SSH docker container issue after running Apache on Alpine - apache

I have an issue in my SSH session with a docker container.
Actually can't execute any command because of a running process that never gives me hand on the terminal, see output:
[Thu Apr 02 19:39:46.056749 2020] [mpm_prefork:notice] [pid 7] AH00163: Apache/2.4.43 (Unix) PHP/7.3.16 configured -- resuming normal operations
[Thu Apr 02 19:39:46.057465 2020] [core:notice] [pid 7] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
Dockerfile install Apache on Alpine and ends:
ENTRYPOINT [ "/opt/entrypoint.sh" ]
entrypoint.sh:
/usr/sbin/httpd -D FOREGROUND
Any hint how I can get my SSH session working and gives me hand to execute other commands? Thank you.

The container paradigm does not promote usage of things like ssh servers. The core concept is that you are only hosting a single isolated process inside the container, in your case 'httpd'.
in other words, there is no ssh server running inside the apache container, it is only hosting the web server process.
You can use a command like docker exec <container_name> <command>, to execute another process in the same container. For example:
docker exec myhttpd ls -la
Which will list the content of the configured working directory in the container.
docker exec will connect the stdout and stderr in your current terminal session to the stdout and stderr of the container, and execute your command in the environment of the container.
This is a good solution for trouble shooting and trying things out. But look for alternatives if you are seeking to permanently change the environment of your contained application. Such as using the Dockerfile.
If you supply some more information about your usecase, I will be happy to make a suggestion.

Actually moving command from my dockerfile to the procfile provided by my hosting provider solved the issue.
Dockerfile after this change:
FROM alpine
# install apache
# other installation requirements
EXPOSE 80
# commented the line below
# ENTRYPOINT ["/opt/entrypoint.sh"]
And moved the last instruction to Procfile. After this change the process will be a service published from my container and not an entrypoint that will be executed each time the image built or restarted.

Related

How to get a more detailed log from nextcloud docker container

I followed the guide on https://blog.ssdnodes.com/blog/installing-nextcloud-docker/ and got the docker containers running.
I changed the port mappings of nextcloud-proxy to 7443:443, 780:80, since my server already has an apache running.
When I open the page foo.bar.com:7443, it shows me a server error 500 page by nginx.
docker logs --details nextcloud-proxy only shows me, that the error-500-page was successfully delivered.
docker logs --details nextcloud-app does not show any errors regarding the request. It only shows some messages during startup:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.5. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.5. Set the 'ServerName' directive globally to suppress this message
[Mon Mar 04 19:23:01.413561 2019] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.15 configured -- resuming normal operations
[Mon Mar 04 19:23:01.413653 2019] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
It is pretty clear, that there is an error with apache or php (both should be logged by nextcloud-app). But I need to see the error log entries. How do I do this?
Logs are redirected to nextcloud's data folder.
From your nextcloud's root, try with:
$ tail nextcloud/data/nextcloud.log
(or the folder you set for data storage).
It's even better if you run the nextcloud with this switch to mount it to a folder on your host, edit config/config.php to have finer-grained logs through setting loglevel, the run tail -f data/nextcloud.logs
docker run -v ~/Projects/nextcloud:/var/www/html -d -p 8080:80 nextcloud
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
...
...
...
'loglevel' => 0,
);
Restart the docker image by running docker restart YOUR_INSTNANCE_ID
Then docker exec -it YOUR_INSTNANCE_ID bash -c "tail -f /var/www/html/data/nextcloud.log"
In my case, it helped to configure Nextcloud to use stdout instead of a dedicated logfile for its logging output.
This allows you to see all the logs instead of just the php fpm output in the if you execute docker logs <yourcontainerid> or view it in Portainer or some other management software.
Just add the following to your config.php
"logfile" => "/dev/stdout",

Docker container fails to start

I have this container: 5.6.21-apache from https://hub.docker.com/_/php/
I have installed all I need and my application but I made a mistake doing something wrong with Apache configs.
When I try start my container I get this message:
docker start -ai my-container
[Mon May 02 19:46:33.358838 2016] [core:warn] [pid 1] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
[Mon May 02 19:46:33.365305 2016] [core:warn] [pid 1] AH00111: Config variable ${APACHE_LOG_DIR} is not defined
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
(2)No such file or directory: AH02291: Cannot access directory '/etc/apache2/${APACHE_LOG_DIR}/' for main error log
AH00014: Configuration check failed
How can I solve this? I want drop this configs. I can't just lose this container.
Since you haven't given enough information to go on, I'm just going to guess. Feel free to add more info to your questions so that it will be easier to help you.
If you search your apache config file and look for APACHE_LOG_DIR, it will probably point to your issue.
This line in the logs is interesting:
Cannot access directory '/etc/apache2/${APACHE_LOG_DIR}/'
Not sure why you would have a log directory under /etc/apache2, but look in that directory to see what you have in there, and set APACHE_LOG_DIR accordingly.
Another thing you can try is to do the following
docker commit (container name or Id) myimage
docker run -it myimage /bin/bash
Then commit changes again to create the fixed image and try to start it up like normal.
docker commit (container Id or name) myimage2
docker run -d -p 80:80 myimage2
Basically save the current container state as an image so you can start it up in a shell and fix the issues. Then once you have fixed the issues you can create a new image and use that to run your container.
I usually avoid this pain by not making changes directly in the containers, I only make changes in my dockerfiles and then when I need to make, I change the dockerfile. If there is an issue, I just need to fix the dockerfile, and the containers don't get in this bad state.
In my case after rebooting computer (or sleeping/restarting system) I have a problem with starting a container.
Before run start I use docker exec command.
Example:
docker exec -ti CONTAINER_NAME /bin/bash
(Have a message that container is not running and then)
docker start CONTAINER_NAME

boot2docker windows 10, unable to access container via browser

I am trying to use docker on Windows 10 via boot2docker and VB.
boot2docker ssh
boot2docker ip => 192.168.59.103
docker run -tip 80:80 tutum/apache-php bash
ping 192.168.59.103 from host machine
It is sounds working pretty good exepts :
via the browser, when I go to http://192.168.59.103 the page is not found
Do you have some idea about my issue ?
Thanks.
Edit : my logs
docker#boot2docker:~$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ecb75ba8f5f9 tutum/apache-php "/run.sh" 20 minutes ago Up 20 minutes 0.0.0.0:80->80/tcp ecstatic_galileo
docker#boot2docker:~$ docker logs ec
==> /var/log/apache2/access.log <==
==> /var/log/apache2/error.log <==
==> /var/log/apache2/other_vhosts_access.log <==
==> /var/log/apache2/error.log <==
[Mon Aug 17 10:18:25.361931 2015] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Mon Aug 17 10:18:25.363857 2015] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
docker#boot2docker:~$
You've told the container to run a bash shell, not a web server.
Try changing the run command to:
docker run -d -p 80:80 tutum/apache-php
Then accessing the URL. The should run the default command for the container, which will presumably start apache. In your case you overrode the default command to be "bash", which won't start apache.

(13)Permission denied: access to /~me denied

I am trying to configure Apache httpd.conf (on my CentOS 6.4) to allow access to my user directory (i.e. ~me/public_html/index.html).
I changed the original httpd.conf (i.e. out-of-the-box) as follows:
[root#myhost www]# diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig.out-of-the-box
366c366
< #UserDir disabled
---
> UserDir disabled
373c373
< UserDir public_html
---
> #UserDir public_html
This should in principle provide access to http://myhost/~me but instead, I am getting the dreaded error:
You don't have permission to access /~me on this server.
I checked the file /var/log/httpd/error_log and, sure enough, it reads:
(13)Permission denied: access to /~me denied
The first weird thing I noticed is that a / is prepended to ~me.
Where does that leading / come from?
Is it only a "red herring"?
Or is this pointing to the root cause of the problem (i.e. something else I need to modify in httpd.conf)?
Most importantly, since I know that my ~me/public_html is has world-readable permissions, how do I troubleshoot a problem like this?
Is there a way to find out why "access to /~me denied"?
SELinux?
httpd.conf?
directory permissions?
all of the above?
Update 1, answering the 2 questions in the comments by #UlrichSchwarz below:
The home directory does seem to have the 'x' permission:
[root#myhost ~]# ls -lad /home/me
drwxr-xr-x. 33 me me 4096 Feb 8 16:30 /home/me
SELinux info on public_html:
[root#myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:file_t:s0 /home/me/public_html/
Update 2, after I verified that this is indeed an SELinux issue (thanks to the tip by #Scolytus):
I ran the command:
chcon -R -t httpd_user_content_t /home/me/public_html/
Still no go.
[root#myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:httpd_user_content_t:s0 /home/me/public_html/
Then I ran "Allow HTTPD to read home directories" from the command line:
setsebool -P httpd_enable_homedirs=1
Still no go.
/var/log/httpd/error_log now shows (in addition to the (13)permission denied error) the following:
[notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.2.15 (Unix) DAV/2 configured -- resuming normal operations
Perhaps the problem lies in the discrepancy between context_system_u and httpd_user_content_t?
What else do I need to do? (without disabling SELinux completely, that is)
Update 3, thanks to information in #lserni's answer, I discovered the ausearch command:
ausearch -m avc --start today
Which provided the following output:
time->Fri Jul 4 09:16:44 2014
type=SYSCALL msg=audit(1404479804.256:1312): arch=40000003 syscall=196 success=no exit=-13 a0=12c2c80 a1=bfeb1d00 a2=a34ff4 a3=2008171 items=0 ppid=5880 pid=5886 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=193 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Huh? Why /home/me and not /home/me/public_html?
Here is the output of ls -Zd /home/me/:
drwxr-xr-x. me me system_u:object_r:file_t:s0 /home/me/
Should I run the chcon -t httpd_user_content_t on /home/me, too?
Continuing to research...
Update 4: Success!
I ran the command:
chcon -t httpd_user_content_t /home/me/
And all is well now.
[root#myhost sa]# ls -Z -d /home/me/
drwxr-xr-x. me me system_u:object_r:httpd_user_content_t:s0 /home/me/
I've seen a slightly different version of the command you gave, supplied by sealert:
SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different
program. If you would like to share /var/www/html/file1 from httpd
also, you need to change its file context to public_content_t. If
you did not intend to this access, this could signal a intrusion
attempt.
Allowing Access:
You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'
Fix Command:
chcon -t public_content_t '/var/www/html/file1'
how do I troubleshoot a problem like this?
Most SELinux-related information is generally in the auditd logs, but you probably want some tool such as sealert to decode it for you. I've done a brief search and came up with this tool that I didn't know of, but seems interesting: SELinux GUI.
Addendum: Some examples with semanage
I can't check immediately, but I recall that commenting out the UserDir disabled isn't the same as enabling!
More specifically, I think you need to include a line in your https.conf file
Userdir enabled me

Can't connect to Apache server on RHEL6

The issue
Now, I am a complete n00b on Apache, and I could certainly use some help with my current issue. I have installed the httpd rpm's on 3 different systems (all Advantech computers, 1 Box PC, 1 Advanced TCA blade, 1 Compact PCI blade, and all have RHEL6 installed). I have configured Apache with files used earlier, on other installations. When I issue the command
# service httpd restart
All goes well and I get this output:
Stopping httpd: [ OK ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for <PC_Name>
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
Now, when I try to connect to the machine via Apache, I get the log-in screen asking for the username and password, as you would expect. However, it fails to log-in. When I look at the error_log in /var/log/httpd/, it shows this error message:
[Thu Sep 15 14:24:40 2011] [error] [client 192.168.10.175] (13)Permission denied: Could not open password file: /etc/shadow
[Thu Sep 15 14:24:40 2011] [error] [client 192.168.10.175] PAM: user 'root' - not authenticated: System error
It seems to me that this is either a configuration error, or it has something to do with permissions. Yet I can't seem to find out which. Another interesting fact is, that this only applies to the last two installations(Advanced TCA & Compact PCI), and not the first (Box PC), while all 3 installations are exactly the same.
Additional Info
The way I installed it was install httpd from yum,
# yum install httpd
Next install mod_auth_pam, which is needed by the configuration,
# yum install mod_auth_pam
Then I configured Apache with the files I got from previous installations (which basically is just replacing the configuration files from the standard Apache install), and after that I restarted the Apache service.
For this error "apr_sockaddr_info_get() failed"
You need to properly set your hostname.
hostname actual-non-expired-domain-name.com
Don't forget to set the name in your httpd.conf and in /etc/hosts as well.
I have been able to solve this by setting SELinux to allow Apache requests. This is done by issuing the following command:
semanage permissive -a http_t
Semanage is a utility from the policycoreutils-python package. This should come with the installation medium.