Nuxeo Enhanced Viewer / NEV-257

ARender Docker Images don't start with a non root user


      Description

      Context

      ARender Docker images start with critical errors when run as a non-root user.

      arender-document-converter
      docker run -it  --rm  -u 1500:0 docker-private-arondor-group.packages.nuxeo.com/arender-document-converter:4.0.8.NX1.2
      
      Status: Downloaded newer image for docker-private-arondor-group.packages.nuxeo.com/arender-document-converter:4.0.8.NX1.2
      cp: can't create '/etc/passwd': File exists
      TKC - 2020-04-14 08:55:01,534 INFO [main] o.s.b.SpringApplication [SpringApplicationBannerPrinter.java:61]
      
            /\ \             /\_\              /\ \
            \_\ \           / / /  _          /  \ \
            /\__ \         / / /  /\_\       / /\ \ \
           / /_ \ \       / / /__/ / /      / / /\ \ \
          / / /\ \ \     / /\_____/ /      / / /  \ \_\
         / / /  \/_/    / /\_______/      / / /    \/_/
        / / /          / / /\ \ \        / / /
       / / /          / / /  \ \ \      / / /________
      /_/ /          / / /    \ \ \    / / /_________\
      \_\/           \/_/      \_\_\   \/____________/
      
       (v4.0.8.NX1.2)
      
      
      TKC - 2020-04-14 08:55:01,569 INFO [main] c.a.m.s.c.a.TaskConversionMicroServiceApplication [SpringApplication.java:655] The following profiles are active: security
      

      We can see cp: can't create '/etc/passwd': File exists, which could lead to later errors. Furthermore, the service boots even if there are errors in the entrypoint that does the configuration.

      arender-ui
      docker run -it  --rm  -u 1500:0 docker-private-arondor-group.packages.nuxeo.com/arender-ui:4.0.8.NX1.2
      
      /!\Warning: 'ARENDERSRV_ARENDER_SERVER_RENDITION_HOSTS' is not set, ARender may not work
      mkdir: cannot create directory ‘//profile’: Permission denied
      mkdir: cannot create directory ‘//ARenderConfiguration’: Permission denied
      ./entrypoint.sh: line 35: //ARenderConfiguration/arender-custom-client-server.properties: No such file or directory
      Using CATALINA_BASE:   /usr/local/tomcat
      Using CATALINA_HOME:   /usr/local/tomcat
      Using CATALINA_TMPDIR: /usr/local/tomcat/temp
      Using JRE_HOME:        /usr/java/openjdk-13
      Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
      NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
      14-Apr-2020 08:57:12.076 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/profile], exists: [false], isDirectory: [false], canRead: [false]
      

      On this one, we can see several things:

      • the message /!\Warning: 'ARENDERSRV_ARENDER_SERVER_RENDITION_HOSTS' is not set, ARender may not work: I think this is not "may not" but "won't", so why start the service?
      • two identical errors mkdir: cannot create directory ‘//profile’: Permission denied: here it seems that you don't define $HOME, which makes ~/ fail in your entrypoint.sh
      • the last one, ./entrypoint.sh: line 35: //ARenderConfiguration/arender-custom-client-server.properties: No such file or directory, seems to be a result of the issue above

      nuxeo/arender-previewer

      I tested our image so that this Jira ticket matches the traces our ops see in production.

      docker run -it  --rm  -u 1500:0 docker-private-arondor-group.packages.nuxeo.com/nuxeo/arender-previewer:10.2.3-RC1
      
      Status: Downloaded newer image for docker-private-arondor-group.packages.nuxeo.com/nuxeo/arender-previewer:10.2.3-RC1
      /!\Warning: 'ARENDERSRV_ARENDER_SERVER_RENDITION_HOSTS' is not set, ARender may not work
      /usr/local/tomcat/entrypoint.sh: line 35: /home/arender/ARenderConfiguration/arender-custom-client-server.properties: Permission denied
      Using CATALINA_BASE:   /usr/local/tomcat
      Using CATALINA_HOME:   /usr/local/tomcat
      Using CATALINA_TMPDIR: /usr/local/tomcat/temp
      Using JRE_HOME:        /usr/java/openjdk-13
      Using CLASSPATH:       /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar
      NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
      

      We still have the warning message about ARENDERSRV_ARENDER_SERVER_RENDITION_HOSTS, which is expected as I didn't give one.
      We don't have the message mkdir: cannot create directory ‘//ARenderConfiguration’; this is because we define $HOME in our Docker image.

      We still have the permission error /usr/local/tomcat/entrypoint.sh: line 35: /home/arender/ARenderConfiguration/arender-custom-client-server.properties: Permission denied, which should not happen, and it should make the start fail.

      Request

      We want to be able to run the Docker images with a non-root user, and the image shouldn't start if there's an error during the configuration (currently done in the entrypoint).
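      As an added example (not the ARender entrypoint.sh and not part of this ticket), the POSIX shell sketch below shows the behaviour the Request asks for and addresses the three observations above: the missing ARENDERSRV_ARENDER_SERVER_RENDITION_HOSTS setting aborts start-up instead of printing a warning, an undefined $HOME is resolved to a directory an arbitrary non-root UID can write to instead of letting ~/ collapse to //, and any failure in the configuration step stops the script before the service boots. The function names resolve_home, prepare_config_dir and configure, the ARENDER_FALLBACK_HOME variable, the /tmp/arender fallback and the property key written to the file are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the ARender project's entrypoint.sh. It demonstrates a
# fail-fast configuration step that works for an arbitrary non-root UID such as
# "docker run -u 1500:0". All names below (ARENDER_FALLBACK_HOME, resolve_home,
# prepare_config_dir, configure, the property key) are chosen for this example.
set -eu

# require_env NAME: return 1 (which ends the script under set -e) unless the
# variable NAME is set and non-empty. Replaces a warning that lets the service
# boot without a mandatory setting.
require_env() {
  name="$1"
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "FATAL: '$name' is not set; refusing to start" >&2
    return 1
  fi
}

# resolve_home: with "-u 1500:0" the UID has no passwd entry, so $HOME is empty
# or "/" and "~/ARenderConfiguration" becomes "//ARenderConfiguration", which a
# non-root user cannot create. Fall back to a directory the process can own.
resolve_home() {
  if [ -n "${HOME:-}" ] && [ "$HOME" != "/" ]; then
    printf '%s\n' "$HOME"
  else
    printf '%s\n' "${ARENDER_FALLBACK_HOME:-/tmp/arender}"
  fi
}

# prepare_config_dir DIR: create DIR and verify the current UID can write to it.
# A "Permission denied" here is fatal rather than a log line that scrolls past.
prepare_config_dir() {
  dir="$1"
  mkdir -p "$dir" || return 1
  if [ ! -w "$dir" ]; then
    echo "FATAL: $dir is not writable by uid $(id -u)" >&2
    return 1
  fi
}

# configure: the work an entrypoint does before exec'ing the service. Every
# step either succeeds or returns non-zero, so set -e ends the script on the
# first problem. Prints the path of the properties file it wrote.
configure() {
  require_env ARENDERSRV_ARENDER_SERVER_RENDITION_HOSTS
  home="$(resolve_home)"
  prepare_config_dir "$home/ARenderConfiguration"
  prepare_config_dir "$home/profile"
  props="$home/ARenderConfiguration/arender-custom-client-server.properties"
  # Property key is illustrative; the real key is whatever ARender expects.
  printf 'rendition.hosts=%s\n' "$ARENDERSRV_ARENDER_SERVER_RENDITION_HOSTS" > "$props"
  printf '%s\n' "$props"
}

# A real entrypoint would end with:  configure && exec catalina.sh run
# It is not invoked here so the functions can be sourced and exercised directly.
```

      Because group 0 is passed as the GID in the reports above, the build-time counterpart of this script is to give the fallback directory to group 0 with group write permission, so that any UID the orchestrator picks can write its configuration there; HOME must also be set in the image, as the nuxeo/arender-previewer image already does.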
