crash at start (Permission denied) #590

Open
flykoh opened this issue Nov 5, 2023 · 9 comments

flykoh commented Nov 5, 2023

What is the bug or the crash?

I am trying to spin up a container with this docker compose file:
```yaml
version: '3.9'
name: uals_gs

services:
  masterGs:
    image: kartoza/geoserver:2.24.0
    restart: on-failure
    ports:
      - "8091:8080"
    volumes:
      - "d:\\docker\\geoserver\\data_dir:/opt/geoserver/data_dir"
      - "d:\\docker\\geoserver\\extrafonts:/opt/fonts"
    environment:
      - GEOSERVER_ADMIN_USER=flykoh
      - GEOSERVER_ADMIN_PASSWORD=RTk%2iN2sfE3
      - STABLE_EXTENSIONS=css-plugin,sqlserver-plugin
      - BROKER_URL=tcp://0.0.0.0:61661
      - READONLY=disabled
      - CLUSTER_DURABILITY=false
      - CLUSTERING=True
      - TOGGLE_MASTER=true
      - TOGGLE_SLAVE=true
      - RANDOMSTRING=23bd87cfa327d47e-master
      - INSTANCE_STRING=ac3bcba2fa7d989678a01ef4facc4173010cd8b40d2e5f5a8d18d5f863ca976f-master
    healthcheck:
      test: "curl --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null -u flykoh:'RTk%2iN2sfE3' http://localhost:8080/geoserver/rest/about/version.xml"
      interval: 5m30s
      timeout: 10s
      retries: 3

  nodeN1:
    image: kartoza/geoserver:2.24.0
    restart: on-failure
    ports:
      - "8092:8080"
    volumes:
      - "d:\\docker\\geoserver\\data_dir:/opt/geoserver/data_dir"
      - "d:\\docker\\geoserver\\extrafonts:/opt/fonts"
    environment:
      - GEOSERVER_ADMIN_USER=flykoh
      - GEOSERVER_ADMIN_PASSWORD=RTk%2iN2sfE3
      - STABLE_EXTENSIONS=css-plugin,sqlserver-plugin
      - BROKER_URL=tcp://masterGs:61661
      - READONLY=disabled
      - CLUSTER_DURABILITY=false
      - CLUSTERING=True
      - TOGGLE_MASTER=true
      - TOGGLE_SLAVE=true
      - EMBEDDED_BROKER=disabled
      - RANDOMSTRING=23bd87cfa327d47e-node1
      - INSTANCE_STRING=ac3bcba2fa7d989678a01ef4facc4173010cd8b40d2e5f5a8d18d5f863ca976f-node1
    depends_on:
      masterGs:
        condition: service_started
    healthcheck:
      test: "curl --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null -u flykoh:'RTk%2iN2sfE3' http://localhost:8080/geoserver/rest/about/version.xml"
      interval: 5m30s
      timeout: 10s
      retries: 3

  nodeN2:
    image: kartoza/geoserver:2.24.0
    restart: on-failure
    ports:
      - "8093:8080"
    volumes:
      - "d:\\docker\\geoserver\\data_dir:/opt/geoserver/data_dir"
      - "d:\\docker\\geoserver\\extrafonts:/opt/fonts"
    environment:
      - GEOSERVER_ADMIN_USER=flykoh
      - STABLE_EXTENSIONS=css-plugin,sqlserver-plugin
      - BROKER_URL=tcp://masterGs:61661
      - READONLY=disabled
      - CLUSTER_DURABILITY=false
      - CLUSTERING=True
      - TOGGLE_MASTER=true
      - TOGGLE_SLAVE=true
      - EMBEDDED_BROKER=disabled
      - RANDOMSTRING=23bd87cfa327d47e-node2
      - INSTANCE_STRING=ac3bcba2fa7d989678a01ef4facc4173010cd8b40d2e5f5a8d18d5f863ca976f-node2
    depends_on:
      masterGs:
        condition: service_started
    healthcheck:
      test: "curl --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null -u flykoh:'RTk%2iN2sfE3' http://localhost:8080/geoserver/rest/about/version.xml"
      interval: 5m30s
      timeout: 10s
      retries: 3

  nodeN3:
    image: kartoza/geoserver:2.24.0
    restart: on-failure
    ports:
      - "8094:8080"
    volumes:
      - "d:\\docker\\geoserver\\data_dir:/opt/geoserver/data_dir"
      - "d:\\docker\\geoserver\\extrafonts:/opt/fonts"
    environment:
      - GEOSERVER_ADMIN_USER=flykoh
      - GEOSERVER_ADMIN_PASSWORD=RTk%2iN2sfE3
      - STABLE_EXTENSIONS=css-plugin,sqlserver-plugin
      - BROKER_URL=tcp://masterGs:61661
      - READONLY=disabled
      - CLUSTER_DURABILITY=false
      - CLUSTERING=True
      - TOGGLE_MASTER=true
      - TOGGLE_SLAVE=true
      - EMBEDDED_BROKER=disabled
      - RANDOMSTRING=23bd87cfa327d47e-node3
      - INSTANCE_STRING=ac3bcba2fa7d989678a01ef4facc4173010cd8b40d2e5f5a8d18d5f863ca976f-node3
    depends_on:
      masterGs:
        condition: service_started
    healthcheck:
      test: "curl --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null -u flykoh:'RTk%2iN2sfE3' http://localhost:8080/geoserver/rest/about/version.xml"
      interval: 5m30s
      timeout: 10s
      retries: 3
```
I got an error: Permission denied

Steps to reproduce the issue

2023-11-06 01:44:51 Enabling jms-cluster-plugin for GeoServer
2023-11-06 01:44:53 [Entrypoint] GENERATED tomcat PASSWORD: NYnVatBOUFzOTHHp9N
2023-11-06 01:44:54 /scripts/entrypoint.sh:57 0: CLUSTER_CONFIG_DIR=/opt/geoserver/data_dir/cluster/instance_23bd87cfa327d47e-master
2023-11-06 01:44:54 /scripts/entrypoint.sh:58 0: MONITOR_AUDIT_PATH=/opt/geoserver/data_dir/monitoring/monitor_23bd87cfa327d47e-master
2023-11-06 01:48:58 /opt/geoserver/data_dir/gwc is nested in /opt/geoserver/data_dir
2023-11-06 01:48:58 [0.003s][warning][gc,ergo] -XX:NewSize and -XX:MaxNewSize override -XX:NewRatio
2023-11-06 01:44:51 --2023-11-05 22:44:51-- https://download.jar-download.com/cache_jars/org.jdom/jdom2/2.0.6.1/jar_files.zip
2023-11-06 01:44:51 Resolving download.jar-download.com (download.jar-download.com)... 104.21.30.50, 172.67.150.151, 2606:4700:3032::ac43:9697, ...
2023-11-06 01:44:51 Connecting to download.jar-download.com (download.jar-download.com)|104.21.30.50|:443... connected.
2023-11-06 01:44:52 HTTP request sent, awaiting response... 404 Not Found
2023-11-06 01:44:52 2023-11-05 22:44:52 ERROR 404: Not Found.
2023-11-06 01:44:52
2023-11-06 01:48:58 NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
2023-11-06 01:49:02 05-Nov-2023 22:49:02.264 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/geoserver]
2023-11-06 01:49:24 05-Nov-2023 22:49:24.244 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
2023-11-06 01:49:27 2023-11-05 22:49:27,762 main ERROR RollingFileManager (/opt/geoserver/data_dir/cluster/instance_23bd87cfa327d47e-master/geoserver.log) java.io.FileNotFoundException: /opt/geoserver/data_dir/cluster/instance_23bd87cfa327d47e-master/geoserver.log (Permission denied) java.io.FileNotFoundException: /opt/geoserver/data_dir/cluster/instance_23bd87cfa327d47e-master/geoserver.log (Permission denied)
2023-11-06 01:49:43 org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'geoServerLoader' defined in URL [jar:file:/usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gs-main-2.24.0.jar!/applicationContext.xml]: Initialization of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'JMSReadOnlyGeoServerLoader': Unsatisfied dependency expressed through field 'config'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'JMSConfiguration': Invocation of init method failed; nested exception is java.lang.IllegalStateException: java.io.FileNotFoundException: /opt/geoserver/data_dir/cluster/instance_23bd87cfa327d47e-master/cluster.properties (Permission denied)

Versions

2.24.0

Additional context

No response

@NyakudyaA
Collaborator

Can you try to use docker volumes, or alternatively check the permissions for the mounted folders and change them per the documentation?

@KoenDierckx

We have run into the same issue.

Using this basic compose file:

version: '3.8'
services:
  geoserver:
    image: kartoza/geoserver:2.24.0
    ports:
      - 8080:8080
    volumes:
      - ./data_dir:/opt/geoserver/data_dir
    environment:
      - GEOSERVER_DATA_DIR=/opt/geoserver/data_dir

This compose file works as long as the local data_dir does not exist before starting the container.
It will break if the data_dir is pre-created, and we normally provision data directories.

NO DATA DIR

root@saskdp8dev:/tmp/geoserver# ls -aln
total 12
drwxr-xr-x  2 0 0 4096 Nov 14 08:54 .
drwxrwxrwt 14 0 0 4096 Nov 14 08:55 ..
-rw-r--r--  1 0 0  227 Nov 14 08:54 docker-compose.yml

root@saskdp8dev:/tmp/geoserver# docker compose up -d
[+] Running 2/2
 ⠿ Network geoserver_default        Created    0.2s
 ⠿ Container geoserver-geoserver-1  Started    0.6s

Files are owned by uid 1000

root@saskdp8dev:/tmp/geoserver# ls -aln data_dir/
total 48
drwxr-xr-x 7 1000 1000 4096 Nov 14 08:55 .
drwxr-xr-x 3    0    0 4096 Nov 14 08:55 ..
-rw-r--r-- 1 1000 1000  134 Nov 14 08:55 controlflow.properties
drwxr-xr-x 2 1000 1000 4096 Nov 14 08:55 gwc
-rw-r--r-- 1 1000 1000 1597 Nov 14 08:55 gwc-gs.xml
-rw-r--r-- 1 1000 1000  160 Nov 14 08:55 logging.xml
drwxr-xr-x 2 1000 1000 4096 Nov 14 08:55 logs
drwxr-xr-x 3 1000 1000 4096 Nov 14 08:55 monitoring
-rw-r--r-- 1 1000 1000   53 Nov 14 08:55 s3.properties
drwxr-xr-x 8 1000 1000 4096 Nov 14 08:55 security
-rw-r--r-- 1 1000 1000   19 Nov 14 08:55 tomcat_pass.txt
drwxr-xr-x 2 1000 1000 4096 Nov 14 08:55 user_projections

WITH DATA DIR

root@saskdp8dev:/tmp/geoserver# ls -aln
total 16
drwxr-xr-x  3    0    0 4096 Nov 14 08:58 .
drwxrwxrwt 14    0    0 4096 Nov 14 08:58 ..
drwxr-xr-x  2 1000 1000 4096 Nov 14 08:58 data_dir
-rw-r--r--  1    0    0  227 Nov 14 08:54 docker-compose.yml

root@saskdp8dev:/tmp/geoserver# docker compose up -d
[+] Running 2/2
 ⠿ Network geoserver_default        Created    0.3s
 ⠿ Container geoserver-geoserver-1  Started

Files are still owned by root

root@saskdp8dev:/tmp/geoserver# ls -aln data_dir/
total 48
drwxr-xr-x 7 1000 1000 4096 Nov 14 08:59 .
drwxr-xr-x 3    0    0 4096 Nov 14 08:58 ..
-rw-r--r-- 1    0    0  134 Nov 14 08:59 controlflow.properties
drwxr-xr-x 2    0    0 4096 Nov 14 08:59 gwc
-rw-r--r-- 1    0    0 1597 Nov 14 08:59 gwc-gs.xml
-rw-r--r-- 1    0    0  160 Nov 14 08:59 logging.xml
drwxr-xr-x 2    0    0 4096 Nov 14 08:59 logs
drwxr-xr-x 3    0    0 4096 Nov 14 08:59 monitoring
-rw-r--r-- 1    0    0   53 Nov 14 08:59 s3.properties
drwxr-xr-x 8    0    0 4096 Nov 14 08:59 security
-rw-r--r-- 1    0    0   19 Nov 14 08:59 tomcat_pass.txt
drwxr-xr-x 2    0    0 4096 Nov 14 08:59 user_projections

And will cause the permission denied errors while starting geoserver

@NyakudyaA
Collaborator

Two possible solutions

  • Try to set the GEOSERVER_UID, GEOSERVER_GID, USER and GROUP_NAME env variables and make sure your data directory is owned by this user.
  • Try running the container as root by setting RUN_AS_ROOT=TRUE; not recommended though, because of security implications.
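
A pre-flight check for the first suggestion above, as an added example that is not part of the original thread or the project's scripts: it lists every entry under a bind-mounted data directory whose numeric owner or group differs from the UID/GID the container is expected to run as. The function name `check_data_dir` and the default of 1000:1000 (the IDs that appear in the `ls -aln` listings in this thread) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the kartoza/docker-geoserver project.
# Verifies that a host directory bind-mounted as the GeoServer data dir is
# owned, all the way down, by the UID/GID given as GEOSERVER_UID/GEOSERVER_GID.

# check_data_dir DIR UID GID
#   returns 0 if every entry under DIR is owned by UID:GID
#   returns 1 and prints an `ls -dln` line for each mismatched entry
#   returns 2 if DIR does not exist
check_data_dir() {
    dir=$1
    uid=$2
    gid=$3

    if [ ! -d "$dir" ]; then
        echo "data dir does not exist: $dir" >&2
        return 2
    fi

    # find's -user/-group accept numeric IDs; the numeric listing matches
    # the `ls -aln` output format used elsewhere in this thread.
    bad=$(find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -exec ls -dln {} +)

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage: sh check_data_dir.sh ./data_dir 1000 1000
# 1000:1000 is an assumed default; pass the IDs set in the compose file.
if [ "$#" -gt 0 ]; then
    check_data_dir "$1" "${2:-1000}" "${3:-1000}"
fi
```

A non-zero exit before `docker compose up` points at the entries that a non-root GeoServer process will fail to write, without resorting to RUN_AS_ROOT.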

@flykoh
Author

flykoh commented Nov 14, 2023

> • RUN_AS_ROOT

How can I set run as root?

@KoenDierckx

Tried the env variables you suggested

version: '3.8'
services:
  geoserver:
    image: kartoza/geoserver:2.24.0
    ports:
      - 8080:8080
    volumes:
      - ./data_dir:/opt/geoserver/data_dir
    environment:
      - GEOSERVER_DATA_DIR=/opt/geoserver/data_dir
      - GEOSERVER_UID=1000
      - GEOSERVER_GID=1000
      - USER=vagrant
      - GROUP_NAME=vagrant

Created the data dir with the same user and group

# ls -aln
total 16
drwxr-xr-x  3    0    0 4096 Nov 14 15:04 .
drwxrwxrwt 14    0    0 4096 Nov 14 15:14 ..
drwxr-xr-x  7 1000 1000 4096 Nov 14 15:06 data_dir
-rw-r--r--  1    0    0  330 Nov 14 14:53 docker-compose.yml

# ls -al
total 16
drwxr-xr-x  3 root    root    4096 Nov 14 15:04 .
drwxrwxrwt 14 root    root    4096 Nov 14 15:14 ..
drwxr-xr-x  7 vagrant vagrant 4096 Nov 14 15:06 data_dir
-rw-r--r--  1 root    root     330 Nov 14 14:53 docker-compose.yml

But that gives the same error

... nested exception is java.lang.IllegalStateException: java.io.IOException: Permission denied

As all files are owned by root

# ls -al data_dir/
total 48
drwxr-xr-x 7 vagrant vagrant 4096 Nov 14 15:06 .
drwxr-xr-x 3 root    root    4096 Nov 14 15:04 ..
-rw-r--r-- 1 root    root     134 Nov 14 15:05 controlflow.properties
drwxr-xr-x 2 root    root    4096 Nov 14 15:05 gwc
-rw-r--r-- 1 root    root    1597 Nov 14 15:05 gwc-gs.xml
-rw-r--r-- 1 root    root     160 Nov 14 15:05 logging.xml
drwxr-xr-x 2 root    root    4096 Nov 14 15:05 logs
drwxr-xr-x 3 root    root    4096 Nov 14 15:05 monitoring
-rw-r--r-- 1 root    root      53 Nov 14 15:05 s3.properties
drwxr-x--- 2 vagrant vagrant 4096 Nov 14 15:06 styles
-rw-r--r-- 1 root    root      19 Nov 14 15:05 tomcat_pass.txt
drwxr-xr-x 2 root    root    4096 Nov 14 15:05 user_projections

I have the feeling the entrypoint scripts fail somewhere, but there is no logging, so it is hard to determine where it is failing.

@NyakudyaA
Collaborator

> • RUN_AS_ROOT
>
> How can I set run as root?

Just add the env

RUN_AS_ROOT=TRUE

@flykoh
Author

flykoh commented Nov 21, 2023

> • RUN_AS_ROOT
>
> How can I set run as root?
>
> Just add the env
>
> RUN_AS_ROOT=TRUE

In the docker image build file and rebuild a new custom image
or in docker compose

NyakudyaA added the bug label Nov 26, 2023
@oatnog

oatnog commented Oct 14, 2024

I'm seeing this using the helm chart and a provisioned existing data dir. Not sure what's going on--when I shell into the pod, I show up as root and can create files in the data dir.

@lucawen

lucawen commented Oct 15, 2024

> I'm seeing this using the helm chart and a provisioned existing data dir. Not sure what's going on--when I shell into the pod, I show up as root and can create files in the data dir.

I can confirm this problem. Right now, I'm using the application as root.
