Shell root password

I started Mattermost with Docker Compose.
My version is 7.1.5.
I exec into the container via the command “docker exec -it container-id /bin/bash”.
When I want to run a simple command or install with apt, I get a permission error,
and I don’t have the password for su root.

So, what is the root password of the Mattermost container?

Hi @farhaadn and welcome to the Mattermost forums!

When you run the docker exec command as root, you should also be root inside the container. Did you try that?

Yes, I tried that, but even as the root user I can’t get any packages.

root@45768021acf7:/mattermost# apt update
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
rm: cannot remove ‘/var/cache/apt/archives/partial/*.deb’: Permission denied
Reading package lists… Done
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (1: Operation not permitted)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
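
The `setgroups`, `setegid`, `seteuid` and `chown` calls in the output above fail with "Operation not permitted" even for uid 0, which is what a root process sees when the matching Linux capabilities are missing from its effective set. That this container runs with capabilities dropped is an assumption, not something the thread states. The following is an added example, not code from the thread or from Mattermost; it decodes the `CapEff` mask from `/proc/self/status`, and the two sample masks are constructed:

```shell
#!/bin/sh
# Capability bit numbers as defined in linux/capability.h.
#   CHOWN=0     change file ownership (apt's chown to _apt)
#   SETGID=6    setgroups(2) / setegid(2)
#   SETUID=7    seteuid(2)
#   NET_RAW=13  raw and packet sockets (tcpdump, ping)
CHECKED_CAPS="CHOWN:0 SETGID:6 SETUID:7 NET_RAW:13"

# missing_caps MASK_HEX: print the checked capabilities absent from the mask.
missing_caps() {
    mask=$1
    out=""
    for entry in $CHECKED_CAPS; do
        name=${entry%%:*}
        bit=${entry##*:}
        # Shift the wanted bit down to position 0 and test it.
        if [ $(( (0x$mask >> bit) & 1 )) -eq 0 ]; then
            out="$out CAP_$name"
        fi
    done
    echo "${out# }"
}

# current_capeff: effective capability mask of the calling process tree.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks: Docker's default capability set, and the same
# set with CAP_SETGID and CAP_SETUID (bits 6 and 7) cleared.
DEFAULT_MASK=00000000a80425fb
NO_SETID_MASK=00000000a804253b

echo "default set is missing:  [$(missing_caps "$DEFAULT_MASK")]"
echo "no-setid set is missing: [$(missing_caps "$NO_SETID_MASK")]"

# Report on the environment this script runs in, if procfs exposes CapEff.
cur=$(current_capeff 2>/dev/null || true)
if [ -n "$cur" ]; then
    echo "this process is missing: [$(missing_caps "$cur")]"
fi
```

Run inside the container as root, an empty result means the four capabilities are present and the cause lies elsewhere; a non-empty result names what the container was started without.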

The directories might be read only depending on your configuration. What additional tools do you want to install in the container? What is it exactly that you’re trying to achieve here?

lsof, tcpdump and iptables packages
I want to check the traffic

You cannot install iptables inside a Docker container, since it does not have access to iptables anyway.
All connections from a Docker container are visible on the host on the outside, so you should use these tools on your Linux host and not inside the container.

What about lsof and tcpdump?
I can run them in a container and I have them in other containers.

Yes, you can, but all of this information is also available on the outside, and whenever you update the container, the additional tools will be removed again and you will have to reinstall them.
It is not good practice to install tools inside the Docker image once it’s running; you could modify the Dockerfile to create a new customized container image which also includes these tools.
Another alternative would be to map a statically compiled version of busybox, for example, into the container. This would then allow you to run some common debugging commands directly from within the container:

# docker exec -u root -ti 98505b225dd4 /bin/bash
root@98505b225dd4:/mattermost# busybox netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 98505b225dd4:58696      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:36328      mm-770-postgres-1.mm-770_default:5432 TIME_WAIT
tcp        0      0 98505b225dd4:58712      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:34114      server-18-66-97-125.fra56.r.cloudfront.net:443 ESTABLISHED
tcp        0      0 98505b225dd4:58680      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:40220      server-18-66-112-60.fra56.r.cloudfront.net:443 ESTABLISHED
tcp        0      0 98505b225dd4:58738      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:58692      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:33942      server-13-32-121-69.fra60.r.cloudfront.net:443 ESTABLISHED
tcp        0      0 98505b225dd4:36336      mm-770-postgres-1.mm-770_default:5432 TIME_WAIT
tcp        0      0 localhost:35868         localhost:8065          TIME_WAIT
tcp        0      0 98505b225dd4:58704      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:41040      server-18-66-97-74.fra56.r.cloudfront.net:443 ESTABLISHED
tcp        0      0 98505b225dd4:58728      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:58758      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
tcp        0      0 98505b225dd4:58748      mm-770-postgres-1.mm-770_default:5432 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  3      [ ]         STREAM     CONNECTED     62486324 /tmp/plugin2943161274
unix  3      [ ]         STREAM     CONNECTED     62486310
unix  3      [ ]         STREAM     CONNECTED     62485360
unix  3      [ ]         STREAM     CONNECTED     62485344
unix  3      [ ]         STREAM     CONNECTED     62486312 /tmp/plugin4011823926
unix  3      [ ]         STREAM     CONNECTED     62485369 /tmp/plugin2211775106
unix  3      [ ]         STREAM     CONNECTED     62486337
unix  3      [ ]         STREAM     CONNECTED     62486338 /tmp/plugin1169520782
unix  3      [ ]         STREAM     CONNECTED     62485328
unix  3      [ ]         STREAM     CONNECTED     62485368
unix  3      [ ]         STREAM     CONNECTED     62485315 /tmp/plugin471179159
unix  3      [ ]         STREAM     CONNECTED     62485361 /tmp/plugin1627926240

To do that, you can install the busybox-static package on your host system (or compile your own statically linked busybox binary with all the tools you need) and map it into the container by modifying the volumes in your docker-compose.yml file (see the last line of the volumes section):

    volumes:
      - ${MATTERMOST_CONFIG_PATH}:/mattermost/config:rw
      - ${MATTERMOST_DATA_PATH}:/mattermost/data:rw
      - ${MATTERMOST_LOGS_PATH}:/mattermost/logs:rw
      - ${MATTERMOST_PLUGINS_PATH}:/mattermost/plugins:rw
      - ${MATTERMOST_CLIENT_PLUGINS_PATH}:/mattermost/client/plugins:rw
      - ${MATTERMOST_BLEVE_INDEXES_PATH}:/mattermost/bleve-indexes:rw
      - /bin/busybox:/bin/busybox:ro

Thank you, it’s useful.

Hello,

I would appreciate some guidance on how to install nslookup in a container and configure additional hosts in the docker-compose.yml file, as shown below:

extra_hosts:
  - "mattermost:xx.xx.xx.xx"

Unfortunately, I encountered an error in the docker logs that reads: /bin/sh: couldn't get address for 'mattermost': not found.

Would you be able to kindly suggest a solution to address this issue? Thank you.

Hi,

The busybox binary also includes an nslookup applet, so the instructions above can also be used to get nslookup in your container; you just need to call it like this:

# busybox nslookup
BusyBox v1.30.1 (Debian 1:1.30.1-6+b3) multi-call binary.

Usage: nslookup [-type=QUERY_TYPE] [-debug] HOST [DNS_SERVER]

Query DNS about HOST

QUERY_TYPE: soa,ns,a,aaaa,cname,mx,txt,ptr,any

The extra_hosts section you posted is syntactically correct:

  mattermost:
    [...]
    volumes:
      [...]
      - /bin/busybox:/bin/busybox:ro
    extra_hosts:
      - "somehost:1.2.3.4"

This will add the busybox binary to the container and also create the hosts file entry:

# docker exec -ti mm-770-mattermost-1 busybox ping somehost
PING somehost (1.2.3.4): 56 data bytes
ping: permission denied (are you root?)

# docker exec -ti mm-770-mattermost-1 busybox nslookup mattermost.com 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1:53

Non-authoritative answer:
Name:   mattermost.com
Address: 141.193.213.20
Name:   mattermost.com
Address: 141.193.213.21

Non-authoritative answer:

Hi @agriesser, Is it possible to use nslookup without busybox?

Yes, but only if you statically link it, so you would have to grab the source for this binary, compile it on your own and create a static binary without dependencies.
If you just copy the nslookup binary over into your container, it will be missing lots of its dependencies:

# ldd $(which nslookup)
        linux-vdso.so.1 (0x00007ffc4e950000)
        libedit.so.2 => /usr/lib/x86_64-linux-gnu/libedit.so.2 (0x00007f1b327a5000)
        libdns-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libdns-9.16.37-Debian.so (0x00007f1b3256c000)
        libirs-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libirs-9.16.37-Debian.so (0x00007f1b3255f000)
        libbind9-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libbind9-9.16.37-Debian.so (0x00007f1b32548000)
        libisccfg-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libisccfg-9.16.37-Debian.so (0x00007f1b32511000)
        libisc-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libisc-9.16.37-Debian.so (0x00007f1b32489000)
        libidn2.so.0 => /usr/lib/x86_64-linux-gnu/libidn2.so.0 (0x00007f1b32466000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f1b32444000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b3226f000)
        libtinfo.so.6 => /lib/x86_64-linux-gnu/libtinfo.so.6 (0x00007f1b32240000)
        libbsd.so.0 => /usr/lib/x86_64-linux-gnu/libbsd.so.0 (0x00007f1b32229000)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f1b321d6000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f1b320fa000)
        libfstrm.so.0 => /usr/lib/x86_64-linux-gnu/libfstrm.so.0 (0x00007f1b320ed000)
        libmaxminddb.so.0 => /usr/lib/x86_64-linux-gnu/libmaxminddb.so.0 (0x00007f1b320e6000)
        liblmdb.so.0 => /usr/lib/x86_64-linux-gnu/liblmdb.so.0 (0x00007f1b320cf000)
        libprotobuf-c.so.1 => /usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1 (0x00007f1b320c4000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1b320be000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1b32807000)
        libns-9.16.37-Debian.so => /usr/lib/x86_64-linux-gnu/libns-9.16.37-Debian.so (0x00007f1b32070000)
        libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f1b31fdd000)
        libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f1b31ce8000)
        libjson-c.so.5 => /usr/lib/x86_64-linux-gnu/libjson-c.so.5 (0x00007f1b31cd5000)
        libuv.so.1 => /usr/lib/x86_64-linux-gnu/libuv.so.1 (0x00007f1b31ca5000)
        libxml2.so.2 => /usr/lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f1b31af7000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1b31ad8000)
        libunistring.so.2 => /usr/lib/x86_64-linux-gnu/libunistring.so.2 (0x00007f1b31956000)
        libmd.so.0 => /usr/lib/x86_64-linux-gnu/libmd.so.0 (0x00007f1b31949000)
        libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f1b31919000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f1b31913000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f1b31902000)
        libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f1b318fb000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f1b318e1000)
        libicuuc.so.67 => /usr/lib/x86_64-linux-gnu/libicuuc.so.67 (0x00007f1b316f8000)
        liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1b316d0000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f1b3158a000)
        libicudata.so.67 => /usr/lib/x86_64-linux-gnu/libicudata.so.67 (0x00007f1b2fa71000)
        libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f1b2f8a4000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f1b2f88a000)

If you really want to do that, you will need to make sure that you also mount all these libraries into your container (at least the ones that are missing). Busybox behaves better in this regard.

Is there any specific reason why you need the original nslookup binary out of the bind9-dnsutils package?
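
A pre-flight check for the situation described above, as an added example that is not part of the original thread: it reads `ldd` output, tells a static binary from a dynamic one, and turns each resolved library into a read-only bind-mount line in the style of the `volumes` section shown earlier. The function names are hypothetical and the sample input is a constructed, shortened form of the `ldd` listing above.

```shell
#!/bin/sh
# ldd_libs: read `ldd` output on stdin, print one resolved path per line.
# The vDSO line carries no path and is skipped; the dynamic loader line has
# no "=>" and is recognised by its leading "/".
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        NF == 2 && $1 ~ /^\//    { print $1 }
    '
}

# ldd_unresolved: names that ldd could not resolve ("=> not found").
ldd_unresolved() {
    awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# is_static: succeed when ldd reports no dynamic dependencies at all.
is_static() {
    grep -Eq 'not a dynamic executable|statically linked'
}

# compose_volumes: library paths on stdin -> read-only bind-mount entries.
compose_volumes() {
    while IFS= read -r lib; do
        printf '      - %s:%s:ro\n' "$lib" "$lib"
    done
}

# Constructed sample input (last line added to show an unresolved library).
SAMPLE_LDD='        linux-vdso.so.1 (0x00007ffc4e950000)
        libedit.so.2 => /usr/lib/x86_64-linux-gnu/libedit.so.2 (0x00007f1b327a5000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1b3226f000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f1b32807000)
        libexample.so.1 => not found'

if printf '%s\n' "$SAMPLE_LDD" | is_static; then
    echo "static binary: a single bind mount is enough"
else
    printf '%s\n' "$SAMPLE_LDD" | ldd_libs | compose_volumes
    printf '%s\n' "$SAMPLE_LDD" | ldd_unresolved | sed 's/^/unresolved: /'
fi
```

Filter the generated list against what the container already provides before adding mounts: replacing the container's own libc or loader with the host's copy affects every other binary in it.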