Defect #2642 (closed)
When mounting data and backup directories to bcv-czechidm container, container does not ensure correct privileges on them
Start date: 01/14/2021
% Done: 0%
Description
When the data and/or backup directories (/opt/czechidm/{data,backup} inside the container) are mounted from the host, they keep whatever ownership and permissions the host directory has. The container does not chown them to the tomcat user during start, so IdM cannot write to them.
There is even a stacktrace during a fresh IdM start because IdM cannot create its temp directory:
czechidm | 2021-01-13 12:25:34.216 ERROR 172447 --- [scheduling-1] o.s.s.s.TaskUtils$LoggingErrorHandler.handleError : Unexpected error occurred in scheduled task.
czechidm | eu.bcvsolutions.idm.core.api.exception.ResultCodeException: Creating directory for default temp storage [/opt/czechidm/data/temp] in temp directory failed.
czechidm | at eu.bcvsolutions.idm.core.ecm.config.DefaultAttachmentConfiguration.getTempPath(DefaultAttachmentConfiguration.java:68)
...
czechidm | at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
czechidm | at java.base/java.lang.Thread.run(Thread.java:834)
czechidm | Caused by: java.io.IOException: Unable to create directory /opt/czechidm/data/temp
czechidm | at org.apache.commons.io.FileUtils.forceMkdir(FileUtils.java:2491)
czechidm | at eu.bcvsolutions.idm.core.ecm.config.DefaultAttachmentConfiguration.getTempPath(DefaultAttachmentConfiguration.java:65)
czechidm | ... 18 common frames omitted
Bad privileges:
[root@czechidm czechidm]# ll
total 0
drwxr-xr-x. 2 root root     6 Jan 13 12:08 backup
drwxr-xr-x. 3 root root    18 Jan 13 12:32 data
drwxr-xr-x. 1 root tomcat 194 Jan 13 12:22 etc
drwxr-xr-x. 2 root tomcat   6 Dec 18 14:46 lib
Correct privileges:
[root@czechidm czechidm]# ll
total 0
drwxr-xr-x. 2 tomcat root     6 Jan 13 12:08 backup
drwxr-xr-x. 3 tomcat root    18 Jan 13 12:32 data
drwxr-xr-x. 1 root   tomcat 194 Jan 13 12:22 etc
drwxr-xr-x. 2 root   tomcat   6 Dec 18 14:46 lib

We need to:
- Adjust bcv-czechidm container runscripts so they ensure correct privileges on those directories.
- It is possible to adjust owner of directories manually and (since directories are mounted from host in this scenario) it will persist afterwards. This is doable either from the host or from inside the container; uid mapping needs to be taken into consideration when adjusting from the host.
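One way the container runscript could ensure ownership of the mounted directories before the application starts, as an added example (not the project's own runscript; the IDM_USER/IDM_DIRS variables, the ENTRYPOINT_RUN guard and the tomcat account name are assumptions):

```shell
#!/bin/sh
# Entrypoint fragment (assumed, not bcv-czechidm's own runscript): make sure
# host-mounted data/backup directories are owned by the service user, so IdM
# does not fail with "Unable to create directory /opt/czechidm/data/temp".
set -eu

IDM_USER="${IDM_USER:-tomcat}"                                   # assumed service account
IDM_DIRS="${IDM_DIRS:-/opt/czechidm/data /opt/czechidm/backup}"  # directories from the issue

# Print the owning user name of a path (GNU/busybox stat; BSD stat would need -f %Su).
owner_of() {
    stat -c '%U' "$1"
}

# Return 0 (true) when the directory is NOT owned by the expected user.
needs_chown() {
    [ "$(owner_of "$1")" != "$2" ]
}

# Create the directory if missing and hand it to the service user.
# Only the directory itself is changed, not its contents: a recursive chown over a
# large backup volume is slow, and the application creates its own subdirectories.
# Because the directory is a host mount, the new owner persists across restarts.
ensure_owner() {
    dir="$1"; user="$2"
    mkdir -p "$dir"
    if needs_chown "$dir" "$user"; then
        # Runs inside the container, so the container's own uid for $user is
        # used; no host-side uid mapping has to be worked out here.
        chown "$user" "$dir"
    fi
    # Verify and fail the start early instead of letting IdM hit the IOException.
    ! needs_chown "$dir" "$user"
}

# Only perform the fixup when invoked as the real entrypoint (needs root inside
# the container); when sourced for testing, just define the functions above.
if [ "${ENTRYPOINT_RUN:-0}" = "1" ]; then
    for d in $IDM_DIRS; do
        ensure_owner "$d" "$IDM_USER"
    done
fi
```

When the fix is applied from the host instead, chown to the numeric uid that tomcat has inside the container (not to a host account called tomcat), since that is the id the kernel compares at write time.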