bunkerweb
**Rootless** docker or podman machine id issue on RPi4 (arm64) [BUG]
Description

Hi,

Following the docker integration docs I am trying to run with rootless docker/podman on Ubuntu server on RPi4 (arm64). I get the error in the logs below for both rootless docker and podman.
Please note:

- Here it is mentioned that this runs as UID/GID 101. But I seem to already have a user and group using ID 101:

```
systemd-timesync:x:100:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
```
- I have tried the following permissions for the local `www` and `certs` dirs:
  - `chown root:101 www certs`
  - `chown abc:101 www certs`
  - `chown abc:abc www certs`

  where `abc` is the user running rootless docker or podman. The rights are set to 750 for `www` and 770 for `certs`, as in the linked docs.
- Removing the `certs` volume map produces the same error for the `www` volume. Removing both seems to run the container fine, as I can reach it over http (resulting in the expected 403 error).
How to reproduce

```shell
docker run -d --rm -p 80:8080 -p 443:8443 -v "${PWD}/www:/www:ro" -v "${PWD}/certs:/etc/letsencrypt" --name bnginx bunkerity/bunkerized-nginx
```

Just trying to run without a domain or automatic letsencrypt for now.
Logs

```
[2021-11-10 17:41:40] entrypoint - INFO - starting bunkerized-nginx ...
[2021-11-10 17:41:40] entrypoint - INFO - configuring bunkerized-nginx ...
[!] ERROR - wrong permissions on /etc/letsencrypt
```
Is there an issue with running this container with rootless docker/podman or are there any further settings that need to be configured?
Update: After a lot of experimentation, it turns out that the problem was not really a bug, but how the UID mapping works in rootless mode, including a slight difference in docker and podman rootless mode, with consequences for the chown commands for the files/dirs. So that was not a bug, just something not yet in the documentation.
However, now that I understand how the UID mappings work, I get the following error from the logs (for rootless podman) when I try on RPi4 (arm64) using dir mapping:
```
nginx: [error] [REMOTE API] USE_REMOTE_API is set to yes but machine ID is not generated - communication with https://api.bunkerity.com/bunkerized won't work
```

I have checked that the machine-id is properly configured at `/etc/machine-id`.
Docker throws another error:

```
docker: Error response from daemon: failed to create endpoint serene_johnson on network bridge: failed to add the host (veth29559d7) <=> sandbox (veth9311141) pair interfaces: operation not supported.
```
Importantly, this does not happen if:

- I just use a volume instead of a dir map, when it somehow seems to find the machine-id (but I much prefer working with local dirs).
- I use an Intel machine, where I now seem to be able to run this in rootless podman without a problem.
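The UID-mapping point in the update above is the one that bites on the `chown` step, so here is an added example of the arithmetic (this is illustration, not bunkerweb's own code or anything from the docs). Under the default rootless user namespace used by rootless Docker and Podman, container ID 0 is the rootless user's own UID/GID and container IDs 1..N are taken in order from that user's `/etc/subuid` and `/etc/subgid` ranges, so a directory that must be owned by 101:101 inside the container has to be chowned to the mapped host IDs, not to 101 on the host. The subuid/subgid lines, the user `abc` and its UID/GID 1000 are constructed for the example:

```shell
#!/bin/sh
# Added example (not bunkerweb's own code): compute the host UID/GID that a
# container UID/GID lands on under the default rootless mapping
# (0 -> the rootless user's own ID, 1..N -> the user's subordinate range).
# The subuid/subgid lines and the owner IDs below are constructed sample data.
SAMPLE_SUBUID="abc:100000:65536"
SAMPLE_SUBGID="abc:100000:65536"
SAMPLE_OWNER_UID=1000
SAMPLE_OWNER_GID=1000

# host_id_for_container_id SUB_LINE OWNER_ID CONTAINER_ID
# SUB_LINE is one "user:start:count" line from /etc/subuid or /etc/subgid.
# Prints the host ID that CONTAINER_ID maps to; returns 1 if the container ID
# lies outside the mapped range (files owned by an unmapped ID show up as the
# overflow ID 65534/"nobody" inside the container).
host_id_for_container_id() {
    sub_line=$1; owner_id=$2; cid=$3
    if [ "$cid" -eq 0 ]; then
        echo "$owner_id"
        return 0
    fi
    start=$(printf '%s\n' "$sub_line" | cut -d: -f2)
    count=$(printf '%s\n' "$sub_line" | cut -d: -f3)
    if [ "$cid" -gt "$count" ]; then
        printf 'container id %s is outside the %s-entry range\n' "$cid" "$count" >&2
        return 1
    fi
    # container ID 1 is the first entry of the range, hence the "- 1"
    echo $((start + cid - 1))
}

# host_owner_for_container_owner CUID CGID [SUBUID_LINE SUBGID_LINE OWNER_UID OWNER_GID]
# Prints "uid:gid" in the form chown(1) expects on the host. Without the
# optional arguments it reads the caller's real /etc/subuid, /etc/subgid
# entries and `id`.
host_owner_for_container_owner() {
    cuid=$1; cgid=$2
    subuid_line=${3:-$(grep "^$(id -un):" /etc/subuid)}
    subgid_line=${4:-$(grep "^$(id -un):" /etc/subgid)}
    owner_uid=${5:-$(id -u)}
    owner_gid=${6:-$(id -g)}
    huid=$(host_id_for_container_id "$subuid_line" "$owner_uid" "$cuid") || return 1
    hgid=$(host_id_for_container_id "$subgid_line" "$owner_gid" "$cgid") || return 1
    echo "$huid:$hgid"
}

# Usage with the constructed data: the owner to give ./www and ./certs on the
# host so that they appear as 101:101 inside the container, i.e. on a real host
#   sudo chown -R "$(host_owner_for_container_owner 101 101)" www certs
#   chmod 750 www && chmod 770 certs
host_owner_for_container_owner 101 101 \
    "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" "$SAMPLE_OWNER_UID" "$SAMPLE_OWNER_GID"
```

With the sample range starting at 100000, container 101:101 becomes host 100100:100100, which is why a plain `chown abc:101` or `chown root:101` on the host never satisfies the entrypoint's permission check. With Podman the same result can be had without the arithmetic by running the chown inside the user namespace, `podman unshare chown -R 101:101 www certs`, since `podman unshare` executes a command under the rootless mapping.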
Hello @sensharma,
Thanks for sharing your experimentation. I think that we need to document the docker and podman rootless case.
> Update: After a lot of experimentation, it turns out that the problem was not really a bug, but how the UID mapping works in rootless mode, including a slight difference in docker and podman rootless mode, with consequences for the chown commands for the files/dirs. So that was not a bug, just something not yet in the documentation.
Would you please mind to share how you end up setting up Bunkerweb in rootless Podman?
Hello @sensharma and @alexanderadam,
We now have some tips about rootless Docker and podman. More info here : https://docs.bunkerweb.io/1.4/integrations/
Thank you. I'm going to experiment with this in a few weeks. Will get back to you in case of any issues.