
Permission denied when using external mounts #139

Open
1 task done
joerg opened this issue Jul 26, 2023 · 3 comments

Comments

@joerg

joerg commented Jul 26, 2023

Disclaimer: This is a copy of bitwarden/server#2989, since the Docker part moved to this repo

Steps To Reproduce

  1. Install according to official documentation
  2. Use an external storage mount for the data directory /etc/bitwarden. Examples:
     i. Official Docker docs for NFS: https://docs.docker.com/storage/volumes/#create-a-service-which-creates-an-nfs-volume
     ii. EFS Volume on AWS Fargate: https://docs.aws.amazon.com/AmazonECS/latest/userguide/efs-volumes.html

Expected Result

Regular working Service with a highly available and easy to backup storage solution in the background.

Actual Result

The logs show a "permission denied" error when trying to set the permissions for /etc/bitwarden. This happens in the unified and the regular containers.
The exact line of code producing the error is, for the regular installation, this one: https://github.com/bitwarden/server/blob/master/src/Admin/entrypoint.sh#L33 and, for the unified one, this: https://github.com/bitwarden/server/blob/master/docker-unified/entrypoint.sh#L97.

After some investigation the underlying problem seems to be that the application user is created in the entrypoint.sh script and thus the /etc/bitwarden directory is owned by root:root during the container creation when the mount is happening. Changing permissions of a mounted directory is not possible afterwards, thus the application does not have permissions to /etc/bitwarden during runtime and does not work.

Screenshots or Videos

No response

Additional Context

Best practice by Docker seems to be to create the user with an explicit UID/GID during the image creation and not during container startup. Source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
A change of this explicit UID/GID should then not be done in the entrypoint script but utilizing a remap as suggested by Docker: https://docs.docker.com/engine/security/userns-remap/

Build Version

bitwarden/server@8d9ca424a1ec2079cc2508be5c23a4883987ea69-dirty and 2023.4.3

Environment

Self-Hosted

Environment Details

Tested on various Setups including:

  • Server installation on Ubuntu LTS 22.04 and 20.04 using an external NFS storage mount.
  • AWS ECS Fargate installation with an EFS share

Issue Tracking Info

  • I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.
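The build-time pattern the issue body points to (fixed UID/GID created while the image is built, not in entrypoint.sh), as an added example. This is not Bitwarden's Dockerfile or entrypoint; the base image, the account name `app`, the UID/GID 1000 and the runtime write check are assumptions chosen for illustration:

```dockerfile
# Added example, not part of the Bitwarden project: create the service
# account with a fixed numeric UID/GID at image build time, so ownership of
# /etc/bitwarden is already in place before any volume is mounted at start.
FROM debian:bookworm-slim

# Assumed values; pick IDs that match the owner of the NFS/EFS export,
# since a mounted filesystem keeps its own ownership and cannot be chowned
# from inside the container.
ARG APP_UID=1000
ARG APP_GID=1000

RUN groupadd --gid "${APP_GID}" app \
 && useradd --uid "${APP_UID}" --gid "${APP_GID}" \
            --no-create-home --shell /usr/sbin/nologin app \
 && mkdir -p /etc/bitwarden \
 && chown "${APP_UID}:${APP_GID}" /etc/bitwarden

# Declared as a volume so operators see where external storage belongs.
VOLUME /etc/bitwarden

# Drop privileges here instead of creating and switching users in an
# entrypoint script that runs after the mount is already present.
USER app

# Stand-in for the real entrypoint: verify the mount is writable by the
# unprivileged account and fail loudly if it is not, instead of a late
# "permission denied" from a chown that can never succeed.
CMD ["sh", "-c", "touch /etc/bitwarden/.write-test && echo 'data dir writable as' $(id -u):$(id -g)"]
```

Build with `docker build --build-arg APP_UID=<uid> --build-arg APP_GID=<gid> .` using the numeric owner of the exported share; no UID change belongs in the entrypoint afterwards, and if the IDs must differ per host, Docker's user namespace remapping (linked in the Additional Context above) is the place to do it.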
@Krychaz
Member

Krychaz commented Jul 26, 2023

Hello there,

I am passing this to engineering team based on the previous issue that was opened.

@joerg
Author

joerg commented Aug 1, 2023

Just as a heads up: The same problem/error exists for all other docker images, especially the key-connector which is not included in the unified build and also the separate images.

@yggdrasil-tynor

Same here when hosting on Azure App Service with external mount (Storage --> File Share)

3 participants