
Permissions to env file are not given to the running user if it's not root #45

Open
v4dkou opened this issue Jun 10, 2022 · 3 comments

@v4dkou

v4dkou commented Jun 10, 2022

If the ansible_ssh_user is different from root (but still a sudoer), the created systemd service fails to start with this error
docker: open /etc/default/<container name>: permission denied.

My current workaround is to change the permissions right after the included mhutter.docker-systemd-service role:

    - name: Fix https://github.com/mhutter/ansible-docker-systemd-service/issues/45
      ansible.builtin.file:
        path: /etc/default/<container name>
        owner: '{{ ansible_user }}'
        mode: '0644'
@mhutter
Owner

mhutter commented Jul 5, 2022

I'm a bit confused; which user starts the service?

@v4dkou
Author

v4dkou commented Jul 7, 2022

@mhutter Oh, this is a tricky question.
Running ps aux | grep docker shows that the docker container I am starting via systemd is owned by "root".
The .service file for systemd generated by this Ansible role does not contain a User= directive, which makes me confused too as to how this error appeared.

All I know is:

  1. The Ansible playbook is being run with a user, let's say someuser that has sudo privileges.
  2. This playbook has a become: true directive

I can try setting up the minimal reproducible example on some DigitalOcean droplet and give you access to it and the playbooks.
Would you kindly contact me at [email protected], so I can send you access once I set everything up?

Target OS: Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-113-generic x86_64)

$ systemd --version
systemd 245 (245.4-4ubuntu3.15)
+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

@mhutter
Owner

mhutter commented Jul 8, 2022

A note about the workaround: What probably fixes the issue is mode: '0644', not owner: '{{ ansible_user }}'.

> Running ps aux | grep docker shows that the docker container I am starting via systemd is owned by "root"

Okay, this is as expected (since the Docker daemon runs as root).

> The .service file for systemd generated by this Ansible role does not contain a User= directive, which makes me confused too as to how this error appeared.

Yes, indeed, because without User=, the process is started as root, which is able to read the file.


One more thing I noticed: This line:

EnvironmentFile={{ sysconf_dir }}/{{ container_name }}

is practically redundant; it sets the env for the process STARTING the container, not the container itself (this is handled by the --env-file parameter)
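
The thread turns on who actually opens the env file: `docker run --env-file` is opened by the docker CLI process, which runs as the unit's User= account (root when the directive is absent), so the mode bits decide whether that open succeeds. The following script is an added example written for this page, not code from the ansible-docker-systemd-service role; it models that check with a constructed unit file, constructed accounts (uid 1000 for `someuser`, gid 27 assumed to be Ubuntu's `sudo` group, which plays no part in a read check) and explicit mode/owner values mirroring the thread, and it also flags the cost of the `0644` workaround: a world-readable env file exposes whatever secrets it holds to every local account. The `audit_path` helper reads real metadata via `os.stat` for use on an actual host.

```python
"""Who opens the container env file, and may they?

Added example for the issue discussion above, not part of the
mhutter.docker-systemd-service role. It models the POSIX mode-bit check
that `docker run --env-file` is subject to, running as the unit's User=
(root when absent). Accounts, uids, paths and the unit text are constructed.
"""
import os
import re
import stat
import tempfile

# Constructed accounts: name -> (uid, gids). Not read from /etc/passwd.
# gid 27 is assumed to be Ubuntu's "sudo" group; sudo membership does not
# grant read access, only an explicit `sudo` invocation would.
ACCOUNTS = {
    "root": (0, {0}),
    "someuser": (1000, {1000, 27}),
}

# Constructed unit text shaped like the one discussed in the thread
# (EnvironmentFile= plus --env-file pointing at the same path). Assumption.
ROLE_UNIT = """[Unit]
Description=mycontainer container

[Service]
EnvironmentFile=/etc/default/mycontainer
ExecStart=/usr/bin/docker run --rm --name mycontainer --env-file /etc/default/mycontainer image:tag
"""


def can_read(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: set) -> bool:
    """POSIX discretionary read check on mode bits only (no ACLs, no MAC)."""
    if uid == 0:
        return True                       # root bypasses DAC (CAP_DAC_READ_SEARCH)
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)  # owner class is checked exclusively
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)  # then the group class
    return bool(mode & stat.S_IROTH)      # otherwise "other"


def unit_user(unit_text: str) -> str:
    """Account the ExecStart= process runs as: User= if present, else root."""
    m = re.search(r"^\s*User\s*=\s*(\S+)\s*$", unit_text, re.M)
    return m.group(1) if m else "root"


def audit_env_file(unit_text: str, mode: int, owner_uid: int, owner_gid: int) -> dict:
    """Can the docker CLI (running as the unit's user) open --env-file, and
    does the file's mode leak its contents to every other local account?"""
    user = unit_user(unit_text)
    uid, gids = ACCOUNTS[user]
    return {
        "runs_as": user,
        "docker_cli_can_read": can_read(mode & 0o777, owner_uid, owner_gid, uid, gids),
        "world_readable": bool(mode & stat.S_IROTH),
    }


def audit_path(unit_text: str, path: str) -> dict:
    """Same audit, taking mode and ownership from a real file on disk."""
    st = os.stat(path)
    return audit_env_file(unit_text, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


if __name__ == "__main__":
    # 1. Unit as generated (no User=): root opens the file, 0600 is enough.
    print("no User=, root:root 0600 ->", audit_env_file(ROLE_UNIT, 0o600, 0, 0))
    # 2. Hypothetical User=someuser with a root-owned 0600 file: the open fails.
    unit_as_user = ROLE_UNIT + "User=someuser\n"
    print("User=someuser, root:root 0600 ->", audit_env_file(unit_as_user, 0o600, 0, 0))
    # 3. The 0644 workaround: the open succeeds, but the secrets are world-readable.
    print("User=someuser, root:root 0644 ->", audit_env_file(unit_as_user, 0o644, 0, 0))
    # 4. Least-privilege alternative: chown to the service user, keep 0600.
    print("User=someuser, someuser:someuser 0600 ->", audit_env_file(unit_as_user, 0o600, 1000, 1000))
    # 5. Real file metadata (temporary file, constructed for the demo).
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("DB_PASSWORD=hunter2\n")
    os.chmod(fh.name, 0o600)
    print("on-disk 0600, no User= ->", audit_path(ROLE_UNIT, fh.name))
    os.unlink(fh.name)
```

Case 3 is the workaround from the first comment; case 4 is what to prefer if a `User=` is ever added to the unit, since it keeps the env file readable only by the account that needs it. Note the check covers mode bits only: POSIX ACLs, AppArmor or SELinux can still deny an open that this model allows.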
