd -g 12345 ldapadmin && \
> useradd -c "Unprivileged user which runs ds-389" -e "" -g 12345 -u 12345 -s "/bin/nologon" ldapadmin && \
> yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
> yum module enable 389-ds -y && \
> yum module install 389-directory-server:stable -y && \
> # yum update -y && \
> yum install -y \
> openldap-clients \
> nss-pam-ldapd \
> pam_yubico && \
> yum clean all && \
> mkdir -p /data/config && \
> mkdir -p /data/ssca && \
> mkdir -p /data/run && \
> mkdir -p /var/run/dirsrv && \
> chown -R ldapadmin:ldapadmin /data && \
> chown -R ldapadmin:ldapadmin /var/run/dirsrv && \
> ln -s /data/config /etc/dirsrv/slapd-localhost && \
> ln -s /data/ssca /etc/dirsrv/ssca && \
> ln -s /data/run /var/run/dirsrv
>
> COPY --chown=root:root run.sh /run.sh
>
> RUN \
> chmod 0777 /run.sh
>
> # run as a non privileged user
> USER ldapadmin
>
> CMD [ "/run.sh" ]
>
> ```
>
>
> With the above, getting the following error:
> ```
> d389_1 | INFO: The 389 Directory Server Container Bootstrap
> d389_1 | INFO: Inspired by works of: ITS, The University of Adelaide
> d389_1 | INFO: 389 Directory Server Version: 1.4.4.17
> d389_1 | INFO: Initialising 389-ds-container due to empty volume ...
> d389_1 | DEBUG: Running setup with verbose
> d389_1 | DEBUG: START: Starting installation ...
> d389_1 | DEBUG: READY: Preparing installation for localhost...
> d389_1 | INFO: Validate installation settings ...
> d389_1 | DEBUG: PASSED: using config settings 999999999
> d389_1 | DEBUG: PASSED: user / group checking
> d389_1 | DEBUG: PASSED: prefix checking
> d389_1 | DEBUG: list instance not found in /etc/dirsrv/slapd-localhost/dse.ldif: localhost
> d389_1 |
> d389_1 | DEBUG: PASSED: instance checking
> d389_1 | DEBUG: INFO: temp root password set to dk.LiQZElkfUgGaJCdfqDs.LIJb8goJwA8kAs9Um9mNIXxFJ9YyG.O2hiufeNxec5
> d389_1 | DEBUG: PASSED: root user checking
> d389_1 | DEBUG: PASSED: network avaliability checking
> d389_1 | DEBUG: READY: Beginning installation for localhost...
> d389_1 | DEBUG: ACTION: Creating dse.ldif
> d389_1 | INFO: Create file system structures ...
> d389_1 | DEBUG: ACTION: creating /data/bak
> d389_1 | DEBUG: ACTION: creating /etc/dirsrv/slapd-localhost
> d389_1 | DEBUG: ACTION: creating /data/db
> d389_1 | DEBUG: ACTION: creating /data/ldif
> d389_1 | DEBUG: ACTION: creating /data/run/lock
> d389_1 | DEBUG: ACTION: creating /data/logs
> d389_1 | DEBUG: ACTION: creating /data/run
> d389_1 | Traceback (most recent call last):
> d389_1 | File "/usr/libexec/dirsrv/dscontainer", line 433, in <module>
> d389_1 | begin_magic()
> d389_1 | File "/usr/libexec/dirsrv/dscontainer", line 266, in begin_magic
> d389_1 | if not sds.create_from_args(g2b.collect(), s2b.collect()):
> d389_1 | File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 674, in create_from_args
> d389_1 | self._install_ds(general, slapd, backends)
> d389_1 | File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 783, in _install_ds
> d389_1 | os.chown(db_parent, slapd['user_uid'], slapd['group_gid'])
> d389_1 | PermissionError: [Errno 1] Operation not permitted: '/data/db/..'
> ```
>
> Unsure what I am missing?
>

What command are you using to run the container? How are you creating the volume? It's pretty likely that's where the permission issue is ...



--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

No comments:

Post a Comment