failures deploying ethical hacker docker compose from `start_app` script - `chown: /var/lib/postgresql/data: Permission denied`
GangGreenTemperTatum opened this issue · 7 comments
howdy!
```
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ system_profiler SPSoftwareDataType SPHardwareDataType
Software:
    System Software Overview:
      System Version: macOS 14.3.1 (23D60)
      Kernel Version: Darwin 23.3.0
```
note: using colima (Mac OS container runtime) instead of Docker Desktop, following the instructions "Running the Application - Ethical Hackers Approach"
```
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ chmod +x ./start_app.sh
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo ./start_app.sh
WARN[0000] /Users/adam/git/Damn-Vulnerable-RESTaurant-API-Game/docker-compose.yml: `version` is obsolete
[+] Running 1/0
 ✔ Container damn-vulnerable-restaurant-api-game-db-1  Creat...                                                             0.0s
Attaching to db-1, web-1
db-1  | chown: /var/lib/postgresql/data: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)
```
this looks to be an issue with postgres and not necessarily this docker compose... i think the script requires updating to run elevated privileges on postgres, see:
any assistance much appreciated, tyia!
Hi @GangGreenTemperTatum,

thanks for raising the issue.

Could you verify if the following `docker-compose.yml` works for you? Please replace the current content with the following:
```yaml
services:
  web:
    build: .
    command: bash -c "alembic upgrade head && uvicorn main:app --host 0.0.0.0 --port 8080 --workers 1 --reload"
    volumes:
      - ./app/:/app/
      - /app/.venv
    ports:
      - 8080:8080
    depends_on:
      db:
        condition: service_healthy
    privileged: true
    cap_add:
      - SYS_ADMIN
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_SERVER=db
      - POSTGRES_PORT=5432
      - POSTGRES_DB=restaurant
  db:
    image: postgres:15.4-alpine
    volumes:
      - ./postgres_data:/var/lib/postgresql/data/
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=restaurant
      - PGDATA=/var/lib/postgresql/data/pgdata
    healthcheck:
      test: ["CMD", "sh", "-c", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 5s
      start_period: 5s
    expose:
      - 5432
```
I had the same issue and can confirm that cleaning `postgres_data` and changing the `docker-compose.yml` file solved the problem.
hey @theowni , thanks so much for the quick response! strongly assume this is me doing something wrong here...

i replaced the `docker-compose.yml` contents with the new code you kindly provided, but still getting the same error 🤔
```
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo ./start_app.sh
[+] Running 1/0
 ✔ Container damn-vulnerable-restaurant-api-game-db-1  Created                                                              0.0s
Attaching to db-1, web-1
db-1  | chown: /var/lib/postgresql/data/pgdata: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)
Gracefully stopping... (press Ctrl+C again to force)
```
i also tried (since i am using colima) to update the `./start_app.sh` script to include a prepended `sudo` to the docker command but no dice:
```bash
#!/bin/bash
mkdir -p postgres_data
sudo docker compose up $1
```
same results with `docker-compose`:
```
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker-compose up
[+] Running 1/0
 ✔ Container damn-vulnerable-restaurant-api-game-db-1  Created                                                              0.0s
Attaching to db-1, web-1
db-1  | chown: /var/lib/postgresql/data/pgdata: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker image ls
REPOSITORY                                TAG       IMAGE ID       CREATED        SIZE
damn-vulnerable-restaurant-api-game-web   latest    d6961fef2132   27 hours ago   343MB
aquasec/trivy                             0.10.0    0e282587eaed   3 years ago    65.2MB
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ ls -al
total 440
drwxr-xr-x   19 adam  staff     608  9 Apr 05:53 .
drwxr-xr-x  109 adam  staff    3488  9 Apr 05:29 ..
drwxr-xr-x   11 adam  staff     352  9 Apr 05:29 .git
drwxr-xr-x    3 adam  staff      96  9 Apr 05:29 .github
-rw-r--r--    1 adam  staff    3143  9 Apr 05:29 .gitignore
-rw-r--r--    1 adam  staff    1042  9 Apr 05:29 .pre-commit-config.yaml
-rw-r--r--    1 adam  staff    3210  9 Apr 05:29 CODE_OF_CONDUCT.md
-rw-r--r--    1 adam  staff    2340  9 Apr 05:29 CONTRIBUTING.md
-rw-r--r--    1 adam  staff    1079  9 Apr 05:29 Dockerfile
-rw-r--r--@   1 adam  staff   35148  9 Apr 05:29 LICENSE
-rw-r--r--    1 adam  staff    5859  9 Apr 05:29 README.md
drwxr-xr-x   13 adam  staff     416  9 Apr 05:29 app
-rwxr-xr-x    1 adam  staff     932 10 Apr 09:14 docker-compose.yml
-rw-r--r--    1 adam  staff  136586  9 Apr 05:29 poetry.lock
drwx------    3 adam  staff      96 10 Apr 09:15 postgres_data
-rw-r--r--    1 adam  staff     949  9 Apr 05:29 pyproject.toml
-rwxr-xr-x    1 adam  staff      62 10 Apr 09:16 start_app.sh
-rwxr-xr-x    1 adam  staff      75  9 Apr 05:29 start_game.sh
-rwxr-xr-x    1 adam  staff      33  9 Apr 06:36 stop_app.sh
```
anything i am doing obviously wrong here? tyia 🙏🏼
@laucer - apologies, what did you mean specifically here?

> that cleaning postgres_data
I discussed this one with @laucer and he deleted the `postgres_data` directory before launching the game with the modified docker-compose. So, @GangGreenTemperTatum, let's run the following commands and let me know what the output is:
```bash
docker compose down         # to tear down any running containers
sudo rm -rf postgres_data   # to remove directory with potentially "broken" permissions
# now, update the docker-compose if it's not updated
# and launch the app
./start_app.sh
```
ahhh i see, thanks again @theowni !
```
Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ ./start_app.sh
[+] Running 3/3
 ✔ Network damn-vulnerable-restaurant-api-game_default    Created                                                           0.1s
 ✔ Container damn-vulnerable-restaurant-api-game-db-1     Created                                                           0.0s
 ✔ Container damn-vulnerable-restaurant-api-game-web-1    Created                                                           0.7s
Attaching to db-1, web-1
db-1  | chown: /var/lib/postgresql/data/pgdata: Permission denied
db-1 exited with code 1
dependency failed to start: container damn-vulnerable-restaurant-api-game-db-1 exited (1)
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo ./start_app.sh
```
still getting the error unfortunately 🤔
Hi again @GangGreenTemperTatum,

I think I was able to reproduce the issue. The problem looks to be related to Colima. I used the following environment to reproduce the issue:

- MacOS Sonoma 14.1
- Colima version 0.6.8
- Docker version 24.0.7

It looks like Colima doesn't have proper permissions to your local directory to make changes in the directory. It's a kind of known issue which can be resolved in a non user-friendly way by modifying Colima configs. So, to make it more user-friendly, I modified `docker-compose.yml` to use named volumes instead of bind mounts. In this way, the database directory will still be persistent but in the directory managed by Docker (with proper permissions).

Here is the modified `docker-compose.yml`:
```yaml
services:
  web:
    build: .
    command: bash -c "alembic upgrade head && uvicorn main:app --host 0.0.0.0 --port 8080 --workers 1 --reload"
    volumes:
      - ./app/:/app/
      - /app/.venv
    ports:
      - 8080:8080
    depends_on:
      db:
        condition: service_healthy
    privileged: true
    cap_add:
      - SYS_ADMIN
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_SERVER=db
      - POSTGRES_PORT=5432
      - POSTGRES_DB=restaurant
  db:
    image: postgres:15.4-alpine
    volumes:
      - pg_volume:/var/lib/postgresql/data/
    environment:
      - POSTGRES_USER=admin
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=restaurant
      - PGDATA=/var/lib/postgresql/data/pgdata
    healthcheck:
      test: ["CMD", "sh", "-c", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 5s
      start_period: 5s
    expose:
      - 5432

volumes:
  pg_volume:
```
Update the `docker-compose.yml` content and run the commands:

```bash
docker compose down         # to tear down any running containers
sudo rm -rf postgres_data   # to remove the directory which won't be used anyway
./start_app.sh
```

I hope it will resolve the issue!
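The thread above boils down to one check: does the host directory behind a bind mount allow writes by the user the database runs as? A small pre-flight script can answer that before `docker compose up` fails with `chown: ... Permission denied`. The script below is an added example, not part of the Damn Vulnerable RESTaurant project; it models the two compose files from this thread as Python dicts (constructed inline, so no YAML parser is needed), distinguishes bind mounts from named volumes, and recreates the `drwx------ ... postgres_data` situation from the `ls -al` output in a temporary directory. It assumes the `postgres:15.4-alpine` image runs the server as uid/gid 70 (Alpine's packaged postgres account); change `POSTGRES_UID`/`POSTGRES_GID` if your image differs. It also surfaces the `privileged: true` / `SYS_ADMIN` settings on the `web` service, since those are worth knowing about before running the lab anywhere other than a throwaway machine.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Assumption: the postgres:*-alpine image runs as user "postgres", uid/gid 70.
POSTGRES_UID = 70
POSTGRES_GID = 70

# Constructed models of the two compose files from the thread (bind mount first,
# named volume second). Only the keys the check looks at are included.
BIND_MOUNT_COMPOSE: Dict = {
    "services": {
        "web": {"privileged": True, "cap_add": ["SYS_ADMIN"]},
        "db": {"image": "postgres:15.4-alpine",
               "volumes": ["./postgres_data:/var/lib/postgresql/data/"]},
    },
}
NAMED_VOLUME_COMPOSE: Dict = {
    "services": {
        "web": {"privileged": True, "cap_add": ["SYS_ADMIN"]},
        "db": {"image": "postgres:15.4-alpine",
               "volumes": ["pg_volume:/var/lib/postgresql/data/"]},
    },
    "volumes": {"pg_volume": {}},
}


def classify_volume(entry: str) -> Tuple[str, str, str]:
    """Split a short-syntax compose volume entry into (kind, source, target).

    kind is "bind" (host path), "named" (volume name) or "anonymous" (target only).
    """
    parts = entry.split(":")
    if len(parts) == 1:
        return "anonymous", "", parts[0]
    source, target = parts[0], parts[1]
    if source.startswith(("./", "../", "/", "~")):
        return "bind", source, target
    return "named", source, target


def host_dir_writable_by(path: str, uid: int, gid: int) -> bool:
    """Plain mode-bit check: may uid/gid write into path? Ignores ACLs and root."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def preflight(compose: Dict, project_dir: str,
              uid: int = POSTGRES_UID, gid: int = POSTGRES_GID) -> List[str]:
    """Return warnings for the db service's data mounts and the web service's privileges."""
    warnings: List[str] = []
    db = compose.get("services", {}).get("db", {})
    for entry in db.get("volumes", []):
        kind, source, target = classify_volume(entry)
        if kind != "bind" or not target.startswith("/var/lib/postgresql/data"):
            continue  # named/anonymous volumes are created by Docker with usable ownership
        host_path = source if os.path.isabs(source) else os.path.join(project_dir, source)
        if not os.path.isdir(host_path):
            warnings.append(f"bind mount {source} -> {target}: host directory missing")
        elif not host_dir_writable_by(host_path, uid, gid):
            warnings.append(f"bind mount {source} -> {target}: not writable by uid {uid}; "
                            "expect 'chown ... Permission denied' from the entrypoint")
    web = compose.get("services", {}).get("web", {})
    if web.get("privileged") or "SYS_ADMIN" in web.get("cap_add", []):
        warnings.append("web service is privileged / has CAP_SYS_ADMIN: run this lab only on a disposable host")
    return warnings


def demo() -> Tuple[List[str], List[str]]:
    """Recreate the thread's setup: a 0700 postgres_data directory owned by the local user."""
    with tempfile.TemporaryDirectory() as project_dir:
        data_dir = os.path.join(project_dir, "postgres_data")
        os.mkdir(data_dir)
        os.chmod(data_dir, 0o700)  # same as the 'drwx------' line in the issue's ls -al
        st = os.stat(data_dir)
        # pick a uid/gid that is guaranteed not to own the directory, so the demo
        # reproduces the mismatch regardless of who runs it
        uid = POSTGRES_UID if st.st_uid != POSTGRES_UID else POSTGRES_UID + 1
        gid = POSTGRES_GID if st.st_gid != POSTGRES_GID else POSTGRES_GID + 1
        bind_warnings = preflight(BIND_MOUNT_COMPOSE, project_dir, uid, gid)
        named_warnings = preflight(NAMED_VOLUME_COMPOSE, project_dir, uid, gid)
    return bind_warnings, named_warnings


if __name__ == "__main__":
    for label, ws in zip(("bind mount", "named volume"), demo()):
        print(f"{label}:")
        for w in ws:
            print("  -", w)
```

Running it prints a permission warning for the bind-mount variant and none for the named-volume variant (only the privileged-service note appears in both), which is exactly the difference the maintainer's second compose file exploits: Docker creates the named volume itself, so the entrypoint's `chown` succeeds no matter how the host directory would have been owned.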
hey @theowni , wow, thank you so much!! 🎉 so quick 👏🏼
```
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ sudo docker ps -a
Password:
CONTAINER ID   IMAGE                                     COMMAND                  CREATED          STATUS                    PORTS                                       NAMES
56f72be731de   damn-vulnerable-restaurant-api-game-web   "bash -c 'alembic up…"   26 seconds ago   Up 19 seconds             0.0.0.0:8080->8080/tcp, :::8080->8080/tcp   damn-vulnerable-restaurant-api-game-web-1
dce56440de69   postgres:15.4-alpine                      "docker-entrypoint.s…"   26 seconds ago   Up 25 seconds (healthy)   5432/tcp                                    damn-vulnerable-restaurant-api-game-db-1
➜ Damn-Vulnerable-RESTaurant-API-Game git:(main) ✗ curl http://localhost:8080/docs
<!DOCTYPE html>
<html>
<head>
<link type="text/css" rel="stylesheet" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css">
<link rel="shortcut icon" href="https://fastapi.tiangolo.com/img/favicon.png">
<title>Damn Vulnerable RESTaurant - Swagger UI</title>
```
👌🏼👌🏼👌🏼👌🏼👌🏼👌🏼