Rootless Container and external data dir (permission problems)

Hi,

I downloaded BS Free as a container and tried to run it under RHEL 8.9 (podman, not docker).

The BlueSpice application / the bluespice container works without problems in the following constellations:

  • running the container as root without external data dir
  • running the container as root with external data dir
  • running the container as non-root user without external data dir

But when I run the container as non-root WITH an external data dir, the container runs but MariaDB and Jetty fail to start:

$ podman run -d -p 80:80 --name bluespice -v /data:/data:Z -e DISABLE_PINGBACK=yes -e "BS_NAME=Test" -e "BS_LAN=en" -e "BS_URL=http://wikitest.domain" bluespice/bluespice-free:latest

root@wikitest

cat /data/logs/wiki.logs

Starting the container

  • Stopping Elasticsearch Server
    …done.
  • Starting Elasticsearch Server
    sysctl: setting key "vm.max_map_count", ignoring: Read-only file system
    OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
    OpenJDK 64-Bit Server VM warning: UseAVX=2 is not supported on this CPU, setting it to UseAVX=0
    …done.
  • Stopping MariaDB database server mysqld
    …done.
  • Starting MariaDB database server mysqld
    …fail!
    restarting jetty…
  • Starting Jetty 9 Servlet Engine jetty9
  • /var/run/jetty9.pid exists, but jetty was not running. Ignoring /var/run/jetty9.pid
    …fail!
    restarted jetty
    Restarting memcached: start-stop-daemon: warning: failed to kill 26567: No such process
    memcached.
  • Restarting PHP 8.2 FastCGI Process Manager php-fpm8.2
    …done.
  • Restarting periodic command scheduler cron
  • Stopping periodic command scheduler cron
    …done.
  • Starting periodic command scheduler cron
    …done.
  • Restarting nginx nginx
    …done.
    --=== [ READY! ] ===--

The user namespace looks OK to me…

bluespice@wikitest:/home/bluespice
$ id
uid=50001(bluespice) gid=50002(bluespice) groups=50002(bluespice)

$ podman unshare cat /proc/self/uid_map
0 50001 1
1 165536 65536

$ ll /data
total 0
drwxr-xr-x. 5 bluespice bluespice 72 Jan 19 13:10 backups
drwxr-xr-x. 2 bluespice bluespice 72 Jan 19 12:32 logs
drwx------. 3 165636 165636 72 Jan 19 13:11 mysql
drwxr-xr-x. 3 165568 165568 23 Jan 19 13:10 www

IDs 165636 & 165568 seem to be correct (they correspond to UIDs 101 (mysql) & 33 (www-data) in the container).

But there's still something wrong. Can anyone point me in the right direction!?

Thank you
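The UID arithmetic behind the ownership check in the post, as an added example (not from the original poster or the BlueSpice project): the function maps a container UID through uid_map lines of the form `<container_start> <host_start> <length>` and compares the result with the numeric owner seen on the host. The default map is constructed from the values shown in the post; on a real system feed it the output of `podman unshare cat /proc/self/uid_map`.

```shell
#!/bin/sh
# Constructed from the uid_map the post shows (not read from the running system).
UID_MAP='0 50001 1
1 165536 65536'

# host_uid_for <container_uid> [uid_map_text]
# Prints the host UID that rootless podman assigns to the container UID,
# or returns 1 when the UID lies outside every mapped range (files created
# by such a UID would fail with EOVERFLOW / permission errors).
host_uid_for() {
    cuid=$1
    map=${2:-$UID_MAP}
    result=$(printf '%s\n' "$map" | while read -r cstart hstart len; do
        [ -n "$cstart" ] || continue
        if [ "$cuid" -ge "$cstart" ] && [ "$cuid" -lt $((cstart + len)) ]; then
            echo $((hstart + cuid - cstart))
            break
        fi
    done)
    [ -n "$result" ] || return 1
    echo "$result"
}

# check_owner <numeric_owner_seen_on_host> <container_uid>
# Returns 0 when the owner shown by "ls -n" on the host is exactly what the
# map predicts for the container user (e.g. 165636 for mysql, UID 101).
check_owner() {
    expected=$(host_uid_for "$2") || return 2
    [ "$1" -eq "$expected" ]
}

# Stand-alone usage: verify the two data directories from the post.
if [ -z "$UIDMAP_LIB" ]; then
    check_owner 165636 101 && echo "/data/mysql: owner matches container uid 101 (mysql)"
    check_owner 165568 33  && echo "/data/www: owner matches container uid 33 (www-data)"
fi
```

A mismatch here means the directory was created under a different mapping (for instance a run as root, or an earlier subuid range), which is exactly the state that a clean re-creation of /data resolves.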

Good news. I deleted everything (/data, containers, images etc.) and started from scratch. Now the container is working as expected… 100% rootless, with SELinux & firewalling enabled and HTTPS. Nice :smiling_face_with_three_hearts:
