I started Mattermost with docker compose.
My version is 7.1.5.
I exec into the container via the command “docker exec -it container-id /bin/bash”.
When I want to run a simple command or install with apt, I get a permission error,
and I don’t have the password for su root.
So, what is the root password of the Mattermost container?
agriesser
(Alexander Griesser)
February 27, 2023, 7:04am
2
Hi @farhaadn and welcome to the Mattermost forums!
When you run the docker exec command as root, you should also be root inside the container. Did you try that?
Yes, I tried that, but even with the root user I can't get any package:
root@45768021acf7:/mattermost# apt update
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
rm: cannot remove ‘/var/cache/apt/archives/partial/*.deb’: Permission denied
Reading package lists… Done
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (1: Operation not permitted)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
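EPERM from setgroups, seteuid and chown for a uid 0 process, as in the apt output above, usually points to missing Linux capabilities (CAP_SETGID, CAP_SETUID, CAP_CHOWN) rather than a wrong user. The following is an added example, not part of the original posts: it decodes a CapEff mask from /proc/<pid>/status and lists which of the capabilities relevant to apt, ping and iptables are absent. The function names and the two sample masks are constructed for illustration, and whether dropped capabilities are the cause in this poster's setup is an assumption.

```shell
#!/bin/sh
# Added example: decode a Linux capability mask (the CapEff line of
# /proc/<pid>/status) and report which capabilities needed by apt
# (chown/setgid/setuid), ping (net_raw) and iptables (net_admin) are absent.

# Capability bit numbers from <linux/capability.h>.
CAP_LIST="CAP_CHOWN:0 CAP_SETGID:6 CAP_SETUID:7 CAP_NET_ADMIN:12 CAP_NET_RAW:13"

# has_cap MASK_HEX BIT -> exit status 0 if that bit is set in the mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps MASK_HEX -> prints the names of absent capabilities,
# space-separated, in CAP_LIST order (empty output if none are missing).
missing_caps() {
    out=""
    for entry in $CAP_LIST; do
        name=${entry%%:*}
        bit=${entry##*:}
        has_cap "$1" "$bit" || out="$out $name"
    done
    echo "${out# }"
}

# current_mask -> effective capability mask inherited from this shell (Linux).
current_mask() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Constructed sample masks (not taken from the thread):
DOCKER_DEFAULT=00000000a80425fb   # Docker's default capability set for root
ALL_DROPPED=0000000000000000      # e.g. cap_drop: ALL, or a non-root user

echo "docker default, missing: $(missing_caps "$DOCKER_DEFAULT")"
echo "all dropped,    missing: $(missing_caps "$ALL_DROPPED")"
if [ -r /proc/self/status ]; then
    echo "this shell,     missing: $(missing_caps "$(current_mask)")"
fi
```

Run inside the container, the last line shows what the exec'd shell actually holds; an empty list there means the apt failures have another cause, such as a read-only filesystem.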
agriesser
(Alexander Griesser)
February 27, 2023, 8:12am
4
The directories might be read only depending on your configuration. What additional tools do you want to install in the container? What is it exactly that you’re trying to achieve here?
lsof, tcpdump and iptables packages
I want to check the traffic
agriesser
(Alexander Griesser)
February 27, 2023, 9:01am
6
You can not install iptables inside a docker container, since it does not have access to the iptables anyways.
All connections from a docker container are visible on the host on the outside, so you should use these tools on your linux host and not inside the container.
What about lsof and tcpdump?
I can run it in a container and I have it in other containers.
agriesser
(Alexander Griesser)
February 27, 2023, 9:34am
8
Yes, you can - but all of this information is also available on the outside and whenever you update the container, the additional tools will be removed again and you have to reinstall them then.
It is not good practice to install tools inside the docker image once it’s running, you could modify the docker file to create a new customized container image which also includes these tools.
Another alternative would be to map a statically compiled version of busybox f.ex. into the container. This would then allow you to run some common debugging commands directly from within the container:
# docker exec -u root -ti 98505b225dd4 /bin/bash
root@98505b225dd4:/mattermost# busybox netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 98505b225dd4:58696 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:36328 mm-770-postgres-1.mm-770_default:5432 TIME_WAIT
tcp 0 0 98505b225dd4:58712 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:34114 server-18-66-97-125.fra56.r.cloudfront.net:443 ESTABLISHED
tcp 0 0 98505b225dd4:58680 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:40220 server-18-66-112-60.fra56.r.cloudfront.net:443 ESTABLISHED
tcp 0 0 98505b225dd4:58738 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:58692 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:33942 server-13-32-121-69.fra60.r.cloudfront.net:443 ESTABLISHED
tcp 0 0 98505b225dd4:36336 mm-770-postgres-1.mm-770_default:5432 TIME_WAIT
tcp 0 0 localhost:35868 localhost:8065 TIME_WAIT
tcp 0 0 98505b225dd4:58704 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:41040 server-18-66-97-74.fra56.r.cloudfront.net:443 ESTABLISHED
tcp 0 0 98505b225dd4:58728 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:58758 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp 0 0 98505b225dd4:58748 mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 62486324 /tmp/plugin2943161274
unix 3 [ ] STREAM CONNECTED 62486310
unix 3 [ ] STREAM CONNECTED 62485360
unix 3 [ ] STREAM CONNECTED 62485344
unix 3 [ ] STREAM CONNECTED 62486312 /tmp/plugin4011823926
unix 3 [ ] STREAM CONNECTED 62485369 /tmp/plugin2211775106
unix 3 [ ] STREAM CONNECTED 62486337
unix 3 [ ] STREAM CONNECTED 62486338 /tmp/plugin1169520782
unix 3 [ ] STREAM CONNECTED 62485328
unix 3 [ ] STREAM CONNECTED 62485368
unix 3 [ ] STREAM CONNECTED 62485315 /tmp/plugin471179159
unix 3 [ ] STREAM CONNECTED 62485361 /tmp/plugin1627926240
To do that, you can install the busybox-static package on your host system (or compile your own statically linked busybox binary with all the tools you need) and map it into the container by modifying the volumes in your docker-compose.yml file (see last line of the volumes section):
volumes:
  - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
  - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
  - ${MATTERMOST_LOGS_PATH}:/mattermost/logs:rw
  - ${MATTERMOST_PLUGINS_PATH}:/mattermost/plugins:rw
  - ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw
  - ${MATTERMOST_BLEVE_INDEXES_PATH}:/mattermost/bleve-indexes:rw
  - /bin/busybox:/bin/busybox:ro
YiruChen
(Yiru Chen)
April 18, 2023, 3:45am
10
Hello,
I would appreciate some guidance on how to install nslookup in a container and configure additional hosts in the docker-compose.yml file, as shown below:
extra_hosts:
  - "mattermost:xx.xx.xx.xx"
Unfortunately, I encountered an error in the docker logs that reads: /bin/sh: couldn't get address for 'mattermost': not found.
Would you be able to kindly suggest a solution to address this issue? Thank you.
agriesser
(Alexander Griesser)
April 18, 2023, 4:10am
11
Hi,
the busybox binary also includes an nslookup applet, so the instructions above can be used to also get nslookup in your container, you just need to call it like this then:
# busybox nslookup
BusyBox v1.30.1 (Debian 1:1.30.1-6+b3) multi-call binary.
Usage: nslookup [-type=QUERY_TYPE] [-debug] HOST [DNS_SERVER]
Query DNS about HOST
QUERY_TYPE: soa,ns,a,aaaa,cname,mx,txt,ptr,any
The extra_hosts section you posted is syntactically correct:
mattermost:
  [...]
  volumes:
    [...]
    - /bin/busybox:/bin/busybox:ro
  extra_hosts:
    - "somehost:1.2.3.4"
This will add the busybox binary to the container and also create the hosts file entry:
# docker exec -ti mm-770-mattermost-1 busybox ping somehost
PING somehost (1.2.3.4): 56 data bytes
ping: permission denied (are you root?)
# docker exec -ti mm-770-mattermost-1 busybox nslookup mattermost.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1:53
Non-authoritative answer:
Name: mattermost.com
Address: 141.193.213.20
Name: mattermost.com
Address: 141.193.213.21
Non-authoritative answer:
YiruChen
(Yiru Chen)
April 18, 2023, 6:45am
12
Hi @agriesser, is it possible to use nslookup without busybox?
agriesser
(Alexander Griesser)
April 18, 2023, 7:07am
13
Yes, but only, if you statically link it, so you would have to grab the source for this binary and compile it on your own and create a static binary without dependencies.
If you just copy over the nslookup binary into your container, it will be missing lots of its dependencies:
# ldd $(which nslookup)
linux-vdso.so.1 (0x00007ffc4e950000)
libedit.so.2 => /usr/lib/x86_64-linux-gnu/libedit.so.2 (0x00007f1b327a5000)
libdns-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libdns-9.16.37-Debian.so (0x00007f1b3256c000)
libirs-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libirs-9.16.37-Debian.so (0x00007f1b3255f000)
libbind9-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libbind9-9.16.37-Debian.so (0x00007f1b32548000)
libisccfg-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libisccfg-9.16.37-Debian.so (0x00007f1b32511000)
libisc-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libisc-9.16.37-Debian.so (0x00007f1b32489000)
libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f1b32466000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1b32444000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b3226f000)
libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1b32240000)
libbsd.so.0 => /usr/lib/x86_64-linux-gnu/libbsd.so.0 (0x00007f1b32229000)
libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f1b321d6000)
libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f1b320fa000)
libfstrm.so.0 => /usr/lib/x86_64-linux-gnu/libfstrm.so.0 (0x00007f1b320ed000)
libmaxminddb.so.0 => /usr/lib/x86_64-linux-gnu/libmaxminddb.so.0 (0x00007f1b320e6000)
liblmdb.so.0 => /usr/lib/x86_64-linux-gnu/liblmdb.so.0 (0x00007f1b320cf000)
libprotobuf-c.so.1 => /usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1 (0x00007f1b320c4000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1b320be000)
/lib64/ld-linux-x86-64.so.2 (0x00007f1b32807000)
libns-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libns-9.16.37-Debian.so (0x00007f1b32070000)
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1b31fdd000)
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1b31ce8000)
libjson-c.so.5 => /usr/lib/x86_64-linux-gnu/libjson-c.so.5 (0x00007f1b31cd5000)
libuv.so.1 => /usr/lib/x86_64-linux-gnu/libuv.so.1 (0x00007f1b31ca5000)
libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f1b31af7000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1b31ad8000)
libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f1b31956000)
libmd.so.0 => /usr/lib/x86_64-linux-gnu/libmd.so.0 (0x00007f1b31949000)
libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f1b31919000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f1b31913000)
libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f1b31902000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f1b318fb000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f1b318e1000)
libicuuc.so.67 => /usr/lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007f1b316f8000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1b316d0000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1b3158a000)
libicudata.so.67 => /usr/lib/x86_64-linux-gnu/libicudata.so.67 (0x00007f1b2fa71000)
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1b2f8a4000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1b2f88a000)
If you really want to do that, you will need to make sure that you also mount all these libraries into your container (at least the ones that are missing). Busybox behaves better in this regard.
Is there any specific reason why you need the original nslookup binary out of the bind9-dnsutils package?