I am facing issues while trying to run Mule 3.5.3 as a non-root user in a Docker container. It works fine when the root user is used.
The Mule startup process creates a file tx1.log during startup. This file does not have any permissions, and later during the startup it tries to read this file, which leads to (java.io.FileNotFoundException - Permission denied).
The file location is /.mule/.agent/queue-tx-log/tx1.log.
I also tried with umask 777 added to /mule and /launcher scripts, but it did not help.
Are there do's and don'ts for running Mule as non-root?
Any help/pointers are appreciated.
Note: chown and chmod have been used wherever I felt necessary.
Mule runs perfectly well as non root and that is the recommendation because of security best practices. The only issue I have seen is if it is started as root first, it creates files with root ownership, then a non privileged user is not able to use those files.
From the comments I can see that the problem seems to be on the operating system or docker/kubernetes. Mule just doesn't do weird things with permissions.
Aside from that, note that Mule 3.5.x will reach its end of life on July 15, 2019. I recommend migrating to a newer version.
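Added example, not part of the original posts or of Mule: a preflight check for the two conditions raised in this thread, files left behind by an earlier root start and files created without permission bits. It also shows what a given umask does to newly created files (umask 777 clears every permission bit). The function names are hypothetical and the paths are supplied by the caller.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from Mule or Docker.

# Report whether a file created under umask $1 keeps owner read+write.
# Prints "usable" or "unusable".
file_created_under_umask() {
    dir=$(mktemp -d) || return 1
    # Subshell so the caller's own umask is left untouched.
    ( umask "$1"; : > "$dir/probe" )
    if [ -n "$(find "$dir/probe" -perm -600)" ]; then
        echo usable
    else
        echo unusable
    fi
    chmod 600 "$dir/probe"
    rm -rf "$dir"
}

# List entries under directory $1 that the runtime uid $2 cannot use:
# owned by a different uid (for example created by an earlier start as root),
# regular files without owner read+write, or directories without owner rwx.
find_unusable() {
    find "$1" \( ! -user "$2" \
        -o \( -type f ! -perm -600 \) \
        -o \( -type d ! -perm -700 \) \) -print
}

# Demonstration of the umask effect on new files.
for m in 777 027; do
    echo "umask $m -> $(file_created_under_umask "$m")"
done
```

Run `find_unusable <mule home> <uid>` inside the image as the last build step or at container start; any output means the non-root user will hit a permission error on that path.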
Steps to reproduce are very easy.
Create a Dockerfile.
My Dockerfile has many more lines, but I have trimmed them so we can focus on the source of the problem.
That said, these two lines alone (without anything more) show the problem.
FROM microsoft/iis
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; $VerbosePreference = 'Continue'; "]
Run docker build . and you get hcsshim::PrepareLayer - failed failed in Win32: Función incorrecta. (0x1).
Windows 10 Pro 1909 (but it happened too in 1903)
Docker version: 2.1.0.5
Engine: 19.03.5
Machine: 0.16.2
I have found the solution to the problem.
Reading through the whole https://github.com/docker/for-win/issues/3884 bug, some have found a simple solution: rename C:\windows\system32\driver\cbfsconnect2017.sys so it isn't loaded on the next boot.
Disabling that driver enables me to do a docker build for the first time in windows containers in almost a year.
In my case Box Sync was the one using that driver.
EDIT: #GustavoTM has found that pCloud raises the same problem.
EDIT2: #VonC has noticed that some people in the GitHub issue have solved it by deleting this other file: C:\Windows\System32\drivers\cbfs6.sys. I haven't tried that, but I put it here in case it helps others.
The good thing is that I don't need to uninstall Box, but only rename that file.
This is still an issue (still open) with Win10.
Looks like uninstalling cloud storage providers with file system filters like Dropbox, Box, etc. as a workaround is an option for some users.
Deinstall cloud storage providers or virus scanners; if you identify which one is not working please share in https://github.com/docker/for-win/issues/3884
In my case the problem was similar, but the file cbfs6.sys was located in the leftovers of the uninstalled application Jungle Disk, somewhere in the folder c:\Program files\Jungle disk .... It's part of Callback File System, signed by EldoS Corporation.
The folder could only be renamed, not deleted directly. So I could delete it immediately after the PC restart, before running Docker. So it could be deleted during the Docker service restart too.
I am using Hadoop 3.2.0 and trying to run a simple application in a docker container and I have made the required configuration changes both in yarn-site.xml and container-executor.cfg to choose LinuxContainerExecutor and docker runtime.
I use the distributed shell example from one of the Hortonworks blog posts. https://hortonworks.com/blog/trying-containerized-applications-apache-hadoop-yarn-3-1/
The problem I face here is that when the application is submitted to YARN, it fails for a reason related to a directory creation issue, with the error below:
2019-02-14 20:51:16,450 INFO distributedshell.Client: Got application
report from ASM for, appId=2, clientToAMToken=null,
appDiagnostics=Application application_1550156488785_0002 failed 2
times due to AM Container for appattempt_1550156488785_0002_000002
exited with exitCode: -1000 Failing this attempt.Diagnostics:
[2019-02-14 20:51:16.282]Application application_1550156488785_0002
initialization failed (exitCode=20) with output: main : command
provided 0 main : user is myuser main : requested yarn user is
myuser Failed to create directory
/data/yarn/local/nmPrivate/container_1550156488785_0002_02_000001.tokens/usercache/myuser
- Not a directory
I have configured yarn.nodemanager.local-dirs in yarn-site.xml and I can see the same reflected in YARN web ui localhost:8088/conf
<property>
<name>yarn.nodemanager.local-dirs</name>
<value>/data/yarn/local</value>
<final>false</final>
<source>yarn-site.xml</source>
</property>
I do not understand why is it trying to create usercache dir inside the nmPrivate directory.
Note : I have verified the permissions for myuser to the directories and also have tried clearing the directories manually as suggested in a related post. But no fruit. I do not see any additional information about container launch failure in any other logs.
How do I debug why the usercache dir is not resolved properly??
Really appreciate any help on this.
Realized that this is all because of the users the services were started with and the permissions to the directories the services work on.
After making sure the required changes are done, I am able to seamlessly run the examples and other applications..
Thanks Hadoop user community for the direction. Adding the link here for more details.
http://mail-archives.apache.org/mod_mbox/hadoop-user/201902.mbox/browser
In the Docker best practices guide it states:
You are strongly encouraged to use VOLUME for any mutable and/or user-serviceable parts of your image.
And by looking at the source code for e.g. the cpuguy83/nagios image this can clearly be seen done, as everything from nagios to apache config directories are made available as volumes.
However, looking at the same image the apache service (and cgi-scripts for nagios) are run as the nagios user by default. So now I'm in a pickle, as I can't seem to figure how to add my own config files in order to e.g. define more hosts for nagios monitoring. I've tried:
FROM cpuguy83/nagios
ADD my_custom_config.cfg /opt/nagios/etc/conf.d/
RUN chown nagios: /opt/nagios/etc/conf.d/my_custom_config.cfg
CMD ["/opt/local/bin/start_nagios"]
I build as normal, and try to run it with docker run -d -p 8000:80 <image_hash>, however I get the following error:
Error: Cannot open config file '/opt/nagios/etc/conf.d/my_custom_config.cfg' for reading: Permission denied
And sure enough, the permissions in the folder look like this (whilst the apache process runs as nagios):
# ls -l /opt/nagios/etc/conf.d/
-rw-rw---- 1 root root 861 Jan 5 13:43 my_custom_config.cfg
Now, this has been answered before (why doesn't chown work in Dockerfile), but no proper solution other than "change the original Dockerfile" has been proposed.
To be honest, I think there's some core concept here I haven't grasped (as I can't see the point of declaring config directories as VOLUME nor running services as anything other than root) - so provided a Dockerfile as above (which follows Docker best practices by adding multiple volumes) is the solution/problem:
To change NAGIOS_USER/APACHE_RUN_USER to 'root' and run everything as root?
To remove the VOLUME declarations in the Dockerfile for nagios?
Other approaches?
How would you extend the nagios dockerfile above with your own config file?
Since you are adding your own my_custom_config.cfg file directly into the container at build time, just change the permissions of the my_custom_config.cfg file on your host machine and then build your image using docker build. The host machine permissions are copied into the container image.
I've installed Trac .10.5, configured the trac.htpasswd file, and am able to log in and view/create tickets.
The problem is that I am currently unable to administer ticket components such as the versions that appear in the drop list on New Ticket.
From command line, I issued the following command:
trac-admin /foo/bar/trac/ permission add myusername TRAC_ADMIN
User "myusername" is listed in /foo/bar/trac/conf/trac.htpasswd, and I am able to successfully log in with that account.
Is there another step I'm missing in order to get access to a system configuration area? (for instance, setting up version numbers)
EDIT:
I discovered that version .10.* and below do not have web admin capabilities installed by default. http://trac.edgewall.org/wiki/WebAdmin
I downloaded the plugin source:
svn export http://svn.edgewall.com/repos/trac/plugins/0.10/webadmin/
Then ran setup.py, which generated a dist/TracWebAdmin-0.1.2dev-py2.6.egg file.
I then issued
easy_install TracWebAdmin-0.1.2dev-py2.6.egg.
Here's the output:
Processing TracWebAdmin-0.1.2dev-py2.6.egg
removing '/usr/lib/python2.6/site-packages/TracWebAdmin-0.1.2dev-py2.6.egg' (and everything under it)
creating /usr/lib/python2.6/site-packages/TracWebAdmin-0.1.2dev-py2.6.egg
Extracting TracWebAdmin-0.1.2dev-py2.6.egg to /usr/lib/python2.6/site-packages
TracWebAdmin 0.1.2dev is already the active version in easy-install.pth
Installed /usr/lib/python2.6/site-packages/TracWebAdmin-0.1.2dev-py2.6.egg
Processing dependencies for TracWebAdmin==0.1.2dev
Finished processing dependencies for TracWebAdmin==0.1.2dev
My trac/conf/trac.ini file has this section:
[components]
webadmin.* = enabled
I restarted the httpd server (trac uses Apache), and still have no Admin button.
Help greatly appreciated.
You're a bit too hastily seeking advice. Quoting my recent replies to trac-users mailing-list here:
This is most probably a permission issue and will continue with any more
recent Trac environment. Do something like
trac-admin permission add TRAC_ADMIN
to grant full permission to an admin user account, that is usable for
administration tasks. As known elsewhere, you should create a less
privileged account for your regular work to just use Trac.
But please note: Because you've got Python2.6, go for Trac-1.0, don't dare to use anything before this current stable version for a new project, really. Trac-0.10 has been abandoned long ago and 0.11 is unchanged since 2010 too.
You'll have no luck on almost any issue you may encounter, and you miss
a truck-load of great features that have been introduced. Trac 0.11 had
major API changes in many respects, 0.12 went for full i18n support, if
you care for that, and 1.0 is just on the edge, supporting the new db
access API as well as retaining compatibility code for not-yet-updated
plugins (quite a lot to be honest).
I had a similar issue with 0.11.x (minus the plug-in installation), and it turned out that the user account I was logging into via the shell was not the user account that owned the installation. This meant that the changes I was making did not have the right permissions - it is a requirement that all trac-admin changes are made by the installation owner.
Let's say the user that installed Trac was "jim", and I'd logged in as "bob" to use trac-admin in interactive mode. Reapplying a pre-existing permission to a will cause Python to throw an error and kick you off trac-admin. You have to remove the permission first, then reapply it as the other shell user.
The solution was to:
log back in as "bob" via the shell (e.g. "ssh -l bob trac.url.com")
trac-admin path/to/my/project
permission remove TRAC_ADMIN
exit (trac-admin)
exit (ssh)
log in as "jim" via the shell (e.g. "ssh -l jim trac.url.com")
trac-admin path/to/my/project
permission add TRAC_ADMIN
exit (trac-admin)
exit (ssh)
Now when you log into Trac as via a web browser, hopefully you should see the Admin button top right.
I have a build step that is part of my deployment configuration. My coworker told me it had worked once in a blue moon.
I kept on getting this error consistently when I ran this build step:
Deleting dirPath (qa.comedy.net\aspnet_client\system_web\4_0_30319). [15:22:22]:
[VSMSDeploy] C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v10.\We
\Microsoft.Web.Publishing.targets(3588, 5): Web deployment task failed.((3/28/2012 3:22:22 PM) An error occurred when the request was processed on the remote computer.)
Attempt to perform an unauthorized operation on file '4_0_30319'.
It seems that it is trying to delete the folder
aspnet_client\system_web\4_0_30319 , but has no permission to.
We run this build on a virtual machine.
Any suggestions on how to resolve this?
All help is greatly appreciated.
Thanks
I had this issue deploying a site with msdeploy and TeamCity. I resolved it by deleting these folders from my website: aspnet_client\system_web\4_0_30319
Yes, you can delete this folder and the next deploy will work, but the next Windows update that runs the ASP.NET registration tool as part of its install will add this folder back to all ASP.NET sites on IIS (with the incorrect permissions), so your deployment will fail again. You can avoid this by:
Giving the deploy user elevated privileges (not a great solution for obvious reasons)
Add the folder structure to your SC so it gets deployed instead of the deployment trying to delete it (not ideal, but easiest)
Stop automatic Windows updates (not sensible)
You might be able to do something like this http://blog.richardszalay.com/2012/12/18/demystifying-msdeploy-skip-rules/ to ignore the folder in deployment (I've not tried this)
As MemeDeveloper mentions in their answer, one way to fix this is to simply ignore that directory. Indeed, this is the easiest fix and doesn't require adding anything to your source control repository or build output. Just add the following to your msdeploy.exe command:
-skip:Directory="aspnet_client"
I wasn’t using TeamCity but I think I also had this issue. I was trying to deploy to Discount ASP.NET using VS2010 WebDeploy. After reading what doglin and Dan posted, I found I could workaround this problem by checking the “Leave extra files on destination (do not delete)” box. That may not be an option for everyone but it worked for me.
I faced the same problem during WebDeploy in TeamCity. I ended up elevating privileges for the WebDeploy account under which I do the WebDeploy task, so the account has enough power to delete those folders (local admin role).