From 866f511022fb3a451141460ca56776f2f422da4e Mon Sep 17 00:00:00 2001 From: Miranda Streeter Date: Thu, 28 May 2026 14:15:56 -0700 Subject: [PATCH] Add entrypoint script for detecting cadir rootless volume Signed-off-by: Miranda Streeter --- README.md | 26 ++++++++++++------- openvoxserver/Containerfile | 2 ++ .../87-ca-permissions.sh | 11 ++++++++ 3 files changed, 29 insertions(+), 10 deletions(-) create mode 100755 openvoxserver/container-entrypoint.d/87-ca-permissions.sh diff --git a/README.md b/README.md index 70fdb4c..21c3e87 100644 --- a/README.md +++ b/README.md 
@@ -167,30 +167,36 @@ services: ### Permissions -#### Podman +#### Rootless Podman -When using Podman, make sure the container runs with the correct permissions. The OpenVox Server process starts as `root` and then drops privileges to the `puppet` user. -This can lead to permission issues with bind mounts or volumes, especially for the OpenVox SSL and CA directories, for example: +When using rootless Podman, the OpenVox Server process starts as a virtual `root` and then drops privileges to the `puppet` user. +This can lead to permission issues with bind mount volumes, which you may want to use for the OpenVox SSL and CA directories. For example: ```shell -v ./openvoxserver-ssl:/etc/puppetlabs/puppet/ssl --v ./openvoxserver-ca:/etc/puppetlabs/puppetserver/ +-v ./openvoxserver-ca:/etc/puppetlabs/puppetserver/ca ``` -To avoid this, you can run Podman with user namespace mapping enabled: `--userns=keep-id`. With `podman-compose`, use: +By default the container will attempt to correct permissions. For a large number of files it may spend a long time at "Adjusting mounted CA directory ownership". This is normal. +If this still runs into permissions issues please check selinux and related security layers. You can relabel the host directory using the `:Z` flag: ```shell -PODMAN_USERNS=keep-id podman-compose up +-v ./openvoxserver-ca:/etc/puppetlabs/puppetserver/ca:Z ``` -This approach works best when using named volumes. +Please be careful not to mount any vital system directories when using this flag. -If that doesn’t work in your setup, you can mount a custom script directory to `/container-custom-entrypoint.d/` and place a script there which adjusts permissions on the mounted directories. -These scripts are executed on container startup, before the OpenVox Server process is launched. +If you're starting from scratch we instead recommend using a named volume. 
For example, note that the left value is not a path: + +```shell +-v puppet_ca:/etc/puppetlabs/puppetserver/ca +``` + +Permissions are managed for you, and from there the volume can be migrated using `podman volume export` and `podman volume import` commands. #### Docker -These issues have not occurred with Docker so far. +Docker always runs rootfull, and does not need permissions adjustments. ## How to deploy OpenVox/Puppet code diff --git a/openvoxserver/Containerfile b/openvoxserver/Containerfile index 6a75b24..85e11f5 100644 --- a/openvoxserver/Containerfile +++ b/openvoxserver/Containerfile @@ -56,6 +56,8 @@ ENV AUTOSIGN=true \ OPENVOX_REPORTS="puppetdb" \ OPENVOX_STORECONFIGS_BACKEND="puppetdb" \ OPENVOX_STORECONFIGS=true \ + OPENVOX_USER_UID=${OPENVOX_USER_UID} \ + OPENVOX_USER_GID=${OPENVOX_USER_GID} \ OPENVOXDB_SERVER_URLS=https://openvoxdb:8081 \ OPENVOXSERVER_ENABLE_ENV_CACHE_DEL_API=true \ OPENVOXSERVER_ENVIRONMENT_TIMEOUT=unlimited \ diff --git a/openvoxserver/container-entrypoint.d/87-ca-permissions.sh b/openvoxserver/container-entrypoint.d/87-ca-permissions.sh new file mode 100755 index 0000000..bb8312d --- /dev/null +++ b/openvoxserver/container-entrypoint.d/87-ca-permissions.sh @@ -0,0 +1,11 @@ +#!/bin/bash + +set -e + +CA_DIR="/etc/puppetlabs/puppetserver/ca" + +# Check if CA directory is present and owned by any a different user +if [ -d "$CA_DIR" ] && [ "$(stat -c '%u' "$CA_DIR")" != "$OPENVOX_USER_UID" ]; then + echo "Adjusting mounted CA directory ownership. This may take time. Please wait." + chown -R "$OPENVOX_USER_UID:$OPENVOX_USER_GID" "$CA_DIR" || echo "Failed to chown $CA_DIR" +fi
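Review bot: In the README hunk, the new sentence "By default the container will attempt to correct permissions" promises more than this patch ships: the only fix-up added is for `/etc/puppetlabs/puppetserver/ca`, while the example right above it still shows a second bind mount, `-v ./openvoxserver-ssl:/etc/puppetlabs/puppet/ssl`, whose ownership is not touched. Either qualify the sentence ("the container will attempt to correct permissions on the CA directory") or extend the script to cover the SSL directory as well. Two smaller points in the same hunk: "Docker always runs rootfull" should be "rootful", and the claim is not accurate in general since Docker also has a rootless mode; "Docker in its default rootful mode does not need permission adjustments" would be correct. The replacement of `-v ./openvoxserver-ca:/etc/puppetlabs/puppetserver/` with the `/ca` subpath is a good catch, as mounting the parent directory would have hidden the rest of the puppetserver configuration shipped in the image.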
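Review bot: In the Containerfile hunk, `OPENVOX_USER_UID=${OPENVOX_USER_UID}` and `OPENVOX_USER_GID=${OPENVOX_USER_GID}` are expanded at build time, but no `ARG OPENVOX_USER_UID` / `ARG OPENVOX_USER_GID` declaration is visible in the shown context. If they are not declared (with defaults) earlier in the file, both environment variables are baked into the image as empty strings, and the new entrypoint script then compares the directory owner against an empty value on every start. Please either point at the existing ARG lines or add them with the UID/GID the `puppet` user is created with, so the values in ENV match the account the process actually drops to.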
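Review bot: In `87-ca-permissions.sh`, the condition `[ "$(stat -c '%u' "$CA_DIR")" != "$OPENVOX_USER_UID" ]` is true for any owner when `OPENVOX_USER_UID` is unset or empty, and `chown -R ":" "$CA_DIR"` is then a silent no-op, so the script prints "Adjusting mounted CA directory ownership" and changes nothing. Add a guard such as `[ -n "$OPENVOX_USER_UID" ] && [ -n "$OPENVOX_USER_GID" ]` (or `: "${OPENVOX_USER_UID:?}"`) before the comparison. Second, `chown ... || echo "Failed to chown $CA_DIR"` deliberately defeats `set -e`; if the CA directory cannot be made writable the server will fail later with a less obvious error, so consider exiting non-zero here, or at least making the message state that the server is likely to fail. Third, the check only inspects the top-level directory: files underneath that were added or re-owned on the host after a successful first run will not be fixed, and a `chown -R` that aborted part way leaves the top directory already correct so the next start will skip it; checking with `find "$CA_DIR" ! -user "$OPENVOX_USER_UID" -print -quit` would catch both cases. Minor: the comment reads "owned by any a different user".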