bin/otobo.SetPermission.pl doesn't work in docker container

[StefanRother-OTOBO]

Hi,

if I execute /opt/otobo/bin/otobo.SetPermission.pl in a docker container, the permissions are wrong.

I change the behavior and check now before, if otobo runs on docker (Check Environment OTOBO_RUNS_UNDER_DOCKER).
If yes, I try to get the user and group info from environment too.

Please, can you check if this is the right procedure?

Thanks!

Stefan

[StefanRother-OTOBO]

Hi,

I fix this issue in 3fcca9d

@Bernhard: Please can you check if the way is right for docker?
And I add hooks/build in otobo.SetPermission.pl to the executable files, I hope that's right? hooks/post_push is not executable at the moment.

[bschmalhofer]

@StefanRother-OTOBO I think that this needs more thought.

The execute bit on hooks/post_push is apparently not required. At least it isn't mentioned in https://docs.docker.com/docker-hub/builds/advanced/ . And adding the label :latest did work for the OTOBO 10.0.3. release.

When the Docker image is built, bin/docker/set_permissions.pl is executed. set_permissions,pl is basically a simplified version of bin/otobo.SetPermissions.pl . The idea was that the script could be simplified further and eventually be integrated into otobo.web.dockerfile.

How to proceed depends on whether permissions need to be set after installation. If not, then I propose to revert the patch and to put both scripts into .dockignore. If a set permission script is needed after installation then I propose to merge set_permissions.pl into otobo.SetPermiissions.pl.

[StefanRother-OTOBO]

Hi @bschmalhofer,

The execute bit on hooks/post_push is apparently not required. At least it isn't mentioned in
https://docs.docker.com/docker-hub/builds/advanced/ . And adding the label :latest did work for the OTOBO 10.0.3. release.

OK, I set the execute bit only for hooks/build, cause after execute otobo.SetPermissions.pl the rights where different.

How to proceed depends on whether permissions need to be set after installation. If not, then I propose to revert the patch and to put both scripts into .dockignore. If a set permission script is needed after installation then I propose to merge set_permissions.pl into otobo.SetPermiissions.pl.

We need the script otobo.SetPermission.pl. That's a extremely important tool (using docker or not).
For me it's not a good idea to add new scripts like bin/docker/set_permissions.pl with nearly the same code like otobo.SetPermission.pl. Please remove bin/docker/set_permissions.pl and use bin/otobo.SetPermission.pl if possible and when you have time. I think some problems based on the wrong permissions after using bin/otobo.SetPermission.pl.

The important think is, that OTOBO Admins and Consultants can use the known tools.

Thanks,

Stefan

[bschmalhofer]

Yes, I'll merge bin/otobe.SetPermission.pl and bin/docker/set_permission.pl. In order to be explicit I'll add a flag --runs-under-docker so that the call in otobo.web.dockerfile won't have to rely on the environment variable.

[bschmalhofer]

Scripts are merged, but not tested yet.

[StefanRother-OTOBO]

Hi,

how das it work for docker environment without user root now?

Thanks,

Stefan

[bschmalhofer]

Hi @StefanRother-OTOBO ,

the short answer is that it does not work under Docker.

It even does not work when one is root in the running otobo_web_1 container. Being root can be achieved by docker exec -it --user root otobo_web_1 bash. But otobo.SetPermissions.pl internally calls the Perl commands chmod and chown. The chown does not succeed because root has limited Linux capabilities in the container. There are workarounds for running that command with full capabilities. But I think that first we need to clarify what the use cases for 'otobo.SetPermissions.pl`are.

One use case is when building the Docker image. But calling it in otobo.web.dockerfile is really overkill, as the required funtionality could probably be done in a couple of shell commands.

So,I think that this needs to be discussen in a devel-meeting.

[svenoe]

This is not a bug, we will discuss somewhen, whether we need this functionality, but I guess not for 10.0.5.

[bschmalhofer]

Let's close this issue as there is nothing to do.