docker-duplicacy
user: 1000:1000 doesn't work
Perhaps not related to this project at all, more like a docker/linux issue in general, but I'm unable to create any files when using the cap_drop: ALL feature.
Is the intent that all config files should be already created before adding the cap_drop switch?
duplicacy:
  image: "erichough/duplicacy:1.1.0"
  container_name: duplicacy
  env_file:
    - secrets/file-permissions.env # PGID = 1000; PUID = 1000
  cap_drop:
    - ALL
  ports:
    - 3875:3875
  restart: always
  volumes:
    - "/etc/localtime:/etc/localtime:ro"
    - "/etc/timezone:/etc/timezone:ro"
    - "/mnt/Software/Linux/duplicacy/duplicacy-config:/etc/duplicacy"
  command: "touch /etc/duplicacy/123"
lilja@devnode:~/homelab$ docker-compose up duplicacy
Recreating duplicacy ...
Recreating duplicacy ... done
Attaching to duplicacy
duplicacy | touch: /etc/duplicacy/123: Permission denied
And removing the cap_drop with the touch, it works:
lilja@devnode:~/homelab$ docker-compose up duplicacy
Recreating duplicacy ...
Recreating duplicacy ... done
Attaching to duplicacy
duplicacy exited with code 0
Running ls -l /etc/duplicacy with cap_drop.
lilja@devnode:~/homelab$ docker-compose up duplicacy
Removing duplicacy
Recreating f5bea9e64d8e_duplicacy ...
Recreating f5bea9e64d8e_duplicacy ... done
Attaching to duplicacy
duplicacy | total 4
duplicacy | drwxr-xr-x 2 1000 1000 0 Jan 19 16:13 .
duplicacy | drwxr-xr-x 1 root root 4096 Jan 22 20:03 ..
duplicacy exited with code 0
The PGID and PUID environment variables aren't recognized by the image. Instead you should use the user option in your docker-compose.yml file. e.g.
user: '1000:1000'
That should fix it! Without that line, and with cap_drop, the container will run as UID 0 but without any privileges normally granted to root. So your touch command (running as UID 0) can't write to a directory owned by UID 1000. If you remove cap_drop, root is again granted its ability to bypass file/dir ownership.
Please give it a try and let us know.
One more thing. If you run the image from a UID other than 0, you'll also need to bind-mount a machine-id into /var/lib/dbus/machine-id. e.g.
volumes:
  ...
  - /host/path/to-machine-id.txt:/var/lib/dbus/machine-id:ro
You can generate a random, 32-character machine ID with:
cat /dev/urandom | tr -dc 'a-f0-9' | fold -w 32 | head -n 1
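The two pitfalls explained in this reply (capability-less root cannot write into a volume owned by UID 1000; a non-root UID cannot create /var/lib/dbus/machine-id) are easy to catch before `docker-compose up`. The following is an added example, not code from docker-duplicacy: a small static check over a compose service definition. It assumes the service has already been loaded into a dict (in practice `yaml.safe_load(...)["services"]["duplicacy"]`); the three service dicts at the bottom are constructed to mirror the configurations posted in this thread. `generate_machine_id` produces the same 32-hex-character format as the `tr`/`fold` pipeline above.

```python
import re
import secrets

MACHINE_ID_PATH = "/var/lib/dbus/machine-id"
MACHINE_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_user(user):
    """Map a compose `user:` value ('1000:1000', '1000', None) to (uid, gid).
    No `user:` key means the image default, which for this image is root."""
    if user is None:
        return 0, 0
    parts = str(user).split(":")
    uid = int(parts[0]) if parts[0].isdigit() else parts[0]
    gid = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else uid
    return uid, gid


def container_targets(volumes):
    """Container-side paths of a compose `volumes:` list (short or long syntax)."""
    targets = []
    for vol in volumes or []:
        if isinstance(vol, dict):            # long syntax: {type, source, target, ...}
            targets.append(vol.get("target"))
        else:                                # short syntax: "host:container[:opts]"
            fields = str(vol).split(":")
            targets.append(fields[1] if len(fields) > 1 else fields[0])
    return targets


def environment_of(service):
    """Normalise `environment:` (mapping or KEY=value list) to a str->str dict."""
    env = service.get("environment") or {}
    if isinstance(env, list):
        env = dict(item.split("=", 1) if "=" in item else (item, "") for item in env)
    return {str(k): str(v) for k, v in env.items()}


def check_service(service):
    """Return (code, message) findings for one compose service definition."""
    findings = []
    uid, _ = parse_user(service.get("user"))
    drops = {str(c).upper() for c in service.get("cap_drop") or []}
    env = environment_of(service)
    targets = container_targets(service.get("volumes"))

    if "ALL" in drops and uid == 0:
        findings.append(("ROOT_WITHOUT_CAPS",
            "UID 0 with cap_drop ALL loses CAP_DAC_OVERRIDE, so it cannot write "
            "into bind mounts owned by another UID; set user: to that UID"))
    if uid != 0 and MACHINE_ID_PATH not in targets:
        findings.append(("NO_MACHINE_ID_MOUNT",
            f"non-root user but {MACHINE_ID_PATH} is not bind-mounted; "
            "a non-root UID cannot create it at startup"))
        if "MACHINE_ID" in env:
            findings.append(("MACHINE_ID_ENV_UNWRITABLE",
                "MACHINE_ID only makes the entrypoint write that same path, "
                "which fails for the same reason; use the read-only bind mount"))
    if {"PUID", "PGID"} & set(env):
        findings.append(("PUID_PGID_IGNORED",
            "PUID/PGID are not recognised by this image; use user: 'uid:gid'"))
    return findings


def generate_machine_id():
    """32 lowercase hex characters, the same shape the urandom pipeline yields."""
    return secrets.token_hex(16)


def is_valid_machine_id(value):
    return bool(MACHINE_ID_RE.match(value))


# Constructed service definitions mirroring the three configurations in the thread.
SERVICE_FIRST = {  # cap_drop ALL and no user: -> touch fails as capability-less root
    "image": "erichough/duplicacy:1.1.0",
    "env_file": ["secrets/file-permissions.env"],
    "cap_drop": ["ALL"],
    "volumes": ["/mnt/Software/Linux/duplicacy/duplicacy-config:/etc/duplicacy"],
}
SERVICE_ENV = {  # user: set, MACHINE_ID in environment, machine-id mount commented out
    "image": "erichough/duplicacy:1.1.0",
    "cap_drop": ["ALL"],
    "user": "1000:1000",
    "environment": {"MACHINE_ID": "some-random-string"},
    "volumes": ["/etc/localtime:/etc/localtime:ro"],
}
SERVICE_FIXED = {  # user: set and machine-id bind-mounted read-only
    "image": "erichough/duplicacy:1.1.0",
    "cap_drop": ["ALL"],
    "user": "1000:1000",
    "volumes": ["/machine-id.txt:/var/lib/dbus/machine-id:ro"],
}

if __name__ == "__main__":
    for name, svc in [("first", SERVICE_FIRST), ("env", SERVICE_ENV), ("fixed", SERVICE_FIXED)]:
        print(name, check_service(svc) or "OK")
    print("fresh machine-id:", generate_machine_id())
```

The check deliberately does not read `env_file`, so PUID/PGID hidden in a secrets file (as in the first snippet) are only flagged when they appear under `environment:`; the first configuration still trips `ROOT_WITHOUT_CAPS`, which is the finding that explains the `Permission denied` from `touch`.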
Looks to be working great! Thanks for your help 😃
A bit unrelated but is this the correct syntax for getting the machine id as an environmental variable? I think there is a syntax error there?
https://i.imgur.com/nOakClV.png
Looks to be working great!
Fantastic! Glad it's working for you.
A bit unrelated but is this the correct syntax for getting the machine id as an environmental variable? I think there is a syntax error there?
That looks correct to me, unless I'm missing something? environment docs are here. Please let me know if I've got a typo in there that I'm not seeing!
duplicacy:
  image: "erichough/duplicacy:1.1.0"
  container_name: duplicacy
  env_file:
    - secrets/file-permissions.env
  environment:
    MACHINE_ID: some-random-string
  cap_drop:
    - ALL
  user: '1000:1000'
  ports:
    - 3875:3875
  restart: always
  volumes:
    #- "/machine-id.txt:/var/lib/dbus/machine-id:ro"
    - "/etc/localtime:/etc/localtime:ro"
    - "/etc/timezone:/etc/timezone:ro"
lilja@devnode:~/homelab$ docker-compose up duplicacy
Recreating duplicacy ...
Recreating duplicacy ... done
Attaching to duplicacy
duplicacy | /usr/local/bin/entrypoint.sh: line 43: can't create /var/lib/dbus/machine-id: Permission denied
duplicacy | ----> container hostname is e9156662c4d2
duplicacy | ----> using machine-id from MACHINE_ID environment variable: some-random-string
duplicacy exited with code 0
Gotcha. That syntax is correct, but what's happening is that if you use the MACHINE_ID environment variable, the container will write its value to /var/lib/dbus/machine-id. In your case, you're running the container as an unprivileged user (cap_drop=ALL and UID 1000) that doesn't have the proper write permission.
In short, given your specific configuration you'll need to stick with your bind-mount of /var/lib/dbus/machine-id. i.e.
volumes:
  - /machine-id.txt:/var/lib/dbus/machine-id:ro
  ...
Hope that clears it up.
Thanks again, appreciate it!
I spoke too soon, the container actually is not responding to my http calls.
lilja@devnode:~/homelab$ make stop-containers && make build^C
lilja@devnode:~/homelab$ curl http://localhost:3875
curl: (52) Empty reply from server
duplicacy:
  image: "erichough/duplicacy:1.1.0"
  container_name: duplicacy
  env_file:
    - secrets/file-permissions.env
  cap_drop:
    - ALL
  user: '1000:1000'
  ports:
    - 3875:3875
  restart: always
  volumes:
    - "/machine-id.txt:/var/lib/dbus/machine-id:ro"
    - "/etc/localtime:/etc/localtime:ro"
    - "/etc/timezone:/etc/timezone:ro"
    - "~/.ssh/ssh-key.pub:/etc/duplicacy/ssh-key.pub"
    - "~/.ssh/ssh-key:/etc/duplicacy/ssh-key"
    - "/mnt/Software/Linux/duplicacy/duplicacy-config:/etc/duplicacy"
    - "/mnt/Software/Linux/duplicacy/duplicacy-stats:/var/cache/duplicacy"
    - "/duplicacy:/root-external-drive"
  labels:
    - "temp=true"
lilja@devnode:~/homelab$ docker logs duplicacy
----> container hostname is e8a4ea1e8682
----> /var/lib/dbus/machine-id is bind-mounted
----> starting duplicacy_web
Duplicacy Web Edition 1.1.0 (818F2B)
Starting the web server at http://127.0.0.1:3875
Commenting out user: '1000:1000' makes it work.
~Perhaps related?~
lilja@devnode:~/homelab$ docker exec -it duplicacy /bin/sh
/ $ whoami
whoami: unknown uid 1000
I don't think the above is related. Something in the image seems fishy:
I changed the image from erichough/duplicacy:1.1.0 to python:3.7-slim and added the command: python3 -m http.server 3875 --bind 0.0.0.0 (listens to 3875 on 0.0.0.0).
with erichough/duplicacy:1.1.0:
lilja@devnode:~/homelab$ curl localhost:3875
curl: (52) Empty reply from server
with python:3.7-slim and python3 -m http.server 3875 --bind 0.0.0.0:
lilja@devnode:~/homelab$ curl localhost:3875
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href=".dockerenv">.dockerenv</a></li>
<li><a href="bin/">bin/</a></li>
<li><a href="boot/">boot/</a></li>
<li><a href="dev/">dev/</a></li>
<li><a href="etc/">etc/</a></li>
<li><a href="home/">home/</a></li>
<li><a href="lib/">lib/</a></li>
<li><a href="lib64/">lib64/</a></li>
<li><a href="media/">media/</a></li>
<li><a href="mnt/">mnt/</a></li>
<li><a href="opt/">opt/</a></li>
<li><a href="proc/">proc/</a></li>
<li><a href="root/">root/</a></li>
<li><a href="root-external-drive/">root-external-drive/</a></li>
<li><a href="run/">run/</a></li>
<li><a href="sbin/">sbin/</a></li>
<li><a href="srv/">srv/</a></li>
<li><a href="sys/">sys/</a></li>
<li><a href="tmp/">tmp/</a></li>
<li><a href="usr/">usr/</a></li>
<li><a href="var/">var/</a></li>
</ul>
<hr>
</body>
</html>
I managed to reduce it
test2:
  image: "erichough/duplicacy:1.1.0"
  cap_drop:
    - ALL
  user: '1000:1000'
  container_name: test2
  ports:
    - 3875:3875
  restart: always
  environment:
    TZ: America/New_York
    MACHINE_ID: 4c601d79a045519397ade28a2f79e3d3
lilja@devnode:~/homelab$ docker logs test2
/usr/local/bin/entrypoint.sh: line 43: can't create /var/lib/dbus/machine-id: Permission denied
----> container hostname is aeb949ec45e9
----> using machine-id from MACHINE_ID environment variable: 4c601d79a045519397ade28a2f79e3d3
/usr/local/bin/entrypoint.sh: line 43: can't create /var/lib/dbus/machine-id: Permission denied
----> container hostname is aeb949ec45e9
----> using machine-id from MACHINE_ID environment variable: 4c601d79a045519397ade28a2f79e3d3
/usr/local/bin/entrypoint.sh: line 43: can't create /var/lib/dbus/machine-id: Permission denied
----> container hostname is aeb949ec45e9
----> using machine-id from MACHINE_ID environment variable: 4c601d79a045519397ade28a2f79e3d3
Uncomment user: '1000:1000' to have the web server running. But the volumes are created as root.
I docker exec -it duplicacy /bin/sh into the container. It seems like there's some issue with it binding to 127.0.0.1 instead of 0.0.0.0.
It's like the image doesn't have the configuration ~/.duplicacy-web/*.json files/folders.
/ $ ls -al /
total 84
drwxr-xr-x 1 root root 4096 Feb 2 16:37 .
drwxr-xr-x 1 root root 4096 Feb 2 16:37 ..
-rwxr-xr-x 1 root root 0 Feb 2 16:37 .dockerenv
drwxr-xr-x 2 root root 4096 Dec 24 15:04 bin
drwxr-xr-x 5 root root 340 Feb 2 16:37 dev
drwxr-xr-x 1 root root 4096 Feb 2 16:37 etc
drwxr-xr-x 2 root root 4096 Dec 24 15:04 home
drwxr-xr-x 1 root root 4096 Dec 24 15:04 lib
drwxr-xr-x 5 root root 4096 Dec 24 15:04 media
drwxr-xr-x 2 root root 4096 Dec 24 15:04 mnt
drwxr-xr-x 2 root root 4096 Dec 24 15:04 opt
dr-xr-xr-x 138 root root 0 Feb 2 16:37 proc
drwxr-xr-x 10 1000 1000 4096 Jan 19 17:26 read-only-data
drwx------ 1 root root 4096 Dec 30 21:52 root
drwxr-xr-x 2 root root 4096 Jan 18 16:25 root-external-drive
drwxr-xr-x 2 root root 4096 Dec 24 15:04 run
drwxr-xr-x 2 root root 4096 Dec 24 15:04 sbin
drwxr-xr-x 2 root root 4096 Dec 24 15:04 srv
-rw------- 1 1000 1000 1675 Jan 23 20:33 ssh-key
-rw------- 1 1000 1000 395 Jan 23 20:33 ssh-key.pub
dr-xr-xr-x 13 root root 0 Jan 18 16:26 sys
drwxrwxrwt 1 root root 4096 Dec 30 21:52 tmp
drwxr-xr-x 1 root root 4096 Dec 24 15:04 usr
drwxr-xr-x 1 root root 4096 Dec 24 15:04 var
/ $ find . 2>/dev/null | grep 'web'
./usr/local/bin/duplicacy_web
./var/log/duplicacy_web.log
AH. I got it.
Because ehough/docker-duplicacy is pre-built when users docker pull, the $USER is root. When I specify that the user should be 1000:1000, there is no ~/.duplicacy-web because it exists in /root/.duplicacy-web. When duplicacy doesn't see that path, it defaults to bind address 127.0.0.1 and is thus inaccessible from the docker host.
A solution would be to link those files during the entrypoint of the container.
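The diagnosis above has three observable symptoms inside the running container: `whoami: unknown uid 1000`, no `.duplicacy-web` directory under the effective user's home (only under `/root`), and the web UI announcing `http://127.0.0.1:3875`. The following is an added example, not part of docker-duplicacy or its entrypoint: a preflight check that reports those conditions from explicit state so it can be reasoned about, plus a collector that reads the same state from a live container. It assumes, as the thread concludes, that duplicacy_web looks for its config under `$HOME/.duplicacy-web` and binds loopback when it is absent, and that Docker sets `$HOME` to `/` for a UID with no passwd entry; `REPORTED_STATE` is constructed to match the `ls -al /` and `whoami` output posted above.

```python
import os
import pwd

CONFIG_DIR = ".duplicacy-web"
IMAGE_CONFIG = "/root/.duplicacy-web"     # where the pre-built image keeps its copy
MACHINE_ID_PATH = "/var/lib/dbus/machine-id"


def home_for(uid, env_home, passwd_homes):
    """Home directory the process will use. Assumption: $HOME wins when set,
    otherwise the passwd entry, and a UID with neither ends up at '/'."""
    if env_home:
        return env_home
    return passwd_homes.get(uid, "/")


def preflight(uid, env_home, passwd_homes, existing_paths, writable_dirs):
    """Return (code, message) findings for one container's runtime state.

    passwd_homes   : {uid: home} from the image's /etc/passwd
    existing_paths : set of container paths that exist
    writable_dirs  : set of directories the effective UID can create files in
    """
    findings = []
    if uid not in passwd_homes:
        findings.append(("UNKNOWN_UID",
            f"UID {uid} has no /etc/passwd entry: `whoami` fails and no home "
            "directory is derived from passwd"))
    home = home_for(uid, env_home, passwd_homes)
    config = os.path.join(home, CONFIG_DIR)
    if config not in existing_paths:
        hint = f" (the image's copy is at {IMAGE_CONFIG})" if IMAGE_CONFIG in existing_paths else ""
        findings.append(("CONFIG_MISSING",
            f"{config} does not exist{hint}; duplicacy_web falls back to binding "
            "127.0.0.1, so the published port answers with an empty reply"))
    if (MACHINE_ID_PATH not in existing_paths
            and os.path.dirname(MACHINE_ID_PATH) not in writable_dirs):
        findings.append(("MACHINE_ID_UNWRITABLE",
            f"{MACHINE_ID_PATH} is absent and its directory is not writable by "
            f"UID {uid}; bind-mount a machine-id file there read-only"))
    return findings


def collect_state():
    """Gather the same inputs from the live container (run this inside it)."""
    uid = os.getuid()
    env_home = os.environ.get("HOME")
    passwd_homes = {p.pw_uid: p.pw_dir for p in pwd.getpwall()}
    config = os.path.join(home_for(uid, env_home, passwd_homes), CONFIG_DIR)
    existing = {p for p in (MACHINE_ID_PATH, IMAGE_CONFIG, config) if os.path.exists(p)}
    machine_id_dir = os.path.dirname(MACHINE_ID_PATH)
    writable = {machine_id_dir} if os.access(machine_id_dir, os.W_OK) else set()
    return dict(uid=uid, env_home=env_home, passwd_homes=passwd_homes,
                existing_paths=existing, writable_dirs=writable)


# Constructed state matching the reporter's container: user 1000:1000 with no
# passwd entry, config only under /root, machine-id bind-mounted read-only.
REPORTED_STATE = dict(uid=1000, env_home=None, passwd_homes={0: "/root"},
                      existing_paths={IMAGE_CONFIG, MACHINE_ID_PATH},
                      writable_dirs=set())

if __name__ == "__main__":
    for code, msg in preflight(**REPORTED_STATE):
        print(f"[{code}] {msg}")
```

Run inside the container as `preflight(**collect_state())` before starting `duplicacy_web`; an empty list means the effective user has a config directory to bind from and a machine-id it does not need to create, which is the state the entrypoint would have to arrange for a non-root `user:`.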