
Rootless container failing on startup on SELinux system #1174

Open
1 of 2 tasks
josh-hemphill opened this issue Aug 23, 2024 · 2 comments

Comments

@josh-hemphill

josh-hemphill commented Aug 23, 2024

Describe the current behavior

Applying the same SELinux file permissions applied to other rootless containers, the grist container stops after printing an unhelpful TLS error during startup.

Steps to reproduce

  1. Configure a grist container with the GRIST_DOCKER_USER and GRIST_DOCKER_GROUP flags set to the same user as flags to set the run-as, and add the :Z flag on any volumes (ensures the container gets singular ownership, and avoids other SELinux issues when sharing between multiple containers)
  2. Use the podman unshare or equivalent to find or set the file permissions to own or have permissions for the UID/GID from the container namespace (from the local perspective it will show a much higher UID/GID number which corresponds to the lower UID/GID number inside the container namespace)
  3. Run it and it should crash.

The resulting error:

```
Error: connect ECONNREFUSED ::1:443
    at TCPConnectWrap.afterConnect [as oncomplete] (node:net:1555:16) {
  errno: -111,
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '::1',
  port: 443
}
```

It prints after `debug: skipping incomplete language ...` has been printed a few times.

Describe the expected behavior

Either running or printing a more helpful error

Where have you encountered this bug?

Instance information (when self-hosting only)

  • Grist instance:
    • Version: latest (confirmed 1.1.17)
    • Installation mode: podman (docker compatible backend) (I don't have compose files because I exported the containers to kube yaml files)
    • Architecture: single-worker
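Step 2 of the report relies on knowing which host UID a container UID maps to in a rootless Podman user namespace. The script below is an added example, not part of the issue or of Grist; it reproduces that mapping from `/etc/subuid`-style ranges (container UID 0 maps to the user's own UID, container UIDs 1..N map to the subordinate ranges in order) so the volume owner can be set to the right host UID before applying the `:Z` relabel. The user names, UIDs and subuid ranges in it are constructed sample data, and the function name `host_uid_for` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the issue): compute the host UID that a rootless
# Podman container's UID is mapped to, so volume ownership can be fixed
# without guessing. Rootless Podman maps container UID 0 to the user's own
# UID and container UIDs 1..N to the user's subordinate ranges from
# /etc/subuid, concatenated in file order.

# Constructed sample of /etc/subuid content (assumed for this example only).
SAMPLE_SUBUID='josh:100000:65536
josh:200000:1000
alice:165536:65536'

# host_uid_for <user> <host_uid_of_user> <container_uid> [subuid_content]
# Prints the host UID that owns files created by <container_uid> inside the
# rootless container; prints nothing and returns 1 if the UID is outside
# every subordinate range for that user.
host_uid_for() {
    user=$1; own_uid=$2; cuid=$3; content=${4:-$SAMPLE_SUBUID}
    if [ "$cuid" -eq 0 ]; then
        # Container root is the unprivileged user on the host.
        echo "$own_uid"
        return 0
    fi
    printf '%s\n' "$content" | awk -F: -v u="$user" -v c="$cuid" '
        $1 == u {
            start = $2 + 0; count = $3 + 0
            # Container UID 1 maps to the first subordinate UID of the
            # first range; later ranges continue where the previous ended.
            if (c >= 1 && c <= count) { print start + c - 1; found = 1; exit }
            c -= count
        }
        END { exit found ? 0 : 1 }'
}

# Demo: a container configured to run as UID 1001 (the value one would pass
# as GRIST_DOCKER_USER) needs its volume owned by this host UID.
demo_uid=$(host_uid_for josh 1000 1001) && \
    echo "container UID 1001 -> host UID $demo_uid"
```

Once the host UID is known, the volume directory can be chowned to it from the host, or to the container UID from inside the namespace with `podman unshare chown`; the `:Z` label on the volume is a separate, SELinux-only step that does not change ownership.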
@Spoffy
Contributor

Spoffy commented Sep 10, 2024

Hey @josh-hemphill - are you using any custom SELinux policies for your containers?

At a glance, I'm wondering if one of the health checks (or similar) is failing on startup due to Grist not having the right policy set to allow it to connect to :443?

Or maybe a tighter firewall setup on Fedora?

I can have a look into this, although my SELinux + Fedora knowledge is pretty limited! 🙂

@josh-hemphill
Author

Nothing custom, this was a fresh install of Fedora. I tried looking up anything I could find about container networking on Fedora/RHEL, and all I could find is stuff talking about exposing ports, which seems to work fine; I can't find anything about outbound traffic being affected. 🤔
