fescobar/allure-docker-service

allure history

Jen-Persly opened this issue · 34 comments

docker logs -f allure_allure_1

Creating history on results directory...
mkdir: cannot create directory ‘/app/allure-results/history’: Permission denied
Copying history from previous results...
cp: cannot create directory '/app/allure-results/history': Permission denied
Generating report

@Jen-Persly Can you add more details? what is the command are you running?
Can you check if you have write permissions in your local allure-results? what directory are you mounting?

first docker-compose up -d allure
then docker-compose logs -f allure
then I found this on logs :

Creating history on results directory...
mkdir: cannot create directory ‘/app/allure-results/history’: Permission denied
Copying history from previous results...
cp: cannot create directory '/app/allure-results/history': Permission denied
Generating report

@Jen-Persly can you share your compose file section? the problem is the directory that you are mounting.

version: '3' services: allure: image: "frankescobar/allure-docker-service" environment: CHECK_RESULTS_EVERY_SECONDS: 1 KEEP_HISTORY: "TRUE" ports: - "4040:4040" - "5050:5050" volumes: - ${PWD}/allure-results:/app/allure-results

but if changes to version 2.12.1, it works

version: '3' services: allure: image: "frankescobar/allure-docker-service:2.12.1" environment: CHECK_RESULTS_EVERY_SECONDS: 1 KEEP_HISTORY: "TRUE" ports: - "4040:4040" - "5050:5050" volumes: - ${PWD}/allure-results:/app/allure-results

@Jen-Persly what version appears in the logs when it failed? remove your local latest version and try again without specifying the version.

@fescobar I think still failed.. I'm using 2.13.2

this is the complete log

`ALLURE_VERSION: 2.13.2
Generating default report
Overriding configuration
Checking Allure Results every 1 second/s
Generating report

  • Serving Flask app "app" (lazy loading)
  • Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  • Debug mode: off
  • Running on http://0.0.0.0:5050/ (Press CTRL+C to quit)
    Report successfully generated to allure-report
    127.0.0.1 - - [18/Mar/2020 10:42:46] "GET /emailable-report/render HTTP/1.1" 200 -
    Status: 200
    Detecting results changes...
    Creating history on results directory...
    mkdir: cannot create directory ‘/app/allure-results/history’: Permission denied
    Copying history from previous results...
    cp: cannot create directory '/app/allure-results/history': Permission denied
    Generating report
    Starting web server...`

@Jen-Persly can you tell me what is your current path ${PWD}/allure-results? Go to that directory, you don't have permission to create directories/files on that directory. Try changing the directory please.

volumes: - ${PWD}/allure-results:/app/allure-results

then I think there is no problem with permission on my machine

drwxr-xr-x 3 root root 4096 Mar 18 17:41 .
drwx------ 11 root root 4096 Mar 18 17:41 ..
drwxr-xr-x 2 root root 4096 Mar 18 17:42 allure-results
-rw-r--r-- 1 root root 285 Mar 18 17:41 docker-compose.yaml

@Jen-Persly root root that's the problem. You should never have ROOT user. In your case only the root user can create files/directories in allure-results directory.

@Jen-Persly Also only the owner of that directory (root) can create files.
https://chmod-calculator.com/
Screen Shot 2020-03-18 at 11 07 53 AM

@Jen-Persly Can I close this ticket?

We are having same problem.

We are logged in with root account and getting below message in terminal on centos 7 machine.

[root@demo ~]# docker run -p 4040:4040 -p 5050:5050 -e CHECK_RESULTS_EVERY_SECONDS=3 -e KEEP_HISTORY="TRUE" -v ${PWD}/allure-results:/app/allure-results frankescobar/allure-docker-service
ALLURE_VERSION: 2.13.2
Generating default report
Overriding configuration
Checking Allure Results every 3 second/s
Generating report

  • Serving Flask app "app" (lazy loading)
  • Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  • Debug mode: off
  • Running on http://0.0.0.0:5050/ (Press CTRL+C to quit)
    Report successfully generated to allure-report
    Detecting results changes...
    Creating history on results directory...
    mkdir: cannot create directory ‘/app/allure-results/history’: Permission denied
    Copying history from previous results...
    cp: cannot create directory '/app/allure-results/history': Permission denied
    Generating report....

We tried with another account using sudo and have same issue.

Kindly help.

@tecinnobiz it’s not a good practice to run docker container with root users. But did you try adding this to your command?
--user="$(id -u):$(id -g)"

References:

https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15

https://docs.docker.com/engine/reference/builder/#user

I did the following workaround to fix the problem:-

docker exec -u 0 -it 147ffff7ce8e /bin/bash
ls -la
chgrp -R allure allure-results
chown allure:allure allure-results
ls -la
mkdir history
chgrp -R allure history
chown allure:allure history

@tecinnobiz that is not the right way to handle that. Try the command what I suggested. It’s not an issue. It’s the way that docker works.

Yes, I am trying the solution proposed by you.

I understand your point. I tried but got the following error

[root@demo allure-docker-java-junit4-example]# docker run -p 4040:4040 -p 5050:5050 -e CHECK_RESULTS_EVERY_SECONDS=3 -e KEEP_HISTORY="TRUE" -v ${PWD}/allure-results:/app/allure-results frankescobar/allure-docker-service --user="$(id -u):$(id -g)" &
[1] 4422
[root@demo allure-docker-java-junit4-example]#
[root@demo allure-docker-java-junit4-example]# docker: Error response from daemon: OCI runtime create failed: container_linux.go:349: starting container process caused "exec: "--user=0:0": executable file not found in $PATH": unknown.
ERRO[0001] error waiting for container: context canceled

[1]+ Exit 127 docker run -p 4040:4040 -p 5050:5050 -e CHECK_RESULTS_EVERY_SECONDS=3 -e KEEP_HISTORY="TRUE" -v ${PWD}/allure-results:/app/allure-results frankescobar/allure-docker-service --user="$(id -u):$(id -g)"
[root@demo allure-docker-java-junit4-example]#

I will try to use docker from a non root user to avoid all this challenges.

@tecinnobiz not add that part at the end, the last part is for overriding the command to start that container.
Try at the beginning like this:

docker run --user="$(id -u):$(id -g)" -p 4040:4040 -p 5050:5050 -e CHECK_RESULTS_EVERY_SECONDS=3 -e KEEP_HISTORY="TRUE" -v ${PWD}/allure-results:/app/allure-results frankescobar/allure-docker-service

Or

docker run --user="1000:1000" -p 4040:4040 -p 5050:5050 -e CHECK_RESULTS_EVERY_SECONDS=3 -e KEEP_HISTORY="TRUE" -v ${PWD}/allure-results:/app/allure-results frankescobar/allure-docker-service

For docker-compose:
https://github.com/fescobar/allure-docker-service/blob/master/README.md#override-user-container

As a conclusion, you shouldn't use directories with root permissions. You have 2 options to do from your local machine:

  • Create the directory to mount with a non-root user.
  • Or change the owner of the directory to mount for a non-root user.

If you want to use the same user from the local machine in the container you need to pass --user="$(id -u):$(id -g)"

if you still using the root users. you can try like this @fescobar @tecinnobiz
docker-compose.yml

version: '3'
services:
  allure:
    image: "frankescobar/allure-docker-service"
    environment:
      CHECK_RESULTS_EVERY_SECONDS: 1
      KEEP_HISTORY: "TRUE"
    ports:
      - "4040:4040"
      - "5050:5050"
    volumes:
      - ${PWD}/allure-results:/app/allure-results
    user: ${CURRENT_UID}

run : 
`CURRENT_UID=$(id -u):$(id -g) docker-compose up -d`

Reference: 10 Docker Image Security Best Practices
https://snyk.io/blog/10-docker-image-security-best-practices/

2. Least privileged user

When a Dockerfile doesn’t specify a USER, it defaults to executing the container using the root user. In practice, there are very few reasons why the container should have root privileges. Docker defaults to running containers using the root user. When that namespace is then mapped to the root user in the running container, it means that the container potentially has root access on the Docker host. Having an application on the container run with the root user further broadens the attack surface and enables an easy path to privilege escalation if the application itself is vulnerable to exploitation.

To minimize exposure, opt-in to create a dedicated user and a dedicated group in the Docker image for the application; use the USER directive in the Dockerfile to ensure the container runs the application with the least privileged access possible.

A specific user might not exist in the image; create that user using the instructions in the Dockerfile.
The following demonstrates a complete example of how to do this for a generic Ubuntu image:

FROM ubuntu
RUN mkdir /app
RUN groupadd -r lirantal && useradd -r -s /bin/false -g lirantal lirantal
WORKDIR /app
COPY . /app
RUN chown -R lirantal:lirantal /app
USER lirantal
CMD node index.js

The example above:

  • creates a system user (-r), with no password, no home directory set, and no shell
  • adds the user we created to an existing group that we created beforehand (using groupadd)
  • adds a final argument set to the user name we want to create, in association with the group we created
KMA71 commented

Sorry for answering in the closed issue. But I don't understood one thing. I've changed only one string in my docker-compose:
from:

image: "frankescobar/allure-docker-service"

to

image: "frankescobar/allure-docker-service:2.12.1"

and error "cannot create directory ‘/app/allure-results/history’: Permission denied" has been disappeared. And history became available.
How does this relate to setting rights?
Thank you.

@KMA71 previous versions used to use root as user. Latest versions not use root user anymore. You should use 2.13.5 the latest one on that wat you can use new features like security and the new UI https://github.com/fescobar/allure-docker-service-ui

mhd-b commented

How can i override the user container in Openshift, if i dont have admin privilege to create a service account ? im getting the permission denied error as well

How can i override the user container in Openshift, if i dont have admin privilege to create a service account ? im getting the permission denied error as well

@mhd-b that is something that you have to check in OpenShift documentation. Docker and Kubernetes support that feature as native.

Did you try using user and group 1000 like here?
https://github.com/fescobar/allure-docker-service-examples/blob/master/allure-docker-kubernetes-example/allure-deployment.yml#L20
References:
https://docs.docker.com/engine/reference/run/#user
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

mhd-b commented

Yeah i have followed the deployment config and im getting this error :

pods "allure-deployment-74fc545d6c-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001460000, 1001469999] spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001460000, 1001469999]]

im unable to setup the container to be ran with Allure userid 1000 as this requires admin access, hope that there is a workaround?

Is it possible to change the ownership of the allure folders?

@mhd-b then Check how to pass your current user (user from the machine where you run the container).

@mhd-b I got it working by adding fsGroup: 1000 under spec:

So the securityContext becomes:

spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: allure
...

i shall raise a pull request to the code example

@mhd-b if you want to add your example, add it here https://github.com/fescobar/allure-docker-service-examples in beta branch.
Thank you.

mhd-b commented

@mhd-b I got it working by adding fsGroup: 1000 under spec:

So the securityContext becomes:

spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:

  • name: allure
    ...

i shall raise a pull request to the code example

I was able to fix the permission denied in Openshift by changing the ownership for the directories used by Allure.

The changed Dockerfile :

FROM frankescobar/allure-docker-service:2.13.6

USER root

RUN chown -R allure:root /app
&& chmod -R ug+rw /app

USER allure

////

Thanks @fescobar :)

it seems that the projects folder is still owned by root and thus creates the issue.

from inside the container running in AKS

image

So its not a configuration issue, it seems.

Check in EKS how to override the user

#108

My friend, you are making me run in circles.
I come from #108 and the issue that i am trying to show you clearly had problems with the projects folder.
This is not Cloud provider problem, it seems the projects folder is created by a root powered user.
Its only that folder out of all of them.

I tried reworking your docker img as mhd-b suggested but it still doesnt work.
Do you think you can make a docker img that works or should i fork ?

@peter-miroshnikov do whatever you want. This project is open source. Many people use this image without any problem.