gosu failing under Proxmox 7 LXC

[SuperDarius-git]

Good day

Let's start at the beginning:
I am using a Proxmox server and created an LXC container with Ubuntu 22.04. On that container, I installed Azuracast on with their install Docker script. Everything worked well for very long, then I updated to the latest release and the following happened when updating, installing, and even reinstalling from scratch on a brand new LXC container. One note: The Proxmox server was on version 7 something, which were already not supported anymore. I installed a different Proxmox on a test machine, but this time the latest version 8 something. Everything worked perfectly with the new test machine.

This is the logs for the installation of Azuracast on the version 7 Proxmox LXC container:

** Running startup script '/etc/my_init.d/00_disable_mariadb.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/00_disable_redis.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/00_setup_user.sh'...

usermod: no changes

Docker 'azuracast' User UID: 1000

Docker 'azuracast' User GID: 1000

** Startup script complete.

** Running startup script '/etc/my_init.d/01_self_signed_ssl.sh'...

Generating self-signed certificate...

.....+...+..+.+...+...........+.+..+...+..........+........+..........+..+...+......+..........+...+......+..+....+...+.....+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+..+...+.+...+.....+...+...+....+........+............+............+...+......+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+........+....+........+....+.....+....+..+...+....+........+............+......+.........+..........+..+................+..+..........+.....+...+...+..........+...........+....+..+....+...+..+.........+.+......+...+..+....+...+..+.........+......+....+.........+.....+......+.......+........+......+...+.+..+....+.........+......+...+.................+...+................+......+.....+.+..+...+....+...+...+...+..+..........+.......................+....+...+...+....................+......+.........+......+......+..........+...+.....+........................+...+...+.......+..+......+.+......+...+.....+.......+..+......+.+.....+......+..........+.....+.........+.+..+.......+...+............+.........+.........+...+..+.+......+.....+.........+......+......+....+...+...........+....+...+............+......+.....+..........+.....+.......+..............+.+...+...........+.+.....+...+.+.....+.............+........+............+.+..+...+.........+...+.......+.....................+.....+....+..+.+..+..........+..+......+.......+.....+...+............+.+......+...........+...+.......+...+......+.....+.+..+.+..+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

.+......+.....+..........+...+.....+...+.........+...............+....+..+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+.+.....+...+.+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.+...+........+.........+....+..............+.+..+.......+..+....+......+.........+.....+....+..+................+..+.+..+.......+...+..+...+...+............+...+.......+.....+.........+..........+...+.....+.+.....+..........+.................+.......+........+...+.+......+........+......+...................+.....+.......+........+.+.....+.+........+.+......+...............+............+...+...+..+.........+.+.....+.......+......+......+..............+.+.....+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-----

** Startup script complete.

** Running startup script '/etc/my_init.d/02_install_extra_packages.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/03_persist_dir.sh'...

Creating persist directories...

** Startup script complete.

** Running startup script '/etc/my_init.d/04_mariadb_conf.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/05_centrifugo_conf.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/05_nginx_conf.sh'...

Installing Nginx bot blocker...



Creating directory: /etc/nginx/bots.d



REPO = https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master



Downloading [FROM]=>  [REPO]/conf.d/globalblacklist.conf            [TO]=>  /etc/nginx/conf.d/globalblacklist.conf...OK

Downloading [FROM]=>  [REPO]/conf.d/botblocker-nginx-settings.conf  [TO]=>  /etc/nginx/conf.d/botblocker-nginx-settings.conf...OK



REPO = https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master



Downloading [FROM]=>  [REPO]/bots.d/blockbots.conf              [TO]=>  /etc/nginx/bots.d/blockbots.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/ddos.conf                   [TO]=>  /etc/nginx/bots.d/ddos.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/custom-bad-referrers.conf   [TO]=>  /etc/nginx/bots.d/custom-bad-referrers.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/bad-referrer-words.conf     [TO]=>  /etc/nginx/bots.d/bad-referrer-words.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/blacklist-ips.conf          [TO]=>  /etc/nginx/bots.d/blacklist-ips.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/blacklist-user-agents.conf  [TO]=>  /etc/nginx/bots.d/blacklist-user-agents.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/whitelist-domains.conf      [TO]=>  /etc/nginx/bots.d/whitelist-domains.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/whitelist-ips.conf          [TO]=>  /etc/nginx/bots.d/whitelist-ips.conf...OK



REPO = https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master



Downloading [FROM]=>  [REPO]/setup-ngxblocker      [TO]=>  /usr/local/sbin/setup-ngxblocker...OK

Downloading [FROM]=>  [REPO]/update-ngxblocker     [TO]=>  /usr/local/sbin/update-ngxblocker...OK

WARN: /usr/local/sbin/setup-ngxblocker optionally requires: 'dig' => cannot whitelist public ip address.

Checking url: https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/include_filelist.txt



INFO:      /etc/nginx/conf.d/* detected               => /etc/nginx/nginx.conf

inserting: include /etc/nginx/bots.d/blockbots.conf;  => /etc/nginx/sites-available/default.vhost

inserting: include /etc/nginx/bots.d/ddos.conf;       => /etc/nginx/sites-available/default.vhost

Manual Whitelist: changelog.md    => /etc/nginx/bots.d/whitelist-domains.conf



Checking for missing includes:



Checking url: https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/include_filelist.txt



Nothing to update for directory: /etc/nginx/conf.d

Nothing to update for directory: /etc/nginx/bots.d

Nothing to update for directory: /usr/local/sbin

Setting mode: 700 => /usr/local/sbin/install-ngxblocker

Setting mode: 700 => /usr/local/sbin/setup-ngxblocker

Setting mode: 700 => /usr/local/sbin/update-ngxblocker

** Startup script complete.

** Running startup script '/etc/my_init.d/05_setup_db.sh'...

2024-11-13 14:10:22+00:00 [Note] [Entrypoint]: Initial DB setup...

2024-11-13 14:10:22+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'

Here it just stopped with nothing happened.

I created an issue on the Azruacast Github page:
AzuraCast/AzuraCast#7553

I then upgraded the Proxmox server to the latest version 8, but still no fix.

I now am trying to install Avideo on another LXC Ubuntu 24 container. Here is the Docker compose file:

services:
  avideo:
    build:
      context: .
      args:
        SOCKET_PORT: ${SOCKET_PORT}
        HTTP_PORT: ${HTTP_PORT}
        HTTPS_PORT: ${HTTPS_PORT}
        DB_MYSQL_HOST: ${DB_MYSQL_HOST}
        DB_MYSQL_PORT: ${DB_MYSQL_PORT}
        DB_MYSQL_NAME: ${DB_MYSQL_NAME}
        DB_MYSQL_USER: ${DB_MYSQL_USER}
        DB_MYSQL_PASSWORD: ${DB_MYSQL_PASSWORD}
        SERVER_NAME: ${SERVER_NAME}
        ENABLE_PHPMYADMIN: ${ENABLE_PHPMYADMIN}
        PHPMYADMIN_PORT: ${PHPMYADMIN_PORT}
        PHPMYADMIN_ENCODER_PORT: ${PHPMYADMIN_ENCODER_PORT}
        CREATE_TLS_CERTIFICATE: ${CREATE_TLS_CERTIFICATE}
        TLS_CERTIFICATE_FILE: ${TLS_CERTIFICATE_FILE}
        TLS_CERTIFICATE_KEY: ${TLS_CERTIFICATE_KEY}
        CONTACT_EMAIL: ${CONTACT_EMAIL}
        SYSTEM_ADMIN_PASSWORD: ${SYSTEM_ADMIN_PASSWORD}
        WEBSITE_TITLE: ${WEBSITE_TITLE}
        MAIN_LANGUAGE: ${MAIN_LANGUAGE}
    restart: "unless-stopped"
    environment:
      SOCKET_PORT: ${SOCKET_PORT:-2053}
      HTTP_PORT: ${HTTP_PORT:-80}
      HTTPS_PORT: ${HTTPS_PORT:-443}
      DB_MYSQL_HOST: "${DB_MYSQL_HOST:-database}"
      DB_MYSQL_PORT: ${DB_MYSQL_PORT:-3306}
      DB_MYSQL_NAME: "${DB_MYSQL_NAME:-avideo}"
      DB_MYSQL_USER: "${DB_MYSQL_USER:-avideo}"
      DB_MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD:-avideo}"
      SERVER_NAME: "${SERVER_NAME:-localhost}"
      ENABLE_PHPMYADMIN: "${ENABLE_PHPMYADMIN:-yes}"
      PHPMYADMIN_PORT: ${PHPMYADMIN_PORT:-8081}
      PHPMYADMIN_ENCODER_PORT: ${PHPMYADMIN_ENCODER_PORT:-8082}
      CREATE_TLS_CERTIFICATE: "${CREATE_TLS_CERTIFICATE:-yes}"
      TLS_CERTIFICATE_FILE: "${TLS_CERTIFICATE_FILE:-/etc/apache2/ssl/localhost.crt}"
      TLS_CERTIFICATE_KEY: "${TLS_CERTIFICATE_KEY:-/etc/apache2/ssl/localhost.key}"
      CONTACT_EMAIL: "${CONTACT_EMAIL:-admin@localhost}"
      SYSTEM_ADMIN_PASSWORD: "${SYSTEM_ADMIN_PASSWORD:-password}"
      WEBSITE_TITLE: "${WEBSITE_TITLE:-AVideo}"
      MAIN_LANGUAGE: "${MAIN_LANGUAGE:-en_US}"
      NGINX_RTMP_PORT: "${NGINX_RTMP_PORT:-1935}"
      NGINX_HTTP_PORT: "${NGINX_HTTP_PORT:-8080}"
      NGINX_HTTPS_PORT: "${NGINX_HTTPS_PORT:-8443}"
      MEMCACHED_HOST: memcached
    env_file:
      - .env
    ports:
      - "${SOCKET_PORT:-2053}:${SOCKET_PORT:-2053}"
      - "${HTTP_PORT:-80}:80"
      - "${HTTPS_PORT:-443}:443"
    volumes:
      - "./.compose/HLS:/HLS"
      - "./:/var/www/html/AVideo"
      - "./.compose/videos:/var/www/html/AVideo/videos"
      - "./.compose/encoder:/var/www/html/AVideo/Encoder"
      - "./.compose/letsencrypt:/etc/letsencrypt/"
    depends_on:
      database:
        condition: service_healthy
      database_encoder:
        condition: service_healthy
      memcached:
        condition: service_started
    healthcheck:
      test: ["CMD-SHELL", "curl --silent --fail http://localhost || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "${CPUS_LIMIT:-3}"
          memory: "${MEMORY_LIMIT:-8G}"
        reservations:
          cpus: "${CPUS_LIMIT:-1}"
          memory: "${MEMORY_LIMIT:-2G}"
    networks:
      - app_net

  live:
    build: 
      context: .
      dockerfile: Dockerfile.live
    restart: "unless-stopped"
    volumes:
      - "./.compose/HLS:/HLS"
      - "./.compose/letsencrypt:/etc/letsencrypt/"
    environment:
      SERVER_NAME: "${SERVER_NAME:-localhost}"
      CREATE_TLS_CERTIFICATE: "${CREATE_TLS_CERTIFICATE:-yes}"
      TLS_CERTIFICATE_FILE: "${TLS_CERTIFICATE_FILE:-/etc/apache2/ssl/localhost.crt}"
      TLS_CERTIFICATE_KEY: "${TLS_CERTIFICATE_KEY:-/etc/apache2/ssl/localhost.key}"
      NGINX_RTMP_PORT: "${NGINX_RTMP_PORT:-1935}"
      NGINX_HTTP_PORT: "${NGINX_HTTP_PORT:-8080}"
      NGINX_HTTPS_PORT: "${NGINX_HTTPS_PORT:-8443}"
      MEMCACHED_HOST: memcached
    env_file:
      - .env
    ports:
      - "${NGINX_RTMP_PORT:-1935}:1935"
      - "${NGINX_HTTP_PORT:-8080}:8080"
      - "${NGINX_HTTPS_PORT:-8443}:8443"
    depends_on:
      avideo:
        condition: service_healthy
      database:
        condition: service_healthy
      memcached:
        condition: service_started
    healthcheck:
      test: ["CMD-SHELL", "curl --silent --fail http://localhost:8080 || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: "4G"
        reservations:
          cpus: "1"
          memory: "2G"
    networks:
      - app_net

  database:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_INITDB_SKIP_TZINFO: 1
      MYSQL_DATABASE: "${DB_MYSQL_NAME}"
      MYSQL_USER: "${DB_MYSQL_USER}"
      MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD}"
      MARIADB_AUTO_UPGRADE: 1
    volumes:
      - ./.compose/db:/var/lib/mysql
    healthcheck:
      test: "mariadb-admin ping -h localhost -u $DB_MYSQL_USER -p $DB_MYSQL_PASSWORD"
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: "10G"
        reservations:
          cpus: '1'
          memory: '4G'
    networks:
      - app_net

  database_encoder:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_INITDB_SKIP_TZINFO: 1
      MYSQL_DATABASE: "${DB_MYSQL_NAME}_encoder"
      MYSQL_USER: "${DB_MYSQL_USER}"
      MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD}"
      MARIADB_AUTO_UPGRADE: 1
    volumes:
      - ./.compose/db_encoder:/var/lib/mysql
    healthcheck:
      test: "mariadb-admin ping -h localhost -u $DB_MYSQL_USER -p $DB_MYSQL_PASSWORD"
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "0.5"
          memory: "1G"
    networks:
      - app_net

  phpmyadmin:
    image: "phpmyadmin/phpmyadmin"
    restart: "unless-stopped"
    environment:
      PMA_HOST: "${DB_MYSQL_HOST}"
      PMA_PORT: ${DB_MYSQL_PORT}
      PMA_CONTROLUSER: "${DB_MYSQL_USER}"
      PMA_CONTROLPASS: "${DB_MYSQL_PASSWORD}"
      HIDE_PHP_VERSION: "true"
    ports:
      - "${PHPMYADMIN_PORT:-8081}:80"
    depends_on:
      - database
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: "1G"
    networks:
      - app_net

  phpmyadmin_encoder:
    image: "phpmyadmin/phpmyadmin"
    restart: "unless-stopped"
    environment:
      PMA_HOST: "${DB_MYSQL_HOST}_encoder"
      PMA_PORT: ${DB_MYSQL_PORT}
      PMA_CONTROLUSER: "${DB_MYSQL_USER}"
      PMA_CONTROLPASS: "${DB_MYSQL_PASSWORD}"
      HIDE_PHP_VERSION: "true"
    ports:
      - "${PHPMYADMIN_ENCODER_PORT:-8082}:80"
    depends_on:
      - database_encoder
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: "1G"
    networks:
      - app_net

  memcached:
    image: memcached:alpine
    restart: "unless-stopped"
    command: >
      sh -c "memcached -m 128 -c 1024 -t ${NPROC:-2} -vv"
    ports:
      - "${MEMCACHE_PORT:-11211}:11211"
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: "4G"
        reservations:
          cpus: '0.5'
          memory: '512M'
    networks:
      - app_net
    environment:
      - NPROC=${NPROC:-2}

networks:
  app_net:
    driver: bridge
    ipam:
      config:
        - subnet: "${NETWORK_SUBNET:-172.21.1.0/16}"

Here is the Dockerfile.mariadb file:

# File: Dockerfile.mariadb

FROM mariadb:latest

# Set correct permissions for /tmp directory
RUN chmod 1777 /tmp

RUN chown -R mysql:mysql /var/lib/mysql
RUN chmod -R 755 /var/lib/mysql

# Copy custom MySQL configuration file
COPY deploy/my.cnf /etc/mysql/my.cnf

These are the errors on all the databse containers:

2024-11-23 05:19:20+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:11.5.2+maria~ubu2404 started.
2024-11-23 05:19:29+00:00 [Warn] [Entrypoint]: /sys/fs/cgroup///memory.pressure not writable, functionality unavailable to MariaDB
2024-11-23 05:19:29+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'

Please help me.

Thank you
Darius

[grooverdan]

2024-11-23 05:19:20+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:11.5.2+maria~ubu2404 started.

FYI 11.5.2 is now EOL, and 11.6.2 is the latest. Probably won't change the issue you are facing.

2024-11-23 05:19:29+00:00 [Warn] [Entrypoint]: /sys/fs/cgroup///memory.pressure not writable, functionality unavailable to MariaDB

Note this is just a warning. As it gets to the next output its not stalling here. The memory pressure unavailable just means MariaDB won't respond to approaching OOM conditions by freeing some unused buffers.

2024-11-23 05:19:29+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'

I think this is the crux of the problem. The next statement after this is the actual switch:

exec gosu mysql "${BASH_SOURCE[0]}" "$@"

That is its re-executing the same script under the mysql user.

Lets just test a simpler case for your MariaDB service:

command: gosu mysql id -u

ref: command

So this simplified version will confirm its its a problem. Working output would be:

$ podman run --rm mariadb:11.5.2  gosu mysql id -u
999

I suspect the secomp filter of promox is interfering here. I couldn't see a compose option for privileged for a service.

If /var/lib/mysql is initialized then you can use user: mysql, but maybe this is the same problem as #621.

Unrelated questions on Dockerfile:

Set correct permissions for /tmp directory

RUN chmod 1777 /tmp

This isn't the case already?

RUN chown -R mysql:mysql /var/lib/mysql
RUN chmod -R 755 /var/lib/mysql

Its this the default?

Copy custom MySQL configuration file

COPY deploy/my.cnf /etc/mysql/my.cnf

note /etc/mysql/conf.d is the only documented working location https://hub.docker.com/_/mariadb/.

Also command version of the file are parsed so: command: --innodb-buffer-pool-size=20G --innodb-log-file-size=20G is an option.

[SuperDarius-git]

@grooverdan - I am so thankful for your reply and answer (and questions) on my issue post, but I am a supershort guy, so everything you just said went straight over my head! - 😂

I am just trying to install or run the different software. Is there something you can suggest me to do? Or direction in any way?

Where should I change the command for testing?

Thank you
Darius

[grooverdan]

Where should I change the command for testing?

As an addition line in the database service.

  database:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    command:  gosu mysql id -u
    environment:
      MARIADB_RANDOM_ROOT_PASSWORD: "yes"
      MARIADB_INITDB_SKIP_TZINFO: 1
      MARIADB_DATABASE: "${DB_MYSQL_NAME}"
      MARIADB_USER: "${DB_MYSQL_USER}"
      MARIADB_PASSWORD: "${DB_MYSQL_PASSWORD}"
      MARIADB_AUTO_UPGRADE: 1
....

This only confirms the problem.

  database:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    user: mysql

Might be the workaround once the data is initialized from the first start, if you manage the first start.

Other option is named volumes.

[SuperDarius-git]

@grooverdan - Thank you so much for your reply. I do understand it better, but can not test this yet, because I am having problems with my power at my home lab, it's been off for 48 hours now. I will test this as soon as power comes back on. I just don't want you to think I disappeared.

[SuperDarius-git]

Hi @grooverdan - when adding the line "command: gosu mysql id -u" to the docker compose file, now it gives me an error when starting up docker compose at the database container. I have not put it in the database-encoder section yet.

The logs just gives me "999" in a few lines.

[grooverdan]

ok. so it looks like it changed the user successfully and the functional failure is after that. I'm not sure what do do apart from replicate the environment and try myself.

[SuperDarius-git]

That's gonna be a huge job. I will see if I can find a way to get it to work. Thanks for all your help.

[grooverdan]

Debugging what happens after the volume permissions are changed:

user: mysql
command: bash -x -v /usr/local/bin/docker-entrypoint.sh mariadbd

That's gonna be a huge job. I will see if I can find a way to get it to work. Thanks for all your help.

I'd suggested --privileged or disabling secomp to see if that's sufficient.