
gosu failing under Proxmox 7 LXC #624

Open
SuperDarius-git opened this issue Nov 23, 2024 · 8 comments

Comments

@SuperDarius-git

SuperDarius-git commented Nov 23, 2024

Good day

Let's start at the beginning:
I am using a Proxmox server and created an LXC container with Ubuntu 22.04. On that container, I installed AzuraCast with their Docker install script. Everything worked well for a very long time, then I updated to the latest release and the following happened when updating, installing, and even reinstalling from scratch on a brand new LXC container. One note: the Proxmox server was on version 7 something, which was already no longer supported. I installed a different Proxmox on a test machine, but this time the latest version 8 something. Everything worked perfectly with the new test machine.

These are the logs for the installation of AzuraCast on the version 7 Proxmox LXC container:

** Running startup script '/etc/my_init.d/00_disable_mariadb.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/00_disable_redis.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/00_setup_user.sh'...

usermod: no changes

Docker 'azuracast' User UID: 1000

Docker 'azuracast' User GID: 1000

** Startup script complete.

** Running startup script '/etc/my_init.d/01_self_signed_ssl.sh'...

Generating self-signed certificate...

.....+...+..+.+...+...........+.+..+...+..........+........+..........+..+...+......+..........+...+......+..+....+...+.....+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+.+..+...+.+...+.....+...+...+....+........+............+............+...+......+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+........+....+........+....+.....+....+..+...+....+........+............+......+.........+..........+..+................+..+..........+.....+...+...+..........+...........+....+..+....+...+..+.........+.+......+...+..+....+...+..+.........+......+....+.........+.....+......+.......+........+......+...+.+..+....+.........+......+...+.................+...+................+......+.....+.+..+...+....+...+...+...+..+..........+.......................+....+...+...+....................+......+.........+......+......+..........+...+.....+........................+...+...+.......+..+......+.+......+...+.....+.......+..+......+.+.....+......+..........+.....+.........+.+..+.......+...+............+.........+.........+...+..+.+......+.....+.........+......+......+....+...+...........+....+...+............+......+.....+..........+.....+.......+..............+.+...+...........+.+.....+...+.+.....+.............+........+............+.+..+...+.........+...+.......+.....................+.....+....+..+.+..+..........+..+......+.......+.....+...+............+.+......+...........+...+.......+...+......+.....+.+..+.+..+....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

.+......+.....+..........+...+.....+...+.........+...............+....+..+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+.+.....+...+.+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.+...+........+.........+....+..............+.+..+.......+..+....+......+.........+.....+....+..+................+..+.+..+.......+...+..+...+...+............+...+.......+.....+.........+..........+...+.....+.+.....+..........+.................+.......+........+...+.+......+........+......+...................+.....+.......+........+.+.....+.+........+.+......+...............+............+...+...+..+.........+.+.....+.......+......+......+..............+.+.....+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-----

** Startup script complete.

** Running startup script '/etc/my_init.d/02_install_extra_packages.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/03_persist_dir.sh'...

Creating persist directories...

** Startup script complete.

** Running startup script '/etc/my_init.d/04_mariadb_conf.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/05_centrifugo_conf.sh'...

** Startup script complete.

** Running startup script '/etc/my_init.d/05_nginx_conf.sh'...

Installing Nginx bot blocker...



Creating directory: /etc/nginx/bots.d



REPO = https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master



Downloading [FROM]=>  [REPO]/conf.d/globalblacklist.conf            [TO]=>  /etc/nginx/conf.d/globalblacklist.conf...OK

Downloading [FROM]=>  [REPO]/conf.d/botblocker-nginx-settings.conf  [TO]=>  /etc/nginx/conf.d/botblocker-nginx-settings.conf...OK



REPO = https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master



Downloading [FROM]=>  [REPO]/bots.d/blockbots.conf              [TO]=>  /etc/nginx/bots.d/blockbots.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/ddos.conf                   [TO]=>  /etc/nginx/bots.d/ddos.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/custom-bad-referrers.conf   [TO]=>  /etc/nginx/bots.d/custom-bad-referrers.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/bad-referrer-words.conf     [TO]=>  /etc/nginx/bots.d/bad-referrer-words.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/blacklist-ips.conf          [TO]=>  /etc/nginx/bots.d/blacklist-ips.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/blacklist-user-agents.conf  [TO]=>  /etc/nginx/bots.d/blacklist-user-agents.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/whitelist-domains.conf      [TO]=>  /etc/nginx/bots.d/whitelist-domains.conf...OK

Downloading [FROM]=>  [REPO]/bots.d/whitelist-ips.conf          [TO]=>  /etc/nginx/bots.d/whitelist-ips.conf...OK



REPO = https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master



Downloading [FROM]=>  [REPO]/setup-ngxblocker      [TO]=>  /usr/local/sbin/setup-ngxblocker...OK

Downloading [FROM]=>  [REPO]/update-ngxblocker     [TO]=>  /usr/local/sbin/update-ngxblocker...OK

WARN: /usr/local/sbin/setup-ngxblocker optionally requires: 'dig' => cannot whitelist public ip address.

Checking url: https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/include_filelist.txt



INFO:      /etc/nginx/conf.d/* detected               => /etc/nginx/nginx.conf

inserting: include /etc/nginx/bots.d/blockbots.conf;  => /etc/nginx/sites-available/default.vhost

inserting: include /etc/nginx/bots.d/ddos.conf;       => /etc/nginx/sites-available/default.vhost

Manual Whitelist: changelog.md    => /etc/nginx/bots.d/whitelist-domains.conf



Checking for missing includes:



Checking url: https://raw.githubusercontent.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/master/include_filelist.txt



Nothing to update for directory: /etc/nginx/conf.d

Nothing to update for directory: /etc/nginx/bots.d

Nothing to update for directory: /usr/local/sbin

Setting mode: 700 => /usr/local/sbin/install-ngxblocker

Setting mode: 700 => /usr/local/sbin/setup-ngxblocker

Setting mode: 700 => /usr/local/sbin/update-ngxblocker

** Startup script complete.

** Running startup script '/etc/my_init.d/05_setup_db.sh'...

2024-11-13 14:10:22+00:00 [Note] [Entrypoint]: Initial DB setup...

2024-11-13 14:10:22+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'

Here it just stopped and nothing else happened.

I created an issue on the AzuraCast GitHub page:
AzuraCast/AzuraCast#7553

I then upgraded the Proxmox server to the latest version 8, but still no fix.

I am now trying to install AVideo on another LXC Ubuntu 24 container. Here is the Docker Compose file:


services:
  avideo:
    build:
      context: .
      args:
        SOCKET_PORT: ${SOCKET_PORT}
        HTTP_PORT: ${HTTP_PORT}
        HTTPS_PORT: ${HTTPS_PORT}
        DB_MYSQL_HOST: ${DB_MYSQL_HOST}
        DB_MYSQL_PORT: ${DB_MYSQL_PORT}
        DB_MYSQL_NAME: ${DB_MYSQL_NAME}
        DB_MYSQL_USER: ${DB_MYSQL_USER}
        DB_MYSQL_PASSWORD: ${DB_MYSQL_PASSWORD}
        SERVER_NAME: ${SERVER_NAME}
        ENABLE_PHPMYADMIN: ${ENABLE_PHPMYADMIN}
        PHPMYADMIN_PORT: ${PHPMYADMIN_PORT}
        PHPMYADMIN_ENCODER_PORT: ${PHPMYADMIN_ENCODER_PORT}
        CREATE_TLS_CERTIFICATE: ${CREATE_TLS_CERTIFICATE}
        TLS_CERTIFICATE_FILE: ${TLS_CERTIFICATE_FILE}
        TLS_CERTIFICATE_KEY: ${TLS_CERTIFICATE_KEY}
        CONTACT_EMAIL: ${CONTACT_EMAIL}
        SYSTEM_ADMIN_PASSWORD: ${SYSTEM_ADMIN_PASSWORD}
        WEBSITE_TITLE: ${WEBSITE_TITLE}
        MAIN_LANGUAGE: ${MAIN_LANGUAGE}
    restart: "unless-stopped"
    environment:
      SOCKET_PORT: ${SOCKET_PORT:-2053}
      HTTP_PORT: ${HTTP_PORT:-80}
      HTTPS_PORT: ${HTTPS_PORT:-443}
      DB_MYSQL_HOST: "${DB_MYSQL_HOST:-database}"
      DB_MYSQL_PORT: ${DB_MYSQL_PORT:-3306}
      DB_MYSQL_NAME: "${DB_MYSQL_NAME:-avideo}"
      DB_MYSQL_USER: "${DB_MYSQL_USER:-avideo}"
      DB_MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD:-avideo}"
      SERVER_NAME: "${SERVER_NAME:-localhost}"
      ENABLE_PHPMYADMIN: "${ENABLE_PHPMYADMIN:-yes}"
      PHPMYADMIN_PORT: ${PHPMYADMIN_PORT:-8081}
      PHPMYADMIN_ENCODER_PORT: ${PHPMYADMIN_ENCODER_PORT:-8082}
      CREATE_TLS_CERTIFICATE: "${CREATE_TLS_CERTIFICATE:-yes}"
      TLS_CERTIFICATE_FILE: "${TLS_CERTIFICATE_FILE:-/etc/apache2/ssl/localhost.crt}"
      TLS_CERTIFICATE_KEY: "${TLS_CERTIFICATE_KEY:-/etc/apache2/ssl/localhost.key}"
      CONTACT_EMAIL: "${CONTACT_EMAIL:-admin@localhost}"
      SYSTEM_ADMIN_PASSWORD: "${SYSTEM_ADMIN_PASSWORD:-password}"
      WEBSITE_TITLE: "${WEBSITE_TITLE:-AVideo}"
      MAIN_LANGUAGE: "${MAIN_LANGUAGE:-en_US}"
      NGINX_RTMP_PORT: "${NGINX_RTMP_PORT:-1935}"
      NGINX_HTTP_PORT: "${NGINX_HTTP_PORT:-8080}"
      NGINX_HTTPS_PORT: "${NGINX_HTTPS_PORT:-8443}"
      MEMCACHED_HOST: memcached
    env_file:
      - .env
    ports:
      - "${SOCKET_PORT:-2053}:${SOCKET_PORT:-2053}"
      - "${HTTP_PORT:-80}:80"
      - "${HTTPS_PORT:-443}:443"
    volumes:
      - "./.compose/HLS:/HLS"
      - "./:/var/www/html/AVideo"
      - "./.compose/videos:/var/www/html/AVideo/videos"
      - "./.compose/encoder:/var/www/html/AVideo/Encoder"
      - "./.compose/letsencrypt:/etc/letsencrypt/"
    depends_on:
      database:
        condition: service_healthy
      database_encoder:
        condition: service_healthy
      memcached:
        condition: service_started
    healthcheck:
      test: ["CMD-SHELL", "curl --silent --fail http://localhost || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "${CPUS_LIMIT:-3}"
          memory: "${MEMORY_LIMIT:-8G}"
        reservations:
          cpus: "${CPUS_LIMIT:-1}"
          memory: "${MEMORY_LIMIT:-2G}"
    networks:
      - app_net

  live:
    build: 
      context: .
      dockerfile: Dockerfile.live
    restart: "unless-stopped"
    volumes:
      - "./.compose/HLS:/HLS"
      - "./.compose/letsencrypt:/etc/letsencrypt/"
    environment:
      SERVER_NAME: "${SERVER_NAME:-localhost}"
      CREATE_TLS_CERTIFICATE: "${CREATE_TLS_CERTIFICATE:-yes}"
      TLS_CERTIFICATE_FILE: "${TLS_CERTIFICATE_FILE:-/etc/apache2/ssl/localhost.crt}"
      TLS_CERTIFICATE_KEY: "${TLS_CERTIFICATE_KEY:-/etc/apache2/ssl/localhost.key}"
      NGINX_RTMP_PORT: "${NGINX_RTMP_PORT:-1935}"
      NGINX_HTTP_PORT: "${NGINX_HTTP_PORT:-8080}"
      NGINX_HTTPS_PORT: "${NGINX_HTTPS_PORT:-8443}"
      MEMCACHED_HOST: memcached
    env_file:
      - .env
    ports:
      - "${NGINX_RTMP_PORT:-1935}:1935"
      - "${NGINX_HTTP_PORT:-8080}:8080"
      - "${NGINX_HTTPS_PORT:-8443}:8443"
    depends_on:
      avideo:
        condition: service_healthy
      database:
        condition: service_healthy
      memcached:
        condition: service_started
    healthcheck:
      test: ["CMD-SHELL", "curl --silent --fail http://localhost:8080 || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: "4G"
        reservations:
          cpus: "1"
          memory: "2G"
    networks:
      - app_net

  database:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_INITDB_SKIP_TZINFO: 1
      MYSQL_DATABASE: "${DB_MYSQL_NAME}"
      MYSQL_USER: "${DB_MYSQL_USER}"
      MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD}"
      MARIADB_AUTO_UPGRADE: 1
    volumes:
      - ./.compose/db:/var/lib/mysql
    healthcheck:
      # -p must not be followed by a space: mariadb-admin would prompt for a password and treat the value as a command
      test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-u", "${DB_MYSQL_USER}", "--password=${DB_MYSQL_PASSWORD}"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "2"
          memory: "10G"
        reservations:
          cpus: '1'
          memory: '4G'
    networks:
      - app_net

  database_encoder:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
      MYSQL_INITDB_SKIP_TZINFO: 1
      MYSQL_DATABASE: "${DB_MYSQL_NAME}_encoder"
      MYSQL_USER: "${DB_MYSQL_USER}"
      MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD}"
      MARIADB_AUTO_UPGRADE: 1
    volumes:
      - ./.compose/db_encoder:/var/lib/mysql
    healthcheck:
      # -p must not be followed by a space: mariadb-admin would prompt for a password and treat the value as a command
      test: ["CMD", "mariadb-admin", "ping", "-h", "localhost", "-u", "${DB_MYSQL_USER}", "--password=${DB_MYSQL_PASSWORD}"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "0.5"
          memory: "1G"
    networks:
      - app_net

  phpmyadmin:
    image: "phpmyadmin/phpmyadmin"
    restart: "unless-stopped"
    environment:
      PMA_HOST: "${DB_MYSQL_HOST}"
      PMA_PORT: ${DB_MYSQL_PORT}
      PMA_CONTROLUSER: "${DB_MYSQL_USER}"
      PMA_CONTROLPASS: "${DB_MYSQL_PASSWORD}"
      HIDE_PHP_VERSION: "true"
    ports:
      - "${PHPMYADMIN_PORT:-8081}:80"
    depends_on:
      - database
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: "1G"
    networks:
      - app_net

  phpmyadmin_encoder:
    image: "phpmyadmin/phpmyadmin"
    restart: "unless-stopped"
    environment:
      PMA_HOST: "${DB_MYSQL_HOST}_encoder"
      PMA_PORT: ${DB_MYSQL_PORT}
      PMA_CONTROLUSER: "${DB_MYSQL_USER}"
      PMA_CONTROLPASS: "${DB_MYSQL_PASSWORD}"
      HIDE_PHP_VERSION: "true"
    ports:
      - "${PHPMYADMIN_ENCODER_PORT:-8082}:80"
    depends_on:
      - database_encoder
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: "1G"
    networks:
      - app_net

  memcached:
    image: memcached:alpine
    restart: "unless-stopped"
    command: >
      sh -c "memcached -m 128 -c 1024 -t ${NPROC:-2} -vv"
    ports:
      - "${MEMCACHE_PORT:-11211}:11211"
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: "4G"
        reservations:
          cpus: '0.5'
          memory: '512M'
    networks:
      - app_net
    environment:
      - NPROC=${NPROC:-2}

networks:
  app_net:
    driver: bridge
    ipam:
      config:
        - subnet: "${NETWORK_SUBNET:-172.21.1.0/16}"

Here is the Dockerfile.mariadb file:

# File: Dockerfile.mariadb

FROM mariadb:latest

# Set correct permissions for /tmp directory
RUN chmod 1777 /tmp

RUN chown -R mysql:mysql /var/lib/mysql
RUN chmod -R 755 /var/lib/mysql

# Copy custom MySQL configuration file
COPY deploy/my.cnf /etc/mysql/my.cnf

These are the errors on all the database containers:

2024-11-23 05:19:20+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:11.5.2+maria~ubu2404 started.
2024-11-23 05:19:29+00:00 [Warn] [Entrypoint]: /sys/fs/cgroup///memory.pressure not writable, functionality unavailable to MariaDB
2024-11-23 05:19:29+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'

Please help me.

Thank you
Darius

@grooverdan
Member

2024-11-23 05:19:20+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:11.5.2+maria~ubu2404 started.

FYI 11.5.2 is now EOL, and 11.6.2 is the latest. Probably won't change the issue you are facing.

2024-11-23 05:19:29+00:00 [Warn] [Entrypoint]: /sys/fs/cgroup///memory.pressure not writable, functionality unavailable to MariaDB

Note this is just a warning. As it gets to the next output, it's not stalling here. The memory pressure being unavailable just means MariaDB won't respond to approaching OOM conditions by freeing some unused buffers.

2024-11-23 05:19:29+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'

I think this is the crux of the problem. The next statement after this is the actual switch:

exec gosu mysql "${BASH_SOURCE[0]}" "$@"

That is, it's re-executing the same script under the mysql user.

Let's just test a simpler case for your MariaDB service:

command: gosu mysql id -u

ref: command

So this simplified version will confirm whether it's a problem. Working output would be:

$ podman run --rm mariadb:11.5.2  gosu mysql id -u
999

I suspect the seccomp filter of Proxmox is interfering here. I couldn't see a compose option for privileged for a service.

If /var/lib/mysql is initialized then you can use user: mysql, but maybe this is the same problem as #621.

Unrelated questions on Dockerfile:

Set correct permissions for /tmp directory

RUN chmod 1777 /tmp

This isn't the case already?

RUN chown -R mysql:mysql /var/lib/mysql
RUN chmod -R 755 /var/lib/mysql

Isn't this the default?

Copy custom MySQL configuration file

COPY deploy/my.cnf /etc/mysql/my.cnf

note /etc/mysql/conf.d is the only documented working location https://hub.docker.com/_/mariadb/.

Also, command-line versions of the options are parsed, so command: --innodb-buffer-pool-size=20G --innodb-log-file-size=20G is an option.

@SuperDarius-git
Author

@grooverdan - I am so thankful for your reply and answer (and questions) on my issue post, but I am a supershort guy, so everything you just said went straight over my head! - 😂

I am just trying to install or run the different software. Is there something you can suggest me to do? Or direction in any way?

Where should I change the command for testing?

Thank you
Darius

@grooverdan
Member

Where should I change the command for testing?

As an additional line in the database service.

  database:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    command: gosu mysql id -u
    environment:
      MARIADB_RANDOM_ROOT_PASSWORD: "yes"
      MARIADB_INITDB_SKIP_TZINFO: 1
      MARIADB_DATABASE: "${DB_MYSQL_NAME}"
      MARIADB_USER: "${DB_MYSQL_USER}"
      MARIADB_PASSWORD: "${DB_MYSQL_PASSWORD}"
      MARIADB_AUTO_UPGRADE: 1
....

This only confirms the problem.

  database:
    build:
      context: .
      dockerfile: Dockerfile.mariadb
    restart: "unless-stopped"
    user: mysql

Might be the workaround once the data is initialized from the first start, if you manage the first start.

Other option is named volumes.

@SuperDarius-git
Author

@grooverdan - Thank you so much for your reply. I do understand it better, but can not test this yet, because I am having problems with my power at my home lab, it's been off for 48 hours now. I will test this as soon as power comes back on. I just don't want you to think I disappeared.

@grooverdan grooverdan changed the title /sys/fs/cgroup///memory.pressure not writable, functionality unavailable to MariaDB gosu failing under Proxmox 7 LXC Nov 28, 2024
@SuperDarius-git
Author

SuperDarius-git commented Dec 1, 2024

Hi @grooverdan - when adding the line "command: gosu mysql id -u" to the docker compose file, now it gives me an error when starting up docker compose at the database container. I have not put it in the database-encoder section yet.

The logs just gives me "999" in a few lines.

@grooverdan
Member

ok. so it looks like it changed the user successfully and the functional failure is after that. I'm not sure what to do apart from replicate the environment and try myself.

@SuperDarius-git
Author

That's gonna be a huge job. I will see if I can find a way to get it to work. Thanks for all your help.

@grooverdan
Member

Debugging what happens after the volume permissions are changed:

user: mysql
command: bash -x -v /usr/local/bin/docker-entrypoint.sh mariadbd

That's gonna be a huge job. I will see if I can find a way to get it to work. Thanks for all your help.

I'd suggest --privileged or disabling seccomp to see if that's sufficient.
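The checks grooverdan walks through in this thread (does gosu switch to uid 999, is the data directory initialized before adding user: mysql, is a seccomp filter in play) collected into one script. This is an added example; it is not part of the MariaDB image, the AVideo compose file, or anything posted in the thread. It assumes a POSIX sh with GNU stat and, for the live gosu check only, a docker binary on PATH; the image tag mariadb:11.6 and the default data directory ./.compose/db are assumptions taken from the thread. One caveat it encodes: seccomp filters are inherited across fork and exec and cannot be removed by a child, so if the LXC container's own shell already reports Seccomp mode 2 before Docker is involved, Docker's --privileged or seccomp=unconfined only drops Docker's own profile and the change has to be made on the Proxmox side of the container configuration.

```shell
#!/bin/sh
# mariadb-lxc-diag.sh: added diagnostic helper for the checks discussed in
# this thread. Not part of the MariaDB image, AVideo, or the thread itself.
# Assumptions: POSIX sh, GNU stat, and (for the live check only) docker on
# PATH. The image tag and the ./.compose/db default are assumptions too.

MYSQL_UID=999                      # uid of 'mysql' in the official image
IMAGE=${IMAGE:-mariadb:11.6}       # assumed tag; the thread used 11.5.2 (EOL)

# Seccomp mode of the calling process, read from a /proc/<pid>/status file
# (0 = none, 1 = strict, 2 = filter). Run it in the LXC container's own
# shell: a filter present there is inherited by dockerd and every container
# it starts, and --privileged only drops Docker's own profile.
seccomp_mode() {
  status_file=${1:-/proc/self/status}
  mode=$(awk '$1 == "Seccomp:" { print $2 }' "$status_file" 2>/dev/null || true)
  case "$mode" in
    0) echo none ;;
    1) echo strict ;;
    2) echo filter ;;
    *) echo unknown ;;
  esac
}

# The entrypoint treats a datadir as already initialized when it contains
# the mysql/ system schema directory; mirror that test.
datadir_initialized() {
  [ -d "$1/mysql" ]
}

# With user: mysql the entrypoint is not root and cannot chown the bind
# mount, so the directory must already be owned by that uid.
datadir_owned_by() {
  [ "$(stat -c %u "$1")" = "$2" ]
}

# Classify the result of `gosu mysql id -u`; the only good answer is 999.
gosu_verdict() {
  out=$1
  rc=$2
  if [ "$rc" -ne 0 ]; then
    echo "gosu failed (rc=$rc)"
  elif [ "$out" = "$MYSQL_UID" ]; then
    echo "switched to uid $MYSQL_UID"
  else
    echo "unexpected uid: $out"
  fi
}

# Live version of the test from the thread; skipped when docker is absent.
gosu_live_check() {
  if ! command -v docker >/dev/null 2>&1; then
    echo "docker not found, skipped"
    return 0
  fi
  out=$(docker run --rm "$IMAGE" gosu mysql id -u 2>&1) && rc=0 || rc=$?
  gosu_verdict "$out" "$rc"
}

# Which compose change to make next for the database service.
next_step() {
  datadir=$1
  if ! datadir_initialized "$datadir"; then
    echo "datadir not initialized: let one start as root finish first, without user: mysql"
  elif ! datadir_owned_by "$datadir" "$MYSQL_UID"; then
    echo "datadir not owned by uid $MYSQL_UID: chown -R $MYSQL_UID:$MYSQL_UID $datadir, then add user: mysql"
  else
    echo "datadir ready: add user: mysql to the database service"
  fi
}

main() {
  datadir=${1:-./.compose/db}
  echo "seccomp mode of this shell : $(seccomp_mode)"
  echo "gosu check                 : $(gosu_live_check)"
  echo "next step                  : $(next_step "$datadir")"
}

main "$@"
```

Run it from the AVideo checkout inside the LXC container as sh mariadb-lxc-diag.sh ./.compose/db (and again with ./.compose/db_encoder for the second database). The ownership check matters once user: mysql is added: the entrypoint only chowns the data directory when it still starts as root, so a bind mount created by an earlier root start is usually fine, while a fresh directory is not.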
