docker-openldap-fusiondirectory
execution of assets/custom-scripts throws "permission denied"
Summary
After setting up this container we were also spinning up a fusiondirectory container pointing to that openldap-fusiondirectory backend. With the openldap-fusiondirectory container version 1.4-7.1.5 the custom init scripts are not executed.
Steps to reproduce
First spin up the openldap-fusiondirectory setup:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: openldap-passwords
  namespace: fusiondirectory
data:
  ADMIN_PASS: <pw>
  CONFIG_PASS: <pw>
  FUSIONDIRECTORY_ADMIN_PASS: <pw>
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  name: openldap-readonly-password
  namespace: fusiondirectory
data:
  secretKey: <ro-pw>
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-headless
  namespace: fusiondirectory
  labels:
    app: openldap
    ver: v1
spec:
  ports:
    - port: 389
      name: ldap
  selector:
    app: openldap
    ver: v1
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-writer
  namespace: fusiondirectory
  labels:
    app: openldap-writer
    ver: v1
spec:
  ports:
    - port: 389
      name: ldap
  selector:
    statefulset.kubernetes.io/pod-name: openldap-0
    ver: v1
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: openldap
    ver: v1
  name: openldap
  namespace: fusiondirectory
spec:
  replicas: 1
  serviceName: openldap-headless
  selector:
    matchLabels:
      app: openldap
      ver: v1
  volumeClaimTemplates:
    - metadata:
        name: openldap-data
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: "fusiondirectory-data-pv"
        resources:
          requests:
            storage: 1000Mi
    - metadata:
        name: openldap-config
      spec:
        accessModes: [ "ReadWriteOnce" ]
        storageClassName: "fusiondirectory-config-pv"
        resources:
          requests:
            storage: 500Mi
  template:
    metadata:
      labels:
        app: openldap
        ver: v1
    spec:
      containers:
        - image: tiredofit/openldap-fusiondirectory:1.4-7.1.5
          imagePullPolicy: IfNotPresent
          name: openldap
          volumeMounts:
            - mountPath: /var/lib/openldap
              name: openldap-data
            - mountPath: /etc/openldap/slapd.d
              name: openldap-config
          env:
            # Container ############################################
            - name: ENABLE_CRON
              value: "TRUE"
            - name: ENABLE_ZABBIX
              value: "FALSE"
            - name: CONTAINER_LOG_LEVEL
              value: "NOTICE"
            - name: DEBUG_MODE
              value: "FALSE"
            # Settings ###############################################
            - name: INTERNAL_HOSTNAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: HOSTNAME
              #TODO Setting the fqdn automatically
              value: "$(INTERNAL_HOSTNAME).openldap-headless.fusiondirectory.svc.cluster.local"
            - name: BACKEND
              value: "mdb"
            - name: ULIMIT_N
              value: "21000"
            - name: LOG_LEVEL
              value: "256"
            - name: DOMAIN
              value: "example.com"
            - name: ADMIN_PASS
              valueFrom:
                secretKeyRef:
                  name: openldap-passwords
                  key: ADMIN_PASS
            - name: CONFIG_PASS
              valueFrom:
                secretKeyRef:
                  name: openldap-passwords
                  key: CONFIG_PASS
            - name: KEEP_EXISTING_CONFIG
              value: "FALSE"
            # FUSIONDIRECTORY ACCESS #################################
            - name: FUSIONDIRECTORY_ADMIN_USER
              value: "admin"
            - name: FUSIONDIRECTORY_ADMIN_PASS
              valueFrom:
                secretKeyRef:
                  name: openldap-passwords
                  key: FUSIONDIRECTORY_ADMIN_PASS
            - name: ORGANIZATION
              value: "organization"
            # LDAP Settings ##########################################
            - name: BASE_DN
              value: "dc=example,dc=com"
            - name: ENABLE_READONLY_USER
              value: "TRUE"
            - name: READONLY_USER_USER
              value: "reader"
            - name: READONLY_USER_PASS
              valueFrom:
                secretKeyRef:
                  name: openldap-readonly-password
                  key: secretKey
            # TLS ######################################################
            - name: ENABLE_TLS
              value: "FALSE"
            # REPLICATION ##############################################
            - name: ENABLE_REPLICATION
              value: "FALSE"
            # Replication without tls tls_reqcert=never
            # - name: REPLICATION_CONFIG_SYNCPROV
            #   value: "binddn=\"cn=config\" bindmethod=simple credentials=$(CONFIG_PASS) searchbase=\"cn=config\" type=refreshAndPersist retry=\"5 5 60 +\" timeout=1 filter=\"(!(objectclass=olcGlobal))\" tls_reqcert=never"
            # # Replication without tls tls_reqcert=never
            # - name: REPLICATION_DB_SYNCPROV
            #   value: "binddn=\"cn=admin,$(BASE_DN)\" bindmethod=simple credentials=$(ADMIN_PASS) searchbase=\"$(BASE_DN)\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 tls_reqcert=never"
            #
            # #TODO Scaling of the Statefulset won't work -> olcServerID in the config database has to be changed!
            # # Please use the correct fqdn
            # - name: REPLICATION_HOSTS
            #   value: "ldap://openldap-0.openldap-headless.fusiondirectory.svc.cluster.local ldap://openldap-1.openldap-headless.fusiondirectory.svc.cluster.local"
            - name: REMOVE_CONFIG_AFTER_SETUP
              value: "FALSE"
            # ZABBIX #################################################
            - name: ZABBIX_HOSTNAME
              value: "openldap-fusiondirectory-app"
            - name: REAPPLY_PLUGIN_SCHEMAS
              value: "TRUE"
            - name: PLUGIN_ARGONAUT
              value: "TRUE"
            - name: PLUGIN_MAIL
              value: "TRUE"
            - name: PLUGIN_ALIAS
              value: "TRUE"
            - name: PLUGIN_PERSONAL
              value: "TRUE"
            - name: PLUGIN_POSIX
              value: "TRUE"
            - name: PLUGIN_DNS
              value: "TRUE"
            - name: PLUGIN_SUDO
              value: "TRUE"
            - name: PLUGIN_SYSTEMS
              value: "TRUE"
            - name: PLUGIN_NEXTCLOUD
              value: "TRUE"
            - name: PLUGIN_POSTFIX
              value: "TRUE"
            - name: PLUGIN_DOVECOT
              value: "TRUE"
            - name: PLUGIN_DHCP
              value: "TRUE"
            - name: PLUGIN_FUSIONINVENTORY
              value: "TRUE"
            - name: PLUGIN_GPG
              value: "TRUE"
            - name: PLUGIN_REPOSITORY
              value: "TRUE"
            - name: PLUGIN_SPAMASSASSIN
              value: "TRUE"
            - name: PLUGIN_SSH
              value: "TRUE"
            - name: PLUGIN_USER_REMINDER
              value: "TRUE"
          ports:
            - containerPort: 389
      restartPolicy: Always
```
Then spin up the fusiondirectory UI:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: fusiondirectory
  namespace: fusiondirectory
  labels:
    app: fusiondirectory
    ver: v1
spec:
  type: NodePort
  ports:
    - port: 80
      targetPort: 80
      nodePort: 30067
      protocol: TCP
      name: http-fusiondirectory
  selector:
    app: fusiondirectory
    ver: v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: fusiondirectory
    ver: v1
  name: fusiondirectory
  namespace: fusiondirectory
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fusiondirectory
      ver: v1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: fusiondirectory
        ver: v1
    spec:
      volumes:
        - name: apachelogs
          emptyDir: {}
      containers:
        - image: tiredofit/fusiondirectory:1.4-2.7.11
          imagePullPolicy: IfNotPresent
          name: fusiondirectory
          resources:
            limits:
              memory: 500Mi
              cpu: "0.5"
            requests:
              memory: 100Mi
              cpu: "0.1"
          volumeMounts:
            - mountPath: /www/logs
              name: apachelogs
          env:
            #- name: DEBUG_SMTP
            #  value: TRUE
            #- name: DEBUG_MODE
            #  value: TRUE
            - name: VIRTUAL_HOST
              value: "directory.example.com"
            - name: VIRTUAL_PORT
              value: "80"
            - name: ENABLE_ZABBIX
              value: "FALSE"
            - name: PLUGIN_ARGONAUT
              value: "TRUE"
            - name: PLUGIN_MAIL
              value: "TRUE"
            - name: PLUGIN_ALIAS
              value: "TRUE"
            - name: PLUGIN_PERSONAL
              value: "TRUE"
            - name: PLUGIN_POSIX
              value: "TRUE"
            - name: PLUGIN_DNS
              value: "TRUE"
            - name: PLUGIN_SUDO
              value: "TRUE"
            - name: PLUGIN_SYSTEMS
              value: "TRUE"
            - name: PLUGIN_NEXTCLOUD
              value: "TRUE"
            - name: PLUGIN_POSTFIX
              value: "TRUE"
            - name: PLUGIN_DOVECOT
              value: "TRUE"
            - name: PLUGIN_DHCP
              value: "TRUE"
            - name: PLUGIN_FUSIONINVENTORY
              value: "TRUE"
            - name: PLUGIN_GPG
              value: "TRUE"
            - name: PLUGIN_REPOSITORY
              value: "TRUE"
            - name: PLUGIN_SPAMASSASSIN
              value: "TRUE"
            - name: PLUGIN_SSH
              value: "TRUE"
            - name: PLUGIN_USER_REMINDER
              value: "TRUE"
            - name: PLUGIN_LDAPDUMP
              value: "TRUE"
            - name: PLUGIN_LDAPMANAGER
              value: "TRUE"
            - name: PLUGIN_WEBSERVICE
              value: "TRUE"
            # Connect to only one openldap server
            # in case of a openldap replication setup
            - name: LDAP1_HOST
              value: "openldap-writer"
            - name: LDAP1_TLS
              value: "FALSE"
            - name: LDAP1_SSL
              value: "FALSE"
            - name: LDAP1_BASE_DN
              value: "dc=example,dc=com"
            - name: LDAP1_ADMIN_DN
              value: "cn=admin,dc=example,dc=com"
            # Defined in the openldap-fusiondirectory
            # kubernetes example installation
            # using the same password/secret
            - name: LDAP1_ADMIN_PASS
              valueFrom:
                secretKeyRef:
                  name: openldap-passwords
                  key: ADMIN_PASS
            - name: LDAP1_PORT
              value: "389"
            - name: LDAP1_NAME
              value: "ldap"
            - name: ENABLE_SMTP
              value: "FALSE"
            # - name: ENABLE_SMTP
            #   value: "TRUE"
            # - name: SMTP_HOST
            #   value: "smtp.example.net"
            # - name: SMTP_PORT
            #   value: "25"
            # - name: SMTP_DOMAIN
            #   value: "example.net"
            # - name: SMTP_MAILDOMAIN
            #   value: "example.net"
            # - name: SMTP_TLS
            #   value: "off"
          ports:
            - containerPort: 80
      restartPolicy: Always
```
What is the expected correct behavior?
The login through the fusiondirectory UI is possible. The scripts should be executed, so that the fusiondirectory UI can actually access the directory.
Relevant logs and/or screenshots
While starting the docker container the first time, the logs show:
```text
2021-10-20-05:30:08 [NOTICE] ** [openldap] Found custom scripts to execute
/assets/functions/10-openldap: line 558: /assets/custom-scripts/001-install-fusiondirectory.sh: Permission denied
/assets/functions/10-openldap: line 558: /assets/custom-scripts/002-update-schemas.sh: Permission denied
```
A listing of the custom-scripts directory within the container shows that the scripts are not executable:
```text
total 36K
drwxr-xr-x 2 root root 4.0K Oct 16 17:06 .
drwxr-xr-x 1 root root 4.0K Oct 20 05:30 ..
-rw-r--r-- 1 root root  19K Oct 16 17:06 001-install-fusiondirectory.sh
-rw-r--r-- 1 root root  969 Oct 16 17:06 002-update-schemas.sh
```
Environment
- Image version / tag: 1.4-7.1.5
- Host OS:
  - Ubuntu (5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)
  - k8s (v1.22.2)
Possible fixes
Not only `chmod +x /usr/sbin/fusiondirectory-insert-schema` but also `chmod +x` the other necessary scripts.
Actually, adding the line in the Dockerfile worked for me:
```dockerfile
chmod +x /assets/custom-scripts/*.sh && \
```
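As an added example (not part of this issue, the image, or its entrypoint code), a small POSIX shell pre-flight check of the kind an init hook could run before executing drop-in scripts: it lists every `*.sh` in the directory that lacks the execute bit together with its mode, and refuses to run the directory until that check passes, so a missing `chmod +x` shows up as a clear diagnosis rather than the bare "Permission denied" above. The directory is a parameter; `/assets/custom-scripts` is the image's path, but the functions here assume nothing else about the image.

```shell
#!/bin/sh
# Added example, not the image's own /assets/functions code: a pre-flight
# check for drop-in scripts that an init hook would run before executing them.

# Print every *.sh in "$1" that lacks the execute bit (with its mode string);
# return 1 if at least one was found, 0 otherwise.
check_custom_scripts() {
  dir="$1"
  rc=0
  for f in "$dir"/*.sh; do
    [ -e "$f" ] || continue            # unmatched glob: no scripts, nothing to check
    if [ ! -x "$f" ]; then
      printf 'not executable: %s (%s)\n' "$f" "$(ls -l "$f" | cut -c1-10)" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Run the scripts in lexical order (001-..., 002-..., as the image names them),
# but only after the pre-flight check passed; stop at the first script that fails.
run_custom_scripts() {
  dir="$1"
  check_custom_scripts "$dir" || return 1
  for f in "$dir"/*.sh; do
    [ -e "$f" ] || continue
    "$f" || { printf 'script failed: %s\n' "$f" >&2; return 1; }
  done
  return 0
}

# Stand-alone usage against a hypothetical directory (replace with your own):
# run_custom_scripts /assets/custom-scripts
```

Called as `run_custom_scripts /assets/custom-scripts`, this would have printed the two file names with their `-rw-r--r--` modes at start-up, which is the information that otherwise had to be pulled out of the container with `ls -l`. It complements the `chmod +x` in the Dockerfile rather than replacing it: the fix belongs in the image, the check only makes a regression visible.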