Can't start unifi container as non-root user #525
Comments
Hmm... If I set the environment variables RUNAS_UID0=false, UNIFI_UID=1001 and UNIFI_GID=1001 instead of the --user statement, it works fine. I thought --user would be equivalent since I understand the environment variable method is being deprecated (according to some of the other topics on here) but I guess not.
The solution is to chown your unifi volume to be owned by the unifi uid.
Yes the environment variable option is being deprecated but it functions
quite differently from --user. The environment variable option launches as
root, chowns the folder then drops permissions.
I'm working on a solution to handle chowning the volume via a setuid binary.
It will probably show up in the beta tag soon.
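To make the two start-up paths the maintainer describes concrete, here is an added POSIX-shell example (not the unifi-docker project's own entrypoint): with `--user` the process is never root, so the bind-mounted volume must already be owned by that uid:gid, whereas `RUNAS_UID0=false` starts as root, chowns and then drops privileges. The function names are this example's own; /unifi/run and /unifi/data are the symlink targets named in the thread, and the ownership check assumes GNU coreutils `stat` (the image is Ubuntu based).

```shell
#!/bin/sh
# Added example, not the unifi-docker project's own entrypoint.
# Two ways to end up with an unprivileged controller process:
#   --user=UID:GID     the container never runs as root, so the bind
#                      mount must already be owned by UID:GID
#   RUNAS_UID0=false   start as root, chown the data dir, drop privileges

# start_mode CUR_UID RUNAS_UID0 -> which path applies for this launch.
start_mode() {
  cur_uid=$1; runas_uid0=${2:-true}
  if [ "$cur_uid" != 0 ]; then
    echo already-unprivileged      # --user case: nothing can chown the volume
  elif [ "$runas_uid0" = false ]; then
    echo chown-then-drop           # env-var case: root fixes ownership first
  else
    echo run-as-root
  fi
}

# owner_of PATH -> "uid:gid" of the target, following symlinks so that
# /var/run/unifi -> /unifi/run resolves to the real volume directory.
# Assumes GNU coreutils stat; fails (non-zero) when PATH does not exist.
owner_of() {
  stat -L -c '%u:%g' "$1" 2>/dev/null
}

# preflight UID GID DIR... -> 0 when every DIR is owned by UID:GID; otherwise
# prints the offenders with their actual owner and returns 1. Run this before
# starting mongod when the container was launched with --user: the
# "Permission denied" on mongod.pid / unifi.pid in the thread is exactly such
# a mismatch, and nothing inside the container can repair it.
preflight() {
  want="$1:$2"; shift 2; bad=""
  for d in "$@"; do
    if have=$(owner_of "$d"); then
      [ "$have" = "$want" ] || bad="$bad $d($have)"
    else
      bad="$bad $d(missing)"
    fi
  done
  [ -z "$bad" ] && return 0
  echo "not owned by $want:$bad"
  return 1
}

# Example run for the uid:gid used in this thread (paths as named in the thread):
# preflight 1001 1001 /unifi/run /unifi/data || exit 1
```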
Thanks! I'm not sure I understand. I did chown my unifi folder (the one with the data and log subfolders that's mapped using -v) to the unifi uid and gid 1001. Unifi is able to write to those folders - for example the system properties, mongodb.log, server.log, etc. all get written properly. It was complaining about /var/run/unifi and /usr/lib/unifi, which are not within that folder structure.
Those folders are symlinked to /unifi/run and /unifi/data respectively.
I think I must be looking in the wrong place. I've mapped /home/pi/docker/unifi in my host file system to /unifi in the Docker container using the I don't see any /unifi/run subfolder - just data and log. There are no .pid files anywhere in this folder hierarchy.
It looks like the /unifi/run mappings didn't get moved from the old volume structure; it's just owned by 999:999, the default unifi uid, so it's not an issue with the default
Thanks. I would have used
Just wanted to add that I found another way to do it without using the environment variables. I added a mapping using
The run directory should now properly be placed into /unifi. Working on getting permset shoehorned in now.
I have the fixes for permissions on the
Thank you! At this point, since 7.0.xx will be out of RC soon as you mentioned, I think I'll wait for that. It's been working fine for me with the manual mapping I added for By the way, the mongodb version is currently 3.4. Since Ubiquiti supports 3.6, any plans to upgrade it in an upcoming release?
So it looks like mongodb 3.6 can install on ubuntu 18.04, so that's possible. I'm hesitant to touch much with mongodb because it's super fragile right now due to supporting Long term by the end of 2028 I have to drop What I am considering doing is picking an arbitrary release of Unifi and saying it will be the last one to support 32 bit arm (I've kind of been hoping Ubiquiti would do this for me) and use that point to bump up both mongodb to 3.6 (or newer if Ubiquiti starts supporting a newer version by then) and ubuntu to 22.04 at the same time. Another good trigger for doing that break would be if Ubiquiti started supporting a newer version of java, to knock the trio of updates all out at once. Edit: https://github.com/jacobalberty/unifi-docker/projects/2 Here's a project to track the issues related to that. I'll add an issue for the mongodb update to that.
Thanks for the explanation. Yes, there are indeed many variables involved. Personally, I'd be OK if you drop
I think this problem might be back with 7.0.25 on x86 amd64.
Hello, This is with version 7.2.95
I am trying to set up a fresh new controller as a docker container using docker compose and :latest. I ran into probably the same problem. It seems that even if the controller is given a user:group setting, mongodb is still creating everything as root.
Starting and stopping the container results in:
and in the mongodb log:
Answering myself, this one does launch:
Before
* Remove value from PKGURL arg
* Remove unneeded hotfixes for beta
* Use permset to ensure /unifi is owned by the user specified in docker run command line see #525
* Remove unifi data dir for our symlink
* [Beta] Update to 8.0.2 EA
  The new 8.x Network version is currently in EA and the beta branch hasn't been updated for a while. Rebasing to Master branch and updating to Network 8.0.2
* Update README.md
  Added beta branch info to readme.
* Update 8.0.6-EA
* Update README.md
* Update README.md
* 8.0.7-ea
* Update README.md
* Change to 8.0.7 Official
* Update README.md
* Update 8.0.24 Official
* Update README.md
---------
Co-authored-by: Jacob Alberty <[email protected]>
I am currently running the old lsio version, trying this instead of the new mongo+lsio version. I run all my containers with a custom non-root user; when I run this container using Per readme it seems that it is either I see mention of
My
This was created a while ago, but apparently my comment is to remind me that the container does a setuid so it needs to run as root, but the resulting process can be non-root.
Looks like the dockerfile does:
Where the values are hardcoded in ENV to 999 at build time, so it looks as if the actual user and group cannot be changed. I may just stick with the LSIO version, at least until
* Update to 8.0.24 Official (jacobalberty#697)
* Remove value from PKGURL arg
* Remove unneeded hotfixes for beta
* Use permset to ensure /unifi is owned by the user specified in docker run command line see jacobalberty#525
* Remove unifi data dir for our symlink
* [Beta] Update to 8.0.2 EA
  The new 8.x Network version is currently in EA and the beta branch hasn't been updated for a while. Rebasing to Master branch and updating to Network 8.0.2
* Update README.md
  Added beta branch info to readme.
* Update 8.0.6-EA
* Update README.md
* Update README.md
* 8.0.7-ea
* Update README.md
* Change to 8.0.7 Official
* Update README.md
* Update 8.0.24 Official
* Update README.md
---------
Co-authored-by: Jacob Alberty <[email protected]>
* v8.0.26 (jacobalberty#715)
* [TASK] Update controller to v8.0.28 (jacobalberty#720)
* bumping controller to v8.0.28
* its released
* [TASK] Update controller to v8.1.113 (jacobalberty#731)
* Update README.md
  Updated from 8.0.28 to 8.1.113
  Formatted a tag table a little by adding more spaces.
* Update Dockerfile
  Updated the version 8.0.28 to 8.1.113
* Update README.md
  Corrected the URL
* If CERT_IS_CHAIN or ca.pem and chain.pem don't exist, then just take the cert file as is. (jacobalberty#753)
* Update README to list latest version only in the "Current Information" table (jacobalberty#750)
  so the document remains up-to-date (DRY - Don't Repeat Yourself)
* Bump controller to 8.2.93 (jacobalberty#745)
* updating to 8.1.127
* going to 8.2.93
* doc update
* Bump controller to 8.3.32 (jacobalberty#755)
* updating to 8.3.32
* doc update
* Update to unifi v8.4.59 (jacobalberty#762)
* Update to unifi v8.4.62 (jacobalberty#768)
* Update to unifi v8.5.6 (jacobalberty#773)
* Docker labels should be labels from metadata not tags (jacobalberty#775)
* Bump to unifi 8.6.9 (jacobalberty#778)
* Add info on device discovery (using port 10001). (jacobalberty#772)
  Required Ports Reference: https://help.ui.com/hc/en-us/articles/218506997-Required-Ports-Reference
---------
Co-authored-by: Gamertech <[email protected]>
Co-authored-by: Jacob Alberty <[email protected]>
Co-authored-by: Daniel Carbone <[email protected]>
Co-authored-by: Vest <[email protected]>
Co-authored-by: Kelly Shutt <[email protected]>
Co-authored-by: Rich Brown <[email protected]>
Co-authored-by: waja <[email protected]>
Co-authored-by: Jakub Dobry <[email protected]>
Co-authored-by: Gavin Mogan <[email protected]>
Co-authored-by: Michael H. <[email protected]>
Hello,
I'm trying to start the unifi-docker container ("latest" tag) on a Raspberry Pi 4 running Bullseye Arm64. It starts fine as the root user, but not as a custom non-root user that I've created:
```shell
docker run -d --restart=unless-stopped --net=host --name unifi --user="1001:1001" -e TZ='America/Toronto' -v /home/pi/docker/unifi:/unifi jacobalberty/unifi:latest
```
This results in the following error message in the mongodb.log file:
```
ERROR: Cannot write pid file to /usr/lib/unifi/run/mongod.pid: Permission denied
```
And a similar error in the Docker log:
```
rm: cannot remove '/var/run/unifi/unifi.pid': Permission denied
```
The issue is that the above system folders require root privileges for write access. How can I fix this without running unifi as root?
I'm a novice with Docker, so if I'm missing something obvious my apologies.
Thanks!