Re: Running dscontainer as a non-root user

> On 14 Jan 2022, at 15:24, Steve F <steve.falzon@xxxxxxxxxxx> wrote:
> 
> Sorry, ignore that example. I was doing something in that, that can be ignored. 
> 
> Here's my docker file:
> 
> ```
> ARG os_version
> 
> FROM oraclelinux:${os_version}
> 
> ARG version
> ARG build_timestamp
> 
> LABEL version=${version}
> LABEL build_timestamp=${build_timestamp}
> 
> RUN \
> 	groupadd -g 12345 ldapadmin && \
> 	# nologin lives in /sbin on Enterprise Linux 8 (the original had a typo, /bin/nologon)
> 	useradd -c "Unprivileged user which runs ds-389" -e "" -g 12345 -u 12345 -s "/sbin/nologin" ldapadmin && \
> 	yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
> 	yum module enable 389-ds -y && \
> 	yum module install 389-directory-server:stable -y && \
> 	# yum update -y && \
> 	yum install -y \
> 		openldap-clients \
> 		nss-pam-ldapd \
> 		pam_yubico && \
> 	yum clean all && \
> 	mkdir -p /data/config && \
> 	mkdir -p /data/ssca && \
> 	mkdir -p /data/run && \
> 	chown -R ldapadmin:ldapadmin /data && \
> 	# /var/run/dirsrv must not exist as a real directory here, otherwise the
> 	# symlink below lands inside it as /var/run/dirsrv/run instead of replacing it
> 	rm -rf /var/run/dirsrv && \
> 	ln -s /data/config /etc/dirsrv/slapd-localhost && \
> 	ln -s /data/ssca /etc/dirsrv/ssca && \
> 	ln -s /data/run /var/run/dirsrv
> 
> COPY --chown=root:root run.sh /run.sh
> 
> RUN \
> 	# executable is all the entrypoint needs; 0777 would let any process in the
> 	# container rewrite the script that runs on every start
> 	chmod 0755 /run.sh
> 
> # run as a non privileged user
> USER ldapadmin
> 
> CMD [ "/run.sh" ]
> 
> ```
> 
> 
> With the above, getting the following error:
> ```
> d389_1  | INFO: The 389 Directory Server Container Bootstrap
> d389_1  | INFO: Inspired by works of: ITS, The University of Adelaide
> d389_1  | INFO: 389 Directory Server Version: 1.4.4.17
> d389_1  | INFO: Initialising 389-ds-container due to empty volume ...
> d389_1  | DEBUG: Running setup with verbose
> d389_1  | DEBUG: START: Starting installation ...
> d389_1  | DEBUG: READY: Preparing installation for localhost...
> d389_1  | INFO: Validate installation settings ...
> d389_1  | DEBUG: PASSED: using config settings 999999999
> d389_1  | DEBUG: PASSED: user / group checking
> d389_1  | DEBUG: PASSED: prefix checking
> d389_1  | DEBUG: list instance not found in /etc/dirsrv/slapd-localhost/dse.ldif: localhost
> d389_1  |
> d389_1  | DEBUG: PASSED: instance checking
> d389_1  | DEBUG: INFO: temp root password set to dk.LiQZElkfUgGaJCdfqDs.LIJb8goJwA8kAs9Um9mNIXxFJ9YyG.O2hiufeNxec5
> d389_1  | DEBUG: PASSED: root user checking
> d389_1  | DEBUG: PASSED: network avaliability checking
> d389_1  | DEBUG: READY: Beginning installation for localhost...
> d389_1  | DEBUG: ACTION: Creating dse.ldif
> d389_1  | INFO: Create file system structures ...
> d389_1  | DEBUG: ACTION: creating /data/bak
> d389_1  | DEBUG: ACTION: creating /etc/dirsrv/slapd-localhost
> d389_1  | DEBUG: ACTION: creating /data/db
> d389_1  | DEBUG: ACTION: creating /data/ldif
> d389_1  | DEBUG: ACTION: creating /data/run/lock
> d389_1  | DEBUG: ACTION: creating /data/logs
> d389_1  | DEBUG: ACTION: creating /data/run
> d389_1  | Traceback (most recent call last):
> d389_1  |   File "/usr/libexec/dirsrv/dscontainer", line 433, in <module>
> d389_1  |     begin_magic()
> d389_1  |   File "/usr/libexec/dirsrv/dscontainer", line 266, in begin_magic
> d389_1  |     if not sds.create_from_args(g2b.collect(), s2b.collect()):
> d389_1  |   File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 674, in create_from_args
> d389_1  |     self._install_ds(general, slapd, backends)
> d389_1  |   File "/usr/lib/python3.6/site-packages/lib389/instance/setup.py", line 783, in _install_ds
> d389_1  |     os.chown(db_parent, slapd['user_uid'], slapd['group_gid'])
> d389_1  | PermissionError: [Errno 1] Operation not permitted: '/data/db/..'
> ```
> 
> Unsure what I am missing?
> 

What command are you using to run the container? How are you creating the volume? It's pretty likely that's where the permission issue is ... 



--
Sincerely,

William Brown

Senior Software Engineer, Identity and Access Management
SUSE Labs, Australia
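The traceback fails on `os.chown('/data/db/..', 12345, 12345)`, which an unprivileged process can only perform on a directory it already owns. The following is an added example, not code from the thread, that checks the ownership of the mounted volume the way William's question implies and repairs it with a one-off root container. It assumes uid/gid 12345 as in the Dockerfile, a volume mounted at /data, GNU stat, and oraclelinux:8 as the helper image.

```shell
#!/bin/sh
# Added example: verify that the volume handed to dscontainer is already owned
# by the container's non-root user, and fix it if not.
# Assumptions (mine, not the poster's): uid/gid 12345 from the Dockerfile,
# volume mounted at /data, GNU stat, helper image oraclelinux:8.

DS_UID=12345
DS_GID=12345

# volume_owner_ok DIR UID GID
# Returns 0 when DIR exists and is owned by UID:GID.  This mirrors what
# lib389's os.chown(db_parent, uid, gid) needs to succeed as a non-root
# process: the directory must already be owned by that uid, otherwise the
# call fails with EPERM exactly as in the traceback above.
volume_owner_ok() {
  dir=$1; want_uid=$2; want_gid=$3
  [ -d "$dir" ] || return 1
  owner=$(stat -c '%u:%g' "$dir" 2>/dev/null) || return 1
  [ "$owner" = "$want_uid:$want_gid" ]
}

# check_volume VOLUME: look at the named docker volume from a throwaway
# container, so the ownership seen is the same one the ds container sees.
check_volume() {
  docker run --rm -v "$1:/data" oraclelinux:8 stat -c '%u:%g %n' /data
}

# fix_volume VOLUME: chown the mount point as root once.  Recursive, in case
# the volume already holds root-owned files from an earlier failed start.
fix_volume() {
  docker run --rm -v "$1:/data" oraclelinux:8 chown -R "$DS_UID:$DS_GID" /data
}

# Usage: sh volume-owner.sh check <volume> | fix <volume>
case "${1:-}" in
  check) check_volume "$2" ;;
  fix)   fix_volume "$2" ;;
esac
```

The same `volume_owner_ok` test can sit at the top of run.sh so the container exits with a clear message before dscontainer starts instead of dying in the bootstrap.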
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure



