
Comments (3)

goofball222 commented on May 10, 2024

Added BIND_PRIV environment variable. Set it to "true" to set the privileges on the container Java binary to allow it to bind to ports <1024 when running as a non-UID=0 user.

from unifi.

goofball222 commented on May 10, 2024

Reopening: reported as not completely solved by the initial changes by Docker Hub user gravita - https://hub.docker.com/r/gravita/. AUFS on older kernels may not support the necessary xattrs flags for setcap. This is a common Docker storage overlay driver.

[2017-09-22 12:26:36,782] Script version 0.4.6 startup.
[2017-09-22 12:26:36,786] Setting params/variables/paths.
[2017-09-22 12:26:36,792] Validating system.properties setup for container.
[2017-09-22 12:26:36,796] Existing '/usr/lib/unifi/data/system.properties' found. Setting its container-mode options to 'true'.
[2017-09-22 12:26:36,828] SSL certificate file unchanged. Continuing with UniFi startup.
[2017-09-22 12:26:36,832] To force retry the SSL import process: delete '/usr/lib/unifi/cert/unificert.sha256' and restart the container.
[2017-09-22 12:26:36,841] Entrypoint running with UID=0.
[2017-09-22 12:26:36,857] UID/GID for unifi are unchanged: UID=999, GID=999
[2017-09-22 12:26:36,861] Ensuring file permissions are correct before dropping privs - 'chown -R unifi:unifi /usr/lib/unifi'.
[2017-09-22 12:26:36,946] Support binding ports <1024 'setcap 'cap_net_bind_service=+ep' /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java'.
Failed to set capabilities on file `/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java' (Invalid argument)
The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file

$> docker info
Containers: 11
Images: 301
Storage Driver: aufs
 Root Dir: /volume1/@docker/aufs
 Backing Filesystem: extfs
 Dirs: 323
 Dirperm1 Supported: true
Execution Driver: native-0.2
Kernel Version: 3.10.35
Operating System: <unknown>
CPUs: 4
Total Memory: 3.859 GiB
Registry: [https://index.docker.io/v1/]
WARNING: No memory limit support
WARNING: No swap limit support

$> docker version
Client version: 1.6.2
Client API version: 1.18
Go version (client): go1.4.2
Git commit (client): a263667
OS/Arch (client): linux/amd64
Server version: 1.6.2
Server API version: 1.18
Go version (server): go1.4.2
Git commit (server): a263667
OS/Arch (server): linux/amd64

Docker AUFS 'setcap' xattrs problems reported by others:
moby/moby#1070
and moby/moby#5650

Workaround: Allow running as UID=0 (root). Enable via an ENV variable; default to false and require the user to explicitly set it. Downside: reduces the overall security of the running container and its internal software if enabled.


goofball222 commented on May 10, 2024

Additional change adding support for running as UID=0 to work around AUFS missing xattrs on older kernel+aufs versions.

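As an added illustration of the two points raised in this thread (a BIND_PRIV opt-in that grants cap_net_bind_service to the Java binary, and a root fallback for storage drivers where setcap cannot write xattrs), the following POSIX shell routine is example code, not the unifi container's own entrypoint. The names BIND_PRIV, RUN_AS_ROOT, try_setcap, choose_mode and run_entrypoint, the service user "unifi" and the use of util-linux su for dropping privileges are assumptions made for this example. It verifies the capability actually persisted with getcap rather than trusting setcap's exit status, and it refuses to escalate to UID 0 unless the operator has explicitly asked for that.

```shell
# Added example, not the unifi image's own script. Assumed names: BIND_PRIV,
# RUN_AS_ROOT, try_setcap, choose_mode, run_entrypoint, user "unifi".

# try_setcap FILE
# Grant cap_net_bind_service to FILE and confirm it persisted. On storage
# drivers without xattr support (AUFS on old kernels) setcap fails with
# "Invalid argument". Exit codes: 0 ok, 1 setcap/getcap failed,
# 2 setcap tooling not installed in the image.
try_setcap() {
    file="$1"
    command -v setcap >/dev/null 2>&1 || return 2
    setcap 'cap_net_bind_service=+ep' "$file" 2>/dev/null || return 1
    # Re-read the capability; matches both "= cap_...+ep" (older libcap)
    # and "cap_...=ep" (newer libcap) getcap output formats.
    getcap "$file" 2>/dev/null | grep -q 'cap_net_bind_service' || return 1
}

# choose_mode BIND_PRIV RUN_AS_ROOT SETCAP_RC
# Policy: running the service as root is opt-in only (RUN_AS_ROOT=true).
# When low ports were requested (BIND_PRIV=true) and the capability did not
# stick, abort instead of silently keeping UID 0.
# Prints one of: root | setcap | drop | abort
choose_mode() {
    bind_priv="$1"; run_as_root="$2"; setcap_rc="$3"
    if [ "$run_as_root" = "true" ]; then
        echo root
    elif [ "$bind_priv" != "true" ]; then
        echo drop
    elif [ "$setcap_rc" -eq 0 ]; then
        echo setcap
    else
        echo abort
    fi
}

# run_entrypoint JAVA_BIN CMD [ARGS...]
# Reads BIND_PRIV / RUN_AS_ROOT from the environment (both default false),
# applies the policy above and execs CMD either as root or as "unifi".
run_entrypoint() {
    java_bin="$1"; shift
    rc=0
    if [ "${BIND_PRIV:-false}" = "true" ] && [ "${RUN_AS_ROOT:-false}" != "true" ]; then
        try_setcap "$java_bin" || rc=$?
    fi
    case "$(choose_mode "${BIND_PRIV:-false}" "${RUN_AS_ROOT:-false}" "$rc")" in
        root)
            echo "WARNING: RUN_AS_ROOT=true, service keeps UID 0" >&2
            exec "$@" ;;
        setcap|drop)
            # util-linux su: args after "--" become $0 $1... of the -c shell
            exec su unifi -s /bin/sh -c 'exec "$0" "$@"' -- "$@" ;;
        abort)
            echo "ERROR: setcap failed (rc=$rc); the storage driver may not support xattrs (e.g. AUFS)." >&2
            echo "Fix the storage driver, or explicitly set RUN_AS_ROOT=true to accept running as root." >&2
            exit 1 ;;
    esac
}

# Usage as the container entrypoint (initially running as UID 0):
#   BIND_PRIV=true run_entrypoint /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java \
#       <unifi start command>
if [ "${1:-}" = "--run" ]; then
    shift
    run_entrypoint "$@"
fi
```

On the AUFS host shown in the thread, try_setcap returns 1 (setcap reports "Invalid argument" and getcap shows no capability), so with BIND_PRIV=true the script aborts with a pointed message; only RUN_AS_ROOT=true takes the root path, and it is logged so the reduced isolation is visible in the container output.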
