Permission denied when using external mounts #139
Comments
Hello there, I am passing this to engineering team based on the previous issue that was opened.
Just as a heads up: The same problem/error exists for all other docker images, especially the key-connector which is not included in the unified build and also the separate images.
Same here when hosting on Azure App Service with external mount (Storage --> File Share)
Disclaimer: This is a copy of bitwarden/server#2989, since the Docker part moved to this repo
Steps To Reproduce
i. Official Docker docs for NFS: https://docs.docker.com/storage/volumes/#create-a-service-which-creates-an-nfs-volume
ii. EFS Volume on AWS Fargate: https://docs.aws.amazon.com/AmazonECS/latest/userguide/efs-volumes.html
Expected Result
Regular working Service with a highly available and easy to backup storage solution in the background.
Actual Result
The logs show a "permission denied" error when trying to set the permissions for /etc/bitwarden. This happens in the unified and the regular containers.
The exact line of code producing the error is, for the regular installation, https://github.com/bitwarden/server/blob/master/src/Admin/entrypoint.sh#L33 and, for the unified, https://github.com/bitwarden/server/blob/master/docker-unified/entrypoint.sh#L97.
After some investigation the underlying problem seems to be that the application user is created in the entrypoint.sh script and thus the /etc/bitwarden directory is owned by root:root during the container creation when the mount is happening. Changing permissions to a mounted directory is not possible afterwards, thus the application does not have permissions to /etc/bitwarden during runtime and does not work.
Screenshots or Videos
No response
Additional Context
Best practice by Docker seems to be to create the user with an explicit UID/GID during the image creation and not during container startup. Source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
A change of this explicit UID/GID should then not be done in the entrypoint script but utilizing a remap as suggested by Docker: https://docs.docker.com/engine/security/userns-remap/
Build Version
bitwarden/server@8d9ca424a1ec2079cc2508be5c23a4883987ea69-dirty and 2023.4.3
Environment
Self-Hosted
Environment Details
Tested on various Setups including:
Issue Tracking Info
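
One way to surface this condition at container startup, as an added example that is not Bitwarden's entrypoint code: a shell pre-flight that leaves a correctly owned mount untouched and fails with a clear message when `chown` is refused by the storage backend. The function names and the `APP_UID`/`APP_GID` variables are assumptions for illustration.

```shell
#!/bin/sh
# Added example: ownership pre-flight for an externally mounted data directory.
# Function names and APP_UID/APP_GID are assumptions, not project code.

# Print "uid:gid" of the directory's owner (GNU/busybox stat, BSD fallback).
mount_owner() {
    stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# Succeed (0) when the directory is NOT already owned by uid:gid.
needs_chown() {
    [ "$(mount_owner "$1")" != "$2:$3" ]
}

# Make dir usable by uid:gid, or explain why that is not possible.
# Returns 0 when ownership matches or chown worked, 1 otherwise.
prepare_data_dir() {
    dir=$1 uid=$2 gid=$3
    if ! needs_chown "$dir" "$uid" "$gid"; then
        return 0    # already correct: never touch the mount
    fi
    if chown -R "$uid:$gid" "$dir" 2>/dev/null; then
        return 0    # local volume: chown is permitted
    fi
    # External mounts may refuse chown; ownership is decided by the storage side.
    echo "ERROR: $dir is owned by $(mount_owner "$dir"), expected $uid:$gid." >&2
    echo "chown was refused; set ownership on the storage side to match" >&2
    echo "the fixed UID/GID the image runs as." >&2
    return 1
}

# Typical call from an entrypoint (UID/GID values are placeholders):
#   prepare_data_dir /etc/bitwarden "${APP_UID:-1000}" "${APP_GID:-1000}" || exit 1
```

The check is only meaningful when the image runs as a UID/GID fixed at build time, as the Docker guidance linked above recommends, so the storage side can be provisioned with matching ownership.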