Docker container won't start with stricter security set up
I am trying to run this container inside a k8s environment (so the Docker version). There it will run with the given user and group ID and as nonroot.
What version are you using? 2.0.59@sha256:c7e93705edb333c707f28077d04ca6a1518d71dd6c824eec6b4a9c188e97c7ed
What OS are you running? Linux
Are you using Docker or as a service? Docker (inside k3s Kubernetes)
Which debrid provider are you using? none as it won't start
Which downloader are you using? none as it won't start
ENV
TZ: ${TIMEZONE} (which results in Europe/Berlin)
PUID: 568
PGID: 568
Please attach a log file here with the log setting set to debug
/run/s6/basedir/scripts/rc.init: line 26: /docker-mods: Permission denied
/run/s6/basedir/scripts/rc.init: warning: hook /docker-mods exited 126
[migrations] started
[migrations] no migrations found
groupmod: /etc/group.77: Permission denied
groupmod: cannot lock /etc/group; try again later.
usermod: /etc/passwd.78: Permission denied
usermod: cannot lock /etc/passwd; try again later.
───────────────────────────────────────
_____ __ __ _____ _____ _____ _____
| | | | __|_ _| | |
| --| | |__ | | | | | | | | |
|_____|_____|_____| |_| |_____|_|_|_|
_____ __ __ _ __ ____
| __ | | | | | | \
| __ -| | | | |__| | |
|_____|_____|_|_____|____/
Based on images from linuxserver.io
───────────────────────────────────────
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 911
User GID: 1001
───────────────────────────────────────
/etc/s6-overlay/s6-rc.d/init-adduser/run: line 44: lsiown: command not found
/etc/s6-overlay/s6-rc.d/init-adduser/run: line 45: lsiown: command not found
/etc/s6-overlay/s6-rc.d/init-adduser/run: line 46: lsiown: command not found
s6-rc: warning: unable to start service init-adduser: command exited 127
The thing I found so far was https://github.com/linuxserver/docker-jellyfin/issues/184#issuecomment-1382578624
We don't test, support or go out of our way to ensure our images (and mods) work in a rootless environment.
For people searching for a quick fix:
...
securityContext:
  allowPrivilegeEscalation: false
...
pod:
  securityContext:
    runAsUser: 0
    runAsGroup: 0
    runAsNonRoot: false
...
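A small triage helper for the start-up log quoted in this issue, added here as an example (not code from the project or from linuxserver.io). `diagnose` and its finding codes are hypothetical names, and the sample is a constructed subset of the log lines above.

```python
import re

# Constructed sample: a subset of the log lines quoted in the issue above.
SAMPLE_LOG = """\
/run/s6/basedir/scripts/rc.init: warning: hook /docker-mods exited 126
groupmod: cannot lock /etc/group; try again later.
usermod: cannot lock /etc/passwd; try again later.
User UID: 911
User GID: 1001
/etc/s6-overlay/s6-rc.d/init-adduser/run: line 44: lsiown: command not found
s6-rc: warning: unable to start service init-adduser: command exited 127
"""

def diagnose(log: str, puid: int, pgid: int) -> list[str]:
    """Return short finding codes for a container start log (hypothetical helper)."""
    findings = []
    # groupmod/usermod must lock and rewrite /etc/group and /etc/passwd;
    # failing to lock them means the init stage is not running as root.
    if re.search(r"^(?:groupmod|usermod): cannot lock /etc/(?:group|passwd)",
                 log, re.M):
        findings.append("init-not-root")
    # The banner prints the IDs actually in effect; compare with PUID/PGID.
    for label, wanted in (("UID", puid), ("GID", pgid)):
        m = re.search(rf"^User {label}:\s*(\d+)", log, re.M)
        if m and int(m.group(1)) != wanted:
            findings.append(f"{label.lower()}-mismatch:{m.group(1)}!={wanted}")
    # Shell convention: 126 = found but not executable, 127 = command not found.
    for m in re.finditer(r"hook (\S+) exited (\d+)", log):
        findings.append(f"hook-failed:{m.group(1)}:{m.group(2)}")
    for m in re.finditer(
            r"^s6-rc: warning: unable to start service ([\w-]+): "
            r"command exited (\d+)", log, re.M):
        findings.append(f"service-failed:{m.group(1)}:{m.group(2)}")
    return findings

if __name__ == "__main__":
    # PUID/PGID as set in the issue's ENV section.
    for finding in diagnose(SAMPLE_LOG, puid=568, pgid=568):
        print(finding)
```
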