~tsileo/microblog.pub#7: make config stops with errors

Generating key...
Traceback (most recent call last):
  File "/app/scripts/config_wizard.py", line 95, in <module>
    main()
  File "/app/scripts/config_wizard.py", line 40, in main
    generate_key(_KEY_PATH)
  File "/app/app/key.py", line 14, in generate_key
    key_path.write_text(privkey_pem)
  File "/usr/local/lib/python3.10/pathlib.py", line 1154, in write_text
    with self.open(mode='w', encoding=encoding, errors=errors, newline=newline) as f:
  File "/usr/local/lib/python3.10/pathlib.py", line 1119, in open
    return self._accessor.open(self, mode, buffering, encoding, errors,
PermissionError: [Errno 13] Permission denied: '/app/data/key.pem'
make: [Makefile:11: config] Error 1 (ignored)
docker run --env MICROBLOGPUB_CONFIG_FILE=tests.toml --rm -it --volume `pwd`/data:/app/data --volume `pwd`/app/static:/app/app/static microblogpub/microblogpub inv configuration-wizard
Traceback (most recent call last):
  File "/opt/venv/.venv/bin/inv", line 8, in <module>
    sys.exit(program.run())
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 384, in run
    self.execute()
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 566, in execute
    executor.execute(*self.tasks)
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/executor.py", line 129, in execute
    result = call.task(*args, **call.kwargs)
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/tasks.py", line 127, in __call__
    result = self.body(*args, **kwargs)
  File "/app/tasks.py", line 128, in download_twemoji
    with open(f"app/static/twemoji/{emoji_name}", "wb") as f:
PermissionError: [Errno 13] Permission denied: 'app/static/twemoji/1f004.svg'
make: [Makefile:12: config] Error 1 (ignored)
Status
REPORTED
Submitter
~tangram
Assigned to
No-one
Submitted
2 years ago
Updated
1 year, 4 months ago
Labels
No labels applied.

~tangram (edited) 2 years ago*

I replaced `pwd` in the Makefile with $(pwd), and the execution changed the errors to:

# Run and remove instantly
docker run --rm -it --volume /data:/app/data microblogpub/microblogpub inv configuration-wizard
Traceback (most recent call last):
  File "/opt/venv/.venv/bin/inv", line 8, in <module>
    sys.exit(program.run())
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 384, in run
    self.execute()
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 566, in execute
    executor.execute(*self.tasks)
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/executor.py", line 129, in execute
    result = call.task(*args, **call.kwargs)
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/tasks.py", line 127, in __call__
    result = self.body(*args, **kwargs)
  File "/app/tasks.py", line 49, in compile_scss
    build_favicon()
  File "/app/app/utils/favicon.py", line 20, in build_favicon
    im = Image.new("RGB", (32, 32), ImageColor.getrgb(_get_primary_color()))
  File "/app/app/utils/favicon.py", line 9, in _get_primary_color
    compiled = sass.compile(
  File "/opt/venv/.venv/lib/python3.10/site-packages/sass.py", line 738, in compile
    raise CompileError(v)
sass.CompileError: Error: File to import not found or unreadable: theme.scss.
        on line 14:1 of app/scss/main.scss
        from line 1:1 of stdin
>> @import "theme.scss";

   ^

make: [Makefile:11: config] Error 1 (ignored)
docker run --env MICROBLOGPUB_CONFIG_FILE=tests.toml --rm -it --volume /data:/app/data --volume /app/static:/app/app/static microblogpub/microblogpub inv configuration-wizard
Traceback (most recent call last):
  File "/opt/venv/.venv/bin/inv", line 8, in <module>
    sys.exit(program.run())
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 384, in run
    self.execute()
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 566, in execute
    executor.execute(*self.tasks)
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/executor.py", line 129, in execute
    result = call.task(*args, **call.kwargs)
  File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/tasks.py", line 127, in __call__
    result = self.body(*args, **kwargs)
  File "/app/tasks.py", line 128, in download_twemoji
    with open(f"app/static/twemoji/{emoji_name}", "wb") as f:
FileNotFoundError: [Errno 2] No such file or directory: 'app/static/twemoji/1f004.svg'
make: [Makefile:12: config] Error 1 (ignored)

~tsileo 2 years ago

Hey!

I think I know what is happening: the Docker image is assuming the uid/gid is 1000.

Can you run the id command and confirm that your uid and gid are not 1000?

If so tweaking the Dockerfile to replace 1000 with your current uid/gid should unblock you.

~tangram 2 years ago

$ id
uid=0(root) gid=0(root) groups=0(root)

thanks for the answer!

~tangram 2 years ago

Step 12/19 : RUN groupadd --gid 0 microblogpub && useradd --uid 0 --gid microblogpub --shell /bin/bash microblogpub
 ---> Running in 618d057b90a8
groupadd: GID '0' already exists

~tangram 2 years ago

OK, I've deleted --gid 0 & --uid 0; the build works well, as it did before that, but the problem is when I run make config, and the errors remain the same.

~tangram 2 years ago

I forgot to say that I've changed chown too, and the last error in make config that persists is: PermissionError: [Errno 13] Permission denied: 'app/static/twemoji/1f004.svg'

~tsileo 2 years ago*

I think you will need to delete these 3 lines to be able to run as root:

RUN groupadd --gid 1000 microblogpub \
  && useradd --uid 1000 --gid microblogpub --shell /bin/bash microblogpub
RUN chown -R 1000:1000 /app
USER microblogpub

~tsileo 2 years ago

I will try to think how/if we can support both running as root and running as a user (which is considered to be a best practice).
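The edit tsileo describes (replacing the hard-coded 1000 with the host uid/gid, or dropping the user setup altogether when the host user is root) can be scripted so the Dockerfile follows whoever owns the bind-mounted ./data and ./app/static. The following shell script is an added example, not code from microblog.pub or from this thread. It assumes the three Dockerfile lines look exactly as quoted above; in the root case it also removes the USER line, since there is no microblogpub user left to switch to, and the names patch_dockerfile_user and patch_dockerfile_user.sh are the example's own.

```shell
#!/bin/sh
# Added example, not microblog.pub code: rewrite the three Dockerfile lines
# quoted in this thread so the in-container user matches the host user that
# owns the bind-mounted ./data and ./app/static.
#
# Assumptions: the Dockerfile contains the lines quoted above (groupadd and
# useradd with 1000, "RUN chown -R 1000:1000 /app", "USER microblogpub").
# When the host user is root (uid 0) those lines are dropped instead of
# rewritten: "groupadd --gid 0" fails because GID 0 already exists (the
# build output earlier in the thread shows this), and without a microblogpub
# user there is nothing for USER to switch to, so the image runs as root.

# patch_dockerfile_user FILE UID GID   (rewrites FILE in place)
patch_dockerfile_user() {
  file=$1
  uid=$2
  gid=$3
  case "$uid$gid" in
    *[!0-9]*|'') echo "uid and gid must be numeric" >&2; return 2 ;;
  esac
  if [ "$uid" -eq 0 ]; then
    # Root: delete the user setup, the chown and the USER switch.
    sed -e '/^RUN groupadd --gid 1000 microblogpub/d' \
        -e '/^[[:space:]]*&& useradd --uid 1000 --gid microblogpub/d' \
        -e '/^RUN chown -R 1000:1000 \/app/d' \
        -e '/^USER microblogpub/d' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    # Non-root: substitute the host ids for the hard-coded 1000.
    sed -e "s|--gid 1000 microblogpub|--gid $gid microblogpub|" \
        -e "s|--uid 1000 --gid microblogpub|--uid $uid --gid microblogpub|" \
        -e "s|chown -R 1000:1000 /app|chown -R $uid:$gid /app|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  fi
}

# Usage: sh patch_dockerfile_user.sh path/to/Dockerfile
# Applies the current host user's ids (what "id -u" and "id -g" print).
if [ "$#" -ge 1 ]; then
  patch_dockerfile_user "$1" "$(id -u)" "$(id -g)"
fi
```

Run it before `make build`. On a host where `id -u` prints 0 the result is an image that runs as root, which is what this thread ends up doing and which gives up the least-privilege benefit tsileo mentions; the root branch exists only so that the build does not fail on groupadd --gid 0.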

~tangram 2 years ago

You're right, it's my poor knowledge of Linux security management.

~tsileo 2 years ago

No problem, let me know if you have other issues. I will update the documentation to mention it assumes the current user isn't root until I find a solution.

~alxgsv 2 years ago

Similar problem for me, but with mounted data volume. Something isn't right with user management in Dockerfile. Running as root works.

~tsileo 2 years ago

Hey, can you run the id command?

If it's different from 1000 you will have to replace it with your actual uid/gid.

~steveblamey 2 years ago

With rootless containers the uid/gid of processes inside the container are mapped to another uid/gid in the user namespace. Skipping the details, you can use the following command to allow the microblogpub processes inside the container to write to the static folder in the mounted volume:

$ docker unshare chown -R 1000:1000 $PWD/app/static

This article is based around podman and not docker, but it does describe how all this works.

Hope that helps someone.

~steveblamey 2 years ago

Apologies everyone. It seems that the above will not work for you in docker; it is a podman-specific way of running commands in the user namespace. For docker it seems to depend on how you have things set up, https://docs.docker.com/engine/security/rootless/

I am running microblogpub in a container using rootless podman and no modifications to the source code. I will be writing that up soon and will put a link here for anyone interested.
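With a rootless daemon, a plain `chown -R 1000:1000` on the host does not give the container user access to the mounted ./data and ./app/static, because ids inside the container are offset into the invoking user's subordinate range. The following shell script is an added example, not code from microblog.pub or from these comments; it computes the host owner the mounts need. It assumes the default rootless mapping that rootless Docker and podman use unless overridden (for instance by podman's --userns=keep-id): container id 0 is the invoking user, and container id N for N >= 1 is START + N - 1 of the user's /etc/subuid or /etc/subgid entry. The names host_id_for, subid_entry_for and the ROOTLESS variable are the example's own.

```shell
#!/bin/sh
# Added example, not microblog.pub code: work out which host uid/gid must own
# the bind-mounted ./data and ./app/static so that the container user
# (uid/gid 1000 in the project's Dockerfile) can write there, for both a
# rootful and a rootless daemon.
#
# Assumed mapping (default rootless user-namespace layout): container id 0 is
# the invoking host user; container ids 1..COUNT are the user's subordinate
# range "name:START:COUNT" from /etc/subuid or /etc/subgid, so container id
# N maps to host id START + N - 1. A rootful daemon does not remap at all.

# host_id_for CONTAINER_ID ROOT_HOST_ID SUBID_ENTRY
#   CONTAINER_ID  id as seen inside the container (e.g. 1000)
#   ROOT_HOST_ID  host id that container id 0 maps to (the invoking user)
#   SUBID_ENTRY   the user's "name:START:COUNT" entry, or "" for a rootful
#                 daemon (no remapping)
# Prints the host id; returns 1 if the id lies outside the subordinate range.
host_id_for() {
  cid=$1
  root_host_id=$2
  entry=$3
  if [ -z "$entry" ]; then
    echo "$cid"            # rootful: ids are not remapped
    return 0
  fi
  if [ "$cid" -eq 0 ]; then
    echo "$root_host_id"   # container root is the invoking user
    return 0
  fi
  start=$(printf '%s\n' "$entry" | cut -d: -f2)
  count=$(printf '%s\n' "$entry" | cut -d: -f3)
  if [ "$cid" -gt "$count" ]; then
    echo "container id $cid is outside the $count-id subordinate range" >&2
    return 1
  fi
  echo $((start + cid - 1))
}

# subid_entry_for USER FILE: first entry for USER in FILE (/etc/subuid or
# /etc/subgid); prints nothing if there is none.
subid_entry_for() {
  grep -E "^$1:" "$2" 2>/dev/null | head -n 1
}

# Container ids hard-coded in the Dockerfile discussed in this issue.
CONTAINER_UID=1000
CONTAINER_GID=1000

# Usage: ROOTLESS=1 sh owner_for_mounts.sh   (leave ROOTLESS unset for a
# rootful daemon). Prints the chown command to run on the host.
if [ "${ROOTLESS:-0}" = "1" ]; then
  uid_entry=$(subid_entry_for "$(id -un)" /etc/subuid)
  gid_entry=$(subid_entry_for "$(id -un)" /etc/subgid)
  if [ -z "$uid_entry" ] || [ -z "$gid_entry" ]; then
    echo "no /etc/subuid or /etc/subgid entry for $(id -un); rootless mapping cannot work" >&2
    exit 1
  fi
else
  uid_entry=""
  gid_entry=""
fi
host_uid=$(host_id_for "$CONTAINER_UID" "$(id -u)" "$uid_entry")
host_gid=$(host_id_for "$CONTAINER_GID" "$(id -g)" "$gid_entry")
echo "chown -R $host_uid:$host_gid ./data ./app/static"
```

For a user whose /etc/subuid entry is alice:100000:65536, container uid 1000 is host uid 100999, so that is the owner the mounted directories need. With podman, `podman unshare chown -R 1000:1000 ./app/static` performs the same translation from inside the user namespace; Docker has no `docker unshare` subcommand, which is why the command in the earlier comment does not work there.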

~alxgsv 2 years ago

Ah this makes sense, thank you!

ZeroAurora 1 year, 4 months ago

Hi,

Trying to configure microblog.pub under root and encountered this issue.

To my knowledge of containerized applications, running applications under root in a container does not impact security (at least not that much). It's also a common practice though.

So I'm commenting out the Dockerfile to make it work. Please let me know if there are any points that I ignored.
