[Fedore-CoreOS]Installation fail, no access to files in /etc/* #1505

Closed
DutchmanNL opened this issue Jun 7, 2022 · 16 comments
@DutchmanNL

Version

22.5

Steps to Reproduce

  • install fedora core OS
  • clone the GitHub repository (tried to do that in /tmp / home/>user< and opt both (clone always works)
  • running the install script ./install
  • installation fails, 2 issues can be mentioned
  1. during install the error
▶ Ensuring Relay credentials ...
Creating ../relay/config.yml...
Pulling relay ... 
Pulling relay ... pulling from getsentry/relay
Pulling relay ... digest: sha256:6f72c6534fbed7b564...
Pulling relay ... status: image is up to date for g...
Pulling relay ... done
Creating network "sentry-self-hosted_default" with the default driver
Creating sentry-self-hosted_relay_run ... 
Creating sentry-self-hosted_relay_run ... done
2022-06-07T14:26:29Z [relay_config::config] INFO: generating new relay credentials
Creating sentry-self-hosted_relay_run ... 
Creating sentry-self-hosted_relay_run ... done
2022-06-07T14:26:30Z [relay_log::utils] ERROR: no stored credentials
1
Failed to create relay credentials in ../relay/credentials.json.
--- credentials.json v ---------------------------------------
{"secret_key":"*******","public_key":"*******","id":"*******"}
--- credentials.json ^ ---------------------------------------
  2. re-running ./install.sh fails with error (ClickHouse is not coming up due to file permission issues):
6. BaseDaemon::reloadConfiguration() @ 0x9157010 in /usr/bin/clickhouse
7. BaseDaemon::initialize(Poco::Util::Application&) @ 0x91597d2 in /usr/bin/clickhouse
8. DB::Server::initialize(Poco::Util::Application&) @ 0x8f96458 in /usr/bin/clickhouse
9. Poco::Util::Application::run() @ 0x10457659 in /usr/bin/clickhouse
10. DB::Server::run() @ 0x8f96045 in /usr/bin/clickhouse
11. mainEntryClickHouseServer(int, char**) @ 0x8f8ce23 in /usr/bin/clickhouse
12. main @ 0x8ee8799 in /usr/bin/clickhouse
13. __libc_start_main @ 0x21b97 in /lib/x86_64-linux-gnu/libc-2.27.so
14. _start @ 0x8ee802e in /usr/bin/clickhouse
 (version 20.3.9.70 (official build))
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml (version 20.3.9.70 (official build))
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml (version 20.3.9.70 (official build))
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml (version 20.3.9.70 (official build))
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml (version 20.3.9.70 (official build))
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml (version 20.3.9.70 (official build))
dirname: missing operand
Try 'dirname --help' for more information.
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml (version 20.3.9.70 (official build))
dirname: missing operand
Try 'dirname --help' for more information.
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml (version 20.3.9.70 (official build))
Processing configuration file '/etc/clickhouse-server/config.xml'.
Poco::Exception. Code: 1000, e.code() = 13, e.displayText() = Access to file denied: /etc/clickhouse-server/config.d/sentry.xml, Stack trace (when copying this message, always include the lines below):
0. Poco::FileAccessDeniedException::FileAccessDeniedException(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, int) @ 0x105400e0 in /usr/bin/clickhouse
1. Poco::FileImpl::handleLastErrorImpl(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) @ 0x1054aa30 in /usr/bin/clickhouse
2. ? @ 0x1054afcd in /usr/bin/clickhouse
3. DB::ConfigProcessor::getConfigMergeFiles(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) @ 0xdef7a3b in /usr/bin/clickhouse
4. DB::ConfigProcessor::processConfig(bool*, zkutil::ZooKeeperNodeCache*, std::__1::shared_ptr<Poco::Event> const&) @ 0xdef8557 in /usr/bin/clickhouse
5. DB::ConfigProcessor::loadConfig(bool) @ 0xdef9e97 in /usr/bin/clickhouse
6. BaseDaemon::reloadConfiguration() @ 0x9157010 in /usr/bin/clickhouse
7. BaseDaemon::initialize(Poco::Util::Application&) @ 0x91597d2 in /usr/bin/clickhouse
8. DB::Server::initialize(Poco::Util::Application&) @ 0x8f96458 in /usr/bin/clickhouse
9. Poco::Util::Application::run() @ 0x10457659 in /usr/bin/clickhouse
10. DB::Server::run() @ 0x8f96045 in /usr/bin/clickhouse
11. mainEntryClickHouseServer(int, char**) @ 0x8f8ce23 in /usr/bin/clickhouse
12. main @ 0x8ee8799 in /usr/bin/clickhouse
13. __libc_start_main @ 0x21b97 in /lib/x86_64-linux-gnu/libc-2.27.so
14. _start @ 0x8ee802e in /usr/bin/clickhouse
 (version 20.3.9.70 (official build))

Expected Result

Successful installation on Fedora CoreOS

Actual Result

  1. during install the error
  2. re-running ./install.sh fails with error (ClickHouse is not coming up due to file permission issues):
@DutchmanNL DutchmanNL changed the title [Fedore-CoreOS]Installation files, no access to files in /etc/* [Fedore-CoreOS]Installation fail, no access to files in /etc/* Jun 7, 2022
@aminvakil
Collaborator

AFAIR Fedora CoreOS's filesystem is read-only after booting up and is more suitable for stateless applications (I'm not completely sure about this, so please correct me if I'm wrong).

Scripts in this repository create docker volumes which get created by default in /var/lib/docker, so you may have a problem writing in that directory (you may change default docker folder though).

Is there a specific necessity to use Fedora CoreOS for this?

@DutchmanNL
Author

> Is there a specific necessity to use Fedora CoreOS for this

Yup, basically Fedora Core OS is the best way of having a docker-only core system; it reduces all overhead from other instances and allows automated management and deployment.

That’s also the reason why there is an RO file system only, as the best practice is to use docker volumes for storing data.

So from that setup, having bindings is not the proper way of handling data.

Is there any reason why we map the data here instead of creating a volume? The install script would still be able to create volumes and push data into them, which could be used across the related docker containers?

@DutchmanNL
Author

> Scripts in this repository create docker volumes which get created by default in /var/lib/docker, so you may have a problem writing in that directory (you may change default docker folder though).

To add: no, this is not the case; all docker volumes are created just fine. The problems are the bindings we use in /etc/, which are not accessible by the docker engine. So moving all data which currently has a binding would solve this behaviour.

@aminvakil
Collaborator

> That’s also the reason why there is an RO file system only, as the best practice is to use docker volumes for storing data.

Using volumes instead of bind mounts is not always the best scenario IMO.

> > Scripts in this repository create docker volumes which get created by default in /var/lib/docker, so you may have a problem writing in that directory (you may change default docker folder though).
>
> To add: no, this is not the case; all docker volumes are created just fine. The problems are the bindings we use in /etc/, which are not accessible by the docker engine. So moving all data which currently has a binding would solve this behaviour.

In some cases we use bind mounts, but they mount the files in the self-hosted directory into different containers.

For example looking into this issue case (clickhouse):

    volumes:
      - "sentry-clickhouse:/var/lib/clickhouse"
      - "sentry-clickhouse-log:/var/log/clickhouse-server"
      - type: bind
        read_only: true
        source: ./clickhouse/config.xml
        target: /etc/clickhouse-server/config.d/sentry.xml

So as you can see, sentry is not trying to mount anything from /etc/, but mounting into /etc/ in the container, so you may want to investigate further what other restrictions you are facing with Fedora CoreOS.

Also a couple of other bind mounts:

    - "./sentry:/etc/sentry"
    - "./geoip:/geoip:ro"
    - "./certificates:/usr/local/share/ca-certificates:ro"
        source: ./postgres/
        target: /opt/sentry/
        source: ./symbolicator
        target: /etc/symbolicator
        source: ./relay
        target: /work/.relay
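
Added example, not part of the thread or of the self-hosted repository: a small Python check for the distinction drawn in the comment above, separating named volumes from bind mounts and reporting whether each bind mount's host-side source lies under the project checkout or under the host's /etc. The project path `/opt/self-hosted` and the `/etc/localtime` entry are constructed for illustration; the other entries are the ones quoted above, gathered into one list and assumed already loaded from YAML.

```python
import posixpath

# Volume entries quoted in the comment above (short and long compose syntax).
PAGE_VOLUMES = [
    "sentry-clickhouse:/var/lib/clickhouse",
    "sentry-clickhouse-log:/var/log/clickhouse-server",
    {"type": "bind", "read_only": True,
     "source": "./clickhouse/config.xml",
     "target": "/etc/clickhouse-server/config.d/sentry.xml"},
    "./sentry:/etc/sentry",
    "./geoip:/geoip:ro",
    "./certificates:/usr/local/share/ca-certificates:ro",
]

# Constructed contrast case: a bind mount whose *host* source is under /etc.
CONSTRUCTED_HOST_ETC = "/etc/localtime:/etc/localtime:ro"


def parse_volume(entry):
    """Normalise one `volumes:` item to kind/source/target/read_only."""
    if isinstance(entry, dict):  # long syntax
        return {
            "kind": entry.get("type", "volume"),
            "source": entry.get("source"),
            "target": entry["target"],
            "read_only": bool(entry.get("read_only", False)),
        }
    parts = entry.split(":")  # short syntax: SOURCE:TARGET[:OPTIONS]
    if len(parts) == 1:  # anonymous volume, container path only
        return {"kind": "volume", "source": None,
                "target": parts[0], "read_only": False}
    source, target = parts[0], parts[1]
    options = parts[2].split(",") if len(parts) > 2 else []
    # In short syntax a source that looks like a path is a host bind mount;
    # a bare name refers to a named volume.
    kind = "bind" if source.startswith((".", "/", "~")) else "volume"
    return {"kind": kind, "source": source, "target": target,
            "read_only": "ro" in options}


def audit(volumes, project_dir):
    """Resolve the host side of every bind mount relative to project_dir."""
    root = posixpath.normpath(project_dir)
    rows = []
    for entry in volumes:
        row = parse_volume(entry)
        if row["kind"] == "bind":
            src = row["source"]
            # "~" is left unexpanded: the home directory is not known here.
            host = src if src.startswith("~") else posixpath.normpath(
                posixpath.join(root, src))
            row["host_path"] = host
            row["inside_project"] = host == root or host.startswith(root + "/")
            row["host_etc"] = host == "/etc" or host.startswith("/etc/")
        rows.append(row)
    return rows


def host_etc_binds(rows):
    """Bind mounts that read from the host's own /etc."""
    return [r for r in rows if r["kind"] == "bind" and r["host_etc"]]


def writable_binds(rows):
    """Bind mounts the container may write through to the host."""
    return [r for r in rows if r["kind"] == "bind" and not r["read_only"]]


if __name__ == "__main__":
    for r in audit(PAGE_VOLUMES + [CONSTRUCTED_HOST_ETC], "/opt/self-hosted"):
        if r["kind"] == "bind":
            print(f'bind   {r["host_path"]} -> {r["target"]} '
                  f'ro={r["read_only"]} host_etc={r["host_etc"]}')
        else:
            print(f'volume {r["source"]} -> {r["target"]}')
```
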

@DutchmanNL
Author

> Using volumes instead of bind mounts is not always the best scenario IMO.

Agree, but on fedora there is no way around it, as the docker service has no access to the file system (which is security-wise a perfect solution).

Please also have a further look: the etc directory’s created by the script on a regular installation, which is impossible on fedora.

My suggestion would be that the installation script creates a config volume for this situation, which would make the bindings not needed anymore and comply with the basic root setup of a secure docker root host.

Imagine an administrator can add any bind he wants at the root system, an unwanted situation for scaling.

In general, I think having a proper solution for this kind of setup would be very beneficial for the whole sentry community, as fedora is the leading, docker-only main system which allows very easy no-touch deployment & zero-touch maintenance (the whole host manages itself and only provides docker environments).

As I am a security engineer, I am happy to assist/think or discuss this further, but due to my missing knowledge of sentry itself it’s hard to define the solution by myself.

One thing, as an example, I would like to try is removing all the binds and making that central volume which will take over the binds.
Would be happy to help/investigate, but having a small group of people knowing the setup/brainstorming about a solution would support that process.

@aminvakil
Collaborator

> Agree, but on fedora there is no way around it, as the docker service has no access to the file system (which is security-wise a perfect solution).

Fedora or Fedora CoreOS? I haven't used Fedora for the past couple of years, but I don't think Fedora has the same restrictions as Fedora CoreOS has.

> Please also have a further look: the etc directory’s created by the script on a regular installation, which is impossible on fedora.

Please read my comment again, self-hosted is not creating any directory inside host /etc directory.

> My suggestion would be that the installation script creates a config volume for this situation, which would make the bindings not needed anymore and comply with the basic root setup of a secure docker root host.
>
> Imagine an administrator can add any bind he wants at the root system, an unwanted situation for scaling.
>
> In general, I think having a proper solution for this kind of setup would be very beneficial for the whole sentry community, as fedora is the leading, docker-only main system which allows very easy no-touch deployment & zero-touch maintenance (the whole host manages itself and only provides docker environments).

(resisting to get into distro wars... 😅 )

> As I am a security engineer, I am happy to assist/think or discuss this further, but due to my missing knowledge of sentry itself it’s hard to define the solution by myself.
>
> One thing, as an example, I would like to try is removing all the binds and making that central volume which will take over the binds. Would be happy to help/investigate, but having a small group of people knowing the setup/brainstorming about a solution would support that process.

I don't think having a couple of bind mounts (some of which are files shipped from git and/or created by ./install.sh different scripts) is a security flaw which moving them into docker volumes prevents.

What do you propose for files shipped from git if we move to docker volumes?

@DutchmanNL
Author

DutchmanNL commented Jun 12, 2022

> Fedora or Fedora CoreOS? I haven't used Fedora for the past couple of years, but I don't think Fedora has the same restrictions as Fedora CoreOS has.

Fedora-Core OS is my current focus, sorry but no experience with fedora itself :)

> Please read my comment again, self-hosted is not creating any directory inside host /etc directory.

Understood, it's part of the git clone folder structure.

> resisting to get into distro wars

😆 😆 😆

> What do you propose for files shipped from git if we move to docker volumes?

I think moving to docker volumes would mean we have to change the way/mindset how to manage/maintain containing files.
Suggestion: we can use a simple docker container (like the alpine ones) which just provides vi/nano & git, allowing us to maintain the content.

Accessing the structure then could be achieved by running the container as run exec nano /xxx//file or accessing the terminal of this docker container.
This container only needs to run when making changes, so even the just run/remove after flag could be used, as we mount a persistent volume which would not be deleted.

@aminvakil
Collaborator

> > What do you propose for files shipped from git if we move to docker volumes?
>
> I think moving to docker volumes would mean we have to change the way/mindset how to manage/maintain containing files. Suggestion: we can use a simple docker container (like the alpine ones) which just provides vi/nano & git, allowing us to maintain the content.
>
> Accessing the structure then could be achieved by running the container as run exec nano /xxx//file or accessing the terminal of this docker container. This container only needs to run when making changes, so even the just run/remove after flag could be used, as we mount a persistent volume which would not be deleted.

Sorry, but I don't think this is worth the effort.

AFAIK Fedora CoreOS is not designed to run install scripts (like install.sh and other scripts in install folder) after it's booted and running anyway and you should just run containers (with or without volumes attached to it) on it.

@DutchmanNL
Author

> AFAIK Fedora CoreOS is not designed to run install scripts (like install.sh and other scripts in install folder) after it's booted and running anyway and you should just run containers (with or without volumes attached to it) on it.

Hmm, I do not agree; running install scripts works fine also on fedora-core, also used by other processes.
The challenge is mapping of the data; the install script still can run as normal, it just has to take care of moving the git data related items to a volume instead of binding, which always can be achieved with the root account.

> Sorry, but I don't think this is worth the effort.

Of course I cannot judge that, but I can imagine that maybe also in other distros it could become an issue in the long term, and still fedora-core is the most lightweight and easiest to manage distro (regarding updates/deployment) among the available OSes out there.

@aminvakil
Collaborator

@DutchmanNL I'm against this change myself, but I'm not a maintainer in this repository.

We can wait for a maintainer to see their opinions.

cc @chadwhitacre

@chadwhitacre
Member

Oh wow I missed a lot here. 😬

I'm digging out of an inbox pile right now, I will circle back and digest this when I can ...

@DutchmanNL
Author

> Oh wow I missed a lot here. 😬
>
> I'm digging out of an inbox pile right now, I will circle back and digest this when I can ...

no worries take your time :), happy to chat/interact if there are open questions or items :)

@github-actions

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

@DutchmanNL
Copy link
Author

No stale please @chadwhitacre :)

@emmatyping
Contributor

I am planning on re-writing our installer based on several requests e.g. #999 and #369

I will try to keep configuration of where mounts go in mind when working on this, but I don't think we will want to make a volume for configs by default.

@emmatyping closed this as not planned Jul 15, 2022
@chadwhitacre
Member

@ethanhs Should we start a meta-ticket for the installer rewrite to keep track?

No longer stale here though not what you had in mind @DutchmanNL sorry 😅

@github-actions github-actions bot locked and limited conversation to collaborators Jul 31, 2022