Generating key...
Traceback (most recent call last):
File "/app/scripts/config_wizard.py", line 95, in <module>
main()
File "/app/scripts/config_wizard.py", line 40, in main
generate_key(_KEY_PATH)
File "/app/app/key.py", line 14, in generate_key
key_path.write_text(privkey_pem)
File "/usr/local/lib/python3.10/pathlib.py", line 1154, in write_text
with self.open(mode='w', encoding=encoding, errors=errors, newline=newline) as f:
File "/usr/local/lib/python3.10/pathlib.py", line 1119, in open
return self._accessor.open(self, mode, buffering, encoding, errors,
PermissionError: [Errno 13] Permission denied: '/app/data/key.pem'
make: [Makefile:11: config] Error 1 (ignored)
docker run --env MICROBLOGPUB_CONFIG_FILE=tests.toml --rm -it --volume `pwd`/data:/app/data --volume `pwd`/app/static:/app/app/static microblogpub/microblogpub inv configuration-wizard
Traceback (most recent call last):
File "/opt/venv/.venv/bin/inv", line 8, in <module>
sys.exit(program.run())
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 384, in run
self.execute()
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 566, in execute
executor.execute(*self.tasks)
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/executor.py", line 129, in execute
result = call.task(*args, **call.kwargs)
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/tasks.py", line 127, in __call__
result = self.body(*args, **kwargs)
File "/app/tasks.py", line 128, in download_twemoji
with open(f"app/static/twemoji/{emoji_name}", "wb") as f:
PermissionError: [Errno 13] Permission denied: 'app/static/twemoji/1f004.svg'
make: [Makefile:12: config] Error 1 (ignored)
I replaced 'pwd' in the Makefile with $(pwd), and the execution changed the errors to:
# Run and remove instantly
docker run --rm -it --volume /data:/app/data microblogpub/microblogpub inv configuration-wizard
Traceback (most recent call last):
File "/opt/venv/.venv/bin/inv", line 8, in <module>
sys.exit(program.run())
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 384, in run
self.execute()
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 566, in execute
executor.execute(*self.tasks)
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/executor.py", line 129, in execute
result = call.task(*args, **call.kwargs)
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/tasks.py", line 127, in __call__
result = self.body(*args, **kwargs)
File "/app/tasks.py", line 49, in compile_scss
build_favicon()
File "/app/app/utils/favicon.py", line 20, in build_favicon
im = Image.new("RGB", (32, 32), ImageColor.getrgb(_get_primary_color()))
File "/app/app/utils/favicon.py", line 9, in _get_primary_color
compiled = sass.compile(
File "/opt/venv/.venv/lib/python3.10/site-packages/sass.py", line 738, in compile
raise CompileError(v)
sass.CompileError: Error: File to import not found or unreadable: theme.scss.
on line 14:1 of app/scss/main.scss
from line 1:1 of stdin
>> @import "theme.scss";
   ^
make: [Makefile:11: config] Error 1 (ignored)
docker run --env MICROBLOGPUB_CONFIG_FILE=tests.toml --rm -it --volume /data:/app/data --volume /app/static:/app/app/static microblogpub/microblogpub inv configuration-wizard
Traceback (most recent call last):
File "/opt/venv/.venv/bin/inv", line 8, in <module>
sys.exit(program.run())
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 384, in run
self.execute()
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/program.py", line 566, in execute
executor.execute(*self.tasks)
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/executor.py", line 129, in execute
result = call.task(*args, **call.kwargs)
File "/opt/venv/.venv/lib/python3.10/site-packages/invoke/tasks.py", line 127, in __call__
result = self.body(*args, **kwargs)
File "/app/tasks.py", line 128, in download_twemoji
with open(f"app/static/twemoji/{emoji_name}", "wb") as f:
FileNotFoundError: [Errno 2] No such file or directory: 'app/static/twemoji/1f004.svg'
make: [Makefile:12: config] Error 1 (ignored)
Hey!
I think I know what is happening: the Docker image is assuming the uid/gid is 1000.
Can you run the id command and confirm that your uid and gid are not 1000? If so, tweaking the Dockerfile to replace 1000 with your current uid/gid should unblock you.
id
uid=0(root) gid=0(root) groups=0(root)
thanks for the answer!
Step 12/19 : RUN groupadd --gid 0 microblogpub && useradd --uid 0 --gid microblogpub --shell /bin/bash microblogpub
---> Running in 618d057b90a8
groupadd: GID '0' already exists
OK, I've deleted --gid 0 & --uid 0. The build works well, but the problem is when I run make config: the errors remain the same.
I forgot to say that I've changed chown too, and the last error in make config that persists is: PermissionError: [Errno 13] Permission denied: 'app/static/twemoji/1f004.svg'
I think you will need to delete these 3 lines to be able to run as root:
RUN groupadd --gid 1000 microblogpub \
    && useradd --uid 1000 --gid microblogpub --shell /bin/bash microblogpub
RUN chown -R 1000:1000 /app
USER microblogpub
I will try to think how/if we can support both running as root and running as a user (which is considered to be a best practice).
You're right, it's my poor knowledge of Linux security management.
No problem, let me know if you have other issues. I will update the documentation to mention it assumes the current user isn't root until I find a solution.
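The check the maintainer asks for above (compare your uid/gid with the 1000:1000 the Dockerfile hard-codes, then look at who owns the files in the bind-mounted directories) can be scripted. The script below is an added example, not code from the microblogpub project or from anyone in this thread; the file name check_mounts.sh, the CONTAINER_UID/CONTAINER_GID variables and all function names are my own. It lists every path under a mounted directory that the container user would not own, which is exactly what produces the "PermissionError: [Errno 13]" tracebacks when the configuration wizard writes key.pem or the twemoji files. The docker run --user flag it mentions is a standard Docker option for overriding the image's USER without rebuilding; whether that is enough for this image depends on what else under /app the process needs to write, so the Dockerfile edit the maintainer describes stays the safer route.

```sh
#!/bin/sh
# Added example (not part of the microblogpub project): report ownership mismatches
# between the host user and the user the container process runs as.
#
# Usage: sh check_mounts.sh ./data ./app/static
# Override the container ids if you edited the Dockerfile:
#   CONTAINER_UID=$(id -u) CONTAINER_GID=$(id -g) sh check_mounts.sh ./data

# Defaults are the ids the Dockerfile on this page bakes into the image.
CONTAINER_UID=${CONTAINER_UID:-1000}
CONTAINER_GID=${CONTAINER_GID:-1000}

# Print every path under $1 whose owner is not uid $2 or whose group is not gid $3.
# GNU and BSD find both accept a numeric id for -user/-group when no such name exists.
list_foreign_files() {
    dir=$1; uid=$2; gid=$3
    find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) 2>/dev/null
}

# Exit 0 when every path under $1 is owned by uid $2 and gid $3.
tree_owned_by() {
    [ -z "$(list_foreign_files "$1" "$2" "$3")" ]
}

# Exit 0 when the pair $1:$2 is the pair the container process will use.
matches_container_user() {
    [ "$1" -eq "$CONTAINER_UID" ] && [ "$2" -eq "$CONTAINER_GID" ]
}

# Check the calling user's ids, then each directory given as an argument.
main() {
    uid=$(id -u); gid=$(id -g)
    if matches_container_user "$uid" "$gid"; then
        echo "host user $uid:$gid matches the container user $CONTAINER_UID:$CONTAINER_GID"
    else
        echo "host user $uid:$gid differs from the container user $CONTAINER_UID:$CONTAINER_GID"
        echo "  -> put your ids in the Dockerfile, or try: docker run --user $uid:$gid ..."
    fi
    status=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "skipping $dir (not a directory)"
            continue
        fi
        if tree_owned_by "$dir" "$CONTAINER_UID" "$CONTAINER_GID"; then
            echo "$dir: every path is owned by $CONTAINER_UID:$CONTAINER_GID"
        else
            echo "$dir: paths the container user $CONTAINER_UID:$CONTAINER_GID will not own:"
            list_foreign_files "$dir" "$CONTAINER_UID" "$CONTAINER_GID"
            status=1
        fi
    done
    return "$status"
}

# Only run the report when directories were passed on the command line.
if [ $# -gt 0 ]; then main "$@"; fi
```

An empty list for a directory means ownership is not the reason for a Permission denied error there; a non-empty list names the files to chown (as the host user, or inside the user namespace for rootless setups) before starting the container.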
Similar problem for me, but with a mounted data volume. Something isn't right with user management in the Dockerfile. Running as root works.
Hey, can you run the id command? If it's different from 1000 you will have to replace it with your actual uid/gid.
With rootless containers the uid/gid of processes inside the container are mapped to another uid/gid in the user namespace. Skipping the details, you can use the following command to allow the microblogpub processes inside the container to write to the static folder in the mounted volume:
$ docker unshare chown -R 1000:1000 $PWD/app/static
This article is based around podman and not docker, but it does describe how all this works.
Hope that helps someone.
Apologies everyone. It seems that the above will not work for you in Docker; it is a podman-specific way of running commands in the user namespace. For Docker it seems to depend on how you have things set up: https://docs.docker.com/engine/security/rootless/
I am running microblogpub in a container using rootless podman and no modifications to the source code. I will be writing that up soon and will put a link here for anyone interested.
Ah this makes sense, thank you!
Hi,
Trying to configure microblog.pub as root and encountered this issue.
To my knowledge of containerized applications, running applications as root in a container does not impact security (at least not that much). It's also a common practice, though.
So I'm commenting out the Dockerfile lines to make it work. Please let me know if there are any points that I've missed.