Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow the entry point script to execute the app hooks as script owner #2064

Closed
cyberpower678 opened this issue Sep 11, 2023 · 9 comments
Closed

Allow the entry point script to execute the app hooks as script owner #2064

cyberpower678 opened this issue Sep 11, 2023 · 9 comments
Labels
enhancement feature: auto config (hooks) user Running containers under a different user

Comments

@cyberpower678
Copy link

The entry point is a useful feature for added customization for NextCloud owners. Unfortunately, I still need to execute mine manually as some require root level permissions to actually execute. It would be great to allow the scripts to execute as the same user that owns it, on the condition that it probably can be only read, written, or executed by the user only. I am aware that this has security implications, but I believe it should be feasible to implement in a secure manner, maybe even adding an environment variable that must be set to 1 to even allow the scripts to execute as root in the first place?
@dcwestra
Copy link

dcwestra commented Sep 15, 2023
edited
Loading

Also having this problem. Here is a specific example of the problem.

I use watchtower to update my instance automatically, whenever that happens, smbclient needs to be reinstalled. I created a script called smbclient.sh and placed it into the before-starting hook folder. Nextcloud sees this and tries to execute, but every command in the script returns a 13: Permission denied error.

The script is as follows:

#!/bin/sh
apt update
apt install smbclient libsmbclient-dev -y
pecl install smbclient
docker-php-ext-enable smbclient

@dcwestra
Copy link

I did some digging. Apparently this how it is supposed to work.

The workaround involves adding an entrypoint option to your docker-compose file. Here is an example:

entrypoint: ["/bin/bash", "-c" , "apt update && apt install smbclient libsmbclient-dev -y && pecl install smbclient && docker-php-ext-enable smbclient && /entrypoint.sh apache2-foreground"]

@cyberpower678
Copy link
Author

I don't have that option since my container lives on TrueNAS, and there doesn't exist an option to do that.

@joshtrichards joshtrichards added enhancement user Running containers under a different user feature: auto config (hooks) labels Oct 28, 2023
@Korvenwin
Copy link

I did some digging. Apparently this how it is supposed to work.

The workaround involves adding an entrypoint option to your docker-compose file. Here is an example:

entrypoint: ["/bin/bash", "-c" , "apt update && apt install smbclient libsmbclient-dev -y && pecl install smbclient && docker-php-ext-enable smbclient && /entrypoint.sh apache2-foreground"]

This solution works but the Autoconfiguration via hook folder lost its utility.

Anyone have a idea about how to run this scripts as root?

@joshtrichards
Copy link
Member

This solution works but the Autoconfiguration via hook folder lost its utility.

#1964 (comment)

For auto-configuring Nextcloud (i.e. via occ) they work as designed because they run under the appropriate uid.

I understand the idea of wanting to use them for other custom changes, but there are at least other ways of doing those still (e.g. entrypoint overrides, Dockerfile changes/builds). The Dockerfile method is probably the most appropriate, since root -level changes are generally changes to the underlying image rather than config changes for Nextcloud (and also are the most likely to break during underlying image changes such as OS base upgrades).

There was some discussion about different run_as user support for hooks in prior PRs (e.g. see #1260).

@cyberpower678
Copy link
Author

This solution works but the Autoconfiguration via hook folder lost its utility.

#1964 (comment)

For auto-configuring Nextcloud (i.e. via occ) they work as designed because they run under the appropriate uid.

I understand the idea of wanting to use them for other custom changes, but there are at least other ways of doing those still (e.g. entrypoint overrides, Dockerfile changes/builds). The Dockerfile method is probably the most appropriate, since root -level changes are generally changes to the underlying image rather than config changes for Nextcloud (and also are the most likely to break during underlying image changes such as OS base upgrades).

There was some discussion about different run_as user support for hooks in prior PRs (e.g. see #1260).

Unfortunately, not really much of an option if you run TrueNAS as those docker files are auto-generated. I can mount a host path to the entry points folder and add something to before-starting, but that's about it.

@joshtrichards
Copy link
Member

Fair enough (I'm not using TrueNAS). It at least looks like TrueNAS should still permit entrypoint command overrides from a cursory documentation search. Also I'd think you could point at a private/alternative image if you build it (Dockerfile) and upload it to an accessible image repo.

Other option is to revive some of the un-merged run_as functionality (as mentioned in #1260) for hooks and propose an implementation adjustment in a PR that supports both the current mode + a root/equivalent override.

@sync-by-unito sync-by-unito bot mentioned this issue Feb 16, 2024
Closed
@joshtrichards
Copy link
Member

The described use case was fixed in truenas/apps#96. Closing this out since the original use case seems addressed.

@joshtrichards joshtrichards closed this as not planned Won't fix, can't repro, duplicate, stale Oct 14, 2024
@cyberpower678
Copy link
Author

The described use case was fixed in truenas/apps#96. Closing this out since the original use case seems addressed.

Where do you see that this was fixed? There still is no option to execute an entry point script as root.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement feature: auto config (hooks) user Running containers under a different user
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@cyberpower678 @joshtrichards @Korvenwin @dcwestra