
Setting UID/GID/USER is broken #76

Open
noillt opened this issue Jun 11, 2024 · 7 comments


@noillt

noillt commented Jun 11, 2024

We had an issue where the docker image gameservermanagers/gameserver:css was setting UID and GID to 1000 which was the wrong user (even if user linuxgsm existed for example on id 1006) on our server and the volume (dir) would get chowned for the wrong user.

After noticing that it's set through ENV we added variable overrides to docker-compose.yml (some data is redacted):

version: "3.8"
services:
  linuxgsm-css-bind:
    image: gameservermanagers/gameserver:css
    volumes:
      - /home/combat/combat-css-server:/data
    environment:
      - USER=combat
      - UID=1005
      - GID=1005

But the docker image would still fail with:

combat-css-server  | Switch to user combat
combat-css-server  | =================================
combat-css-server  | error: failed switching to "combat": unable to find user combat: no matching entries in passwd file
combat-css-server  | 
combat-css-server  | Check Permissions
combat-css-server  | =================================
combat-css-server  | setting UID to 1005
combat-css-server  | setting GID to 1005
combat-css-server  | updating permissions for /data
combat-css-server  | chown: invalid user: ‘combat:combat’
combat-css-server  | updating permissions for /app
combat-css-server  | chown: invalid user: ‘combat:combat’

The problem is that the user exists:

# combat@noil:~$ id
uid=1005(combat) gid=1005(combat) groups=1005(combat),100(users),994(docker)

We are not and will not run docker or any other similar daemons or commands with sudo. The combat user is part of the docker group and is able to run docker images without sudo.

How should we proceed to start the linuxgsm (gameserver) on our combat user, so that the volume and the start scripts would get the correct UID/GID?

Or is it only possible to start as non-root with the linuxgsm user and then deal with dir/file permissions so that the combat user could modify files owned by the linuxgsm user? (It worked to start the docker image with user=linuxgsm,id=1006,gid=1006.)

chmod 775 is not a solution, as every time the docker container is started it overrides all ownerships and permissions.
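An added example, not code from the gameserver image, showing what an entrypoint has to do for the USER/UID/GID override above to succeed: resolve the requested name and id against the container's own passwd file before switching user (the "no matching entries in passwd file" error means the name was never created inside the container), and chown a volume only when its owner actually differs. The env names follow the compose file; `gosu`, `/data` and `/app` as targets, and GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example, not the image's own entrypoint. Assumes env USER, UID, GID as in
# the docker-compose snippet. Note: bash makes UID a read-only variable holding the
# real uid, so an entrypoint that reads UID from the environment must be /bin/sh
# (dash) or use a different variable name.

# resolve_user NAME UID PASSWD_FILE
# Prints: ok              NAME exists with that UID
#         create          neither NAME nor UID present, safe to add the account
#         mismatch:<uid>  NAME exists under a different UID
#         taken:<name>    UID already belongs to another account
resolve_user() {
  name=$1 want_uid=$2 passwd=$3
  by_name=$(awk -F: -v n="$name" '$1 == n { print $3 }' "$passwd")
  by_uid=$(awk -F: -v u="$want_uid" '$3 == u { print $1 }' "$passwd")
  if [ -n "$by_name" ] && [ "$by_name" = "$want_uid" ]; then echo ok
  elif [ -n "$by_name" ]; then echo "mismatch:$by_name"
  elif [ -n "$by_uid" ]; then echo "taken:$by_uid"
  else echo create
  fi
}

# needs_chown DIR UID GID: succeeds only if DIR is not already owned by UID:GID,
# so the recursive chown on every start (complained about below) is skipped when
# nothing changed. Uses GNU stat (assumption: Linux base image).
needs_chown() {
  [ "$(stat -c '%u:%g' "$1")" != "$2:$3" ]
}

# Entrypoint flow; only runs when LGSM_DEMO_ENTRYPOINT=1 so the file can be sourced.
entrypoint_main() {
  case $(resolve_user "$USER" "$UID" /etc/passwd) in
    ok) ;;
    create)
      # Create the account with exactly the requested ids so the later lookup succeeds.
      groupadd -g "$GID" "$USER" && useradd -u "$UID" -g "$GID" -M "$USER" ;;
    *) echo "refusing to start: USER=$USER UID=$UID conflicts with /etc/passwd" >&2; exit 1 ;;
  esac
  for d in /data /app; do
    if needs_chown "$d" "$UID" "$GID"; then
      echo "updating permissions for $d"; chown -R "$UID:$GID" "$d"
    fi
  done
  exec gosu "$UID:$GID" "$@"   # assumption: gosu (or an equivalent su helper) is installed
}

if [ "${LGSM_DEMO_ENTRYPOINT:-0}" = 1 ]; then entrypoint_main "$@"; fi
```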

@successtheman

successtheman commented Jun 26, 2024

I tried to make a user with the same UID and GID as the ones it was chowning the files to and then added my user to that group. Unfortunately, when it detected that the user existed it would then chown all the files to a different UID and GID. I believe this is similar to what you are saying? I wish there was a flag to just make it run as root instead of the linuxgsm user to bypass all this trouble, because honestly I just start it when I want to play l4d2 (not CSS like in your case, but it should still be similar), so I don't really care about how secure it is or not.

Try using a bind mount as per https://docs.docker.com/storage/bind-mounts/#mount-into-a-non-empty-directory-on-the-container; this seemed to work for me and it sets the UID/GID I specified.
Bind mount didn't actually work, never mind.

@WildPenquin

Maybe I'm a bit lost here, but I'm confused what you've done outside and what you've done inside the container.

Care to elaborate: why do you need another user besides linuxgsm? Why isn't the linuxgsm user enough? Where/how exactly have you determined it is setting the wrong UID/GID? When running inside the container, or are you trying to access the files outside the container (on the host)?

It seems like you have created a user "combat" inside the container, want to run the container as user "combat", and expect the UIDs and GIDs to match?

Please note that the idea of a container is that it has a totally different namespace. The whole point is that the UIDs, GIDs don't match with anything on the host. The user accounts are separate.

Bind mounts have nothing to do with UID nor GID management, really.

Or, sorry if I'm misinterpreting totally what you have done and asking help for =).

@successtheman

successtheman commented Jul 14, 2024

> Maybe I'm a bit lost here, but I'm confused what you've done outside and what you've done inside the container.
>
> Care to elaborate: why do you need another user besides linuxgsm? Why isn't the linuxgsm user enough? Where/how exactly have you determined it is setting the wrong UID/GID? When running inside the container, or are you trying to access the files outside the container (on the host)?
>
> It seems like you have created a user "combat" inside the container, want to run the container as user "combat", and expect the UIDs and GIDs to match?
>
> Please note that the idea of a container is that it has a totally different namespace. The whole point is that the UIDs, GIDs don't match with anything on the host. The user accounts are separate.
>
> Bind mounts have nothing to do with UID nor GID management, really.
>
> Or, sorry if I'm misinterpreting totally what you have done and asking help for =).

Forget the bind mounts; as I said, it didn't make a difference. As I said, I tried to set the UID and GID to the same thing the container was chowning the mounted folders to, but when the container starts it then picks a different UID/GID. It's nice that linuxgsm thinks it needs to chown all mounted files/folders every time the container starts (which is completely unnecessary, but it still does it). Thing is, I need to be able to edit the files that are mounted or I can't set up the server, call me crazy. None of the https://www.linuxserver.io/ images have this issue, and they allow the user to run the image with whatever permissions they want for the mounted files/folders. For some reason all L4D2/srcds images think they need to chown everything. In fact I run most docker containers with root UID/GID 0 (within the container, not on the host system) to avoid permission issues so that the container can access the mounted files without issues (spare me the speech about this being a bad idea, I do it anyway), but this image thinks it needs to chmod/chown my files every time to some random user no matter which UID/GID I specify.

I spent hours trying different things with no luck, so it's nice the namespaces are separate, but when I can't edit the files for the server or add new things to the server, that's a problem. Either there is a permissions issue like this with all the srcds/steamcmd images I tried, or the server simply doesn't start and says some error which won't resolve no matter what you try. Because of all this I gave up running srcds servers with docker images and on Linux as a whole and moved to Windows Server within Proxmox, where I don't have to deal with this. It's nicer too because with RDP I can just drag and drop files into the server. Wish the others best of luck though. Maybe some day the container will not chown every file when it isn't necessary, who knows.

@doomhound188

I am also having the same issue. I can't actually create a backup of the Palworld server because the user doesn't have permissions to create directories in the host directory.

The issue seems to stem from the linuxgsm userid of 1000, while the default/first user created on the host also gets userid 1000.

What is the best way of changing this to prevent issues moving forward?

@successtheman

successtheman commented Aug 9, 2024

> I am also having the same issue. I can't actually create a backup of the Palworld server because the user doesn't have permissions to create directories in the host directory.
>
> The issue seems to stem from the linuxgsm userid of 1000, while the default/first user created on the host also gets userid 1000.
>
> What is the best way of changing this to prevent issues moving forward?

Not running it in a docker container and just running it on the host is the only real option I can see unless they fix this (which I doubt will happen any time soon, if ever), but I opted to run my server on a Windows host instead of Linux.

The issue is in the linuxgsm dependency container, I think, which docker-gameserver depends on as shown in the Dockerfile, and it's just not worth the time for me to fuss with it.

@doomhound188

doomhound188 commented Aug 9, 2024

I fixed it by creating the linuxgsm user on the host and adding my user account to the linuxgsm group. The container starts fine now, but I am unable to run backups using podman exec -it --user linuxgsm pwserver ./pwserver b:

podman exec -it --user linuxgsm pwserver ./pwserver b
[ INFO ] Backing up pwserver: Starting backup: Previous backups found
  • Previous backup was created less than 1 day ago, total size 0
[ WARN ] Backing up pwserver: pwserver will be restarted
[ OK ] Stopping pwserver: Graceful: CTRL+c: 3: OK
[ .... ] Backing up pwserver: Backup (3.1G) pwserver-2024-08-09-125907.tar.gz, in progress.../bin/sh: 1: pigz: not found
tar: /app/lgsm/backup/pwserver-2024-08-09-125907.tar.gz: Cannot write: Broken pipe
tar: Child returned status 127
tar: Error is not recoverable: exiting now
FAIL
[ FAIL ] Backing up pwserver: Starting backup
[ OK ] Updating pwserver: Checking for update: SteamCMD
No update available
[ OK ] Backing up pwserver: Palword Server

@saedrin

saedrin commented Dec 10, 2024

This is very frustrating for me as well. I run a ton of containers on this host, and this container essentially requiring UID 1000 is making a mess. I'm not sure what the solution is, but something like a config check it can reference on start to switch the UID/GID would be very welcome.
