The Wayback Machine - https://web.archive.org/web/20200606044302/https://github.com/bitwarden/server/issues/497

Bitwarden server does not work with Podman #497

Open
SpyTec opened this issue May 15, 2019 · 22 comments

Comments

@SpyTec SpyTec commented May 15, 2019

After running bitwarden.sh with the Let's Encrypt option enabled, I get the following error:

Status: Image is up to date for docker.io/certbot/certbot:latest
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt/logs'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

Repro steps

  1. Grabbed bitwarden.sh from https://go.btwrdn.co/bw-sh
  2. Ran ./bitwarden.sh install
  3. Fill in domain that isn't localhost
  4. Enter y for Let's Encrypt
  5. Enter email

Expected results

Installation continues

Actual results

Installation fails with permission error

Run trace

# ./bitwarden.sh install
 _     _ _                         _            
| |__ (_) |___      ____ _ _ __ __| | ___ _ __  
| '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \ 
| |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
|_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|

Open source password management solutions
Copyright 2015-2019, 8bit Solutions LLC
https://bitwarden.com, https://github.com/bitwarden

===================================================

Docker version 1.13.1, build 1556cce-unsupported
docker-compose version 1.20.1, build 5d8c71b

(!) Enter the domain name for your Bitwarden instance (ex. bitwarden.company.com): bitwarden.example.com

(!) Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n): y

(!) Enter your email address (Let's Encrypt will send you certificate expiration reminders): example@example.com

Using default tag: latest
Trying to pull repository docker.io/certbot/certbot ... 
sha256:ec4383b768b6a162889adcdce2d60cb4c760d2fa48287a354c0182c5e2330fed: Pulling from docker.io/certbot/certbot
Digest: sha256:ec4383b768b6a162889adcdce2d60cb4c760d2fa48287a354c0182c5e2330fed
Status: Image is up to date for docker.io/certbot/certbot:latest
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt/logs'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

@kspearrin kspearrin (Collaborator) commented May 15, 2019

Looks like you do not have permissions to map volumes to the host. Maybe you need to run with sudo?

@SpyTec SpyTec (Author) commented May 15, 2019

Yeah that was the weird part, tried both with sudo and as root. Though I spotted I run an unsupported build of Docker, maybe that is playing up. Will look into it when I get a chance

@SpyTec SpyTec (Author) commented May 16, 2019

Yep, that was the case. Outdated Docker was the issue, switched to Podman while I was at it.

Thanks anyhow, appreciate the help :)

@SpyTec SpyTec closed this May 16, 2019

@SpyTec SpyTec (Author) commented May 22, 2019

Getting a different error now, running podman 1.1.2:

spytec@KeyraGuest1:~/Bitwarden$ ./bitwarden.sh install
 _     _ _                         _
| |__ (_) |___      ____ _ _ __ __| | ___ _ __
| '_ \| | __\ \ /\ / / _` | '__/ _` |/ _ \ '_ \
| |_) | | |_ \ V  V / (_| | | | (_| |  __/ | | |
|_.__/|_|\__| \_/\_/ \__,_|_|  \__,_|\___|_| |_|

Open source password management solutions
Copyright 2015-2019, 8bit Solutions LLC
https://bitwarden.com, https://github.com/bitwarden

===================================================

podman version 1.1.2
docker-compose version 1.20.1, build 5d8c71b

(!) Enter the domain name for your Bitwarden instance (ex. bitwarden.company.com): bitwarden.company.com

(!) Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n): n

Trying to pull docker://bitwarden/setup:1.30.3...Getting image source signatures
Copying blob 743f2d6c1f65 [======================================] 21.4MiB / 21.4MiB
Copying blob e822a344dc4b [======================================] 16.9MiB / 16.9MiB
Copying blob 18c9661a68a5 [======================================] 2.8MiB / 2.8MiB
Copying blob 1103e508d13e [======================================] 28.1MiB / 28.1MiB
Copying blob ad367c85dc33 [======================================] 846.6KiB / 846.6KiB
Copying blob 16d3f5e1dd6d [======================================] 126b / 126b
Copying blob 7fb4289fbfba [======================================] 14.1MiB / 14.1MiB
Copying blob ab2972c2a9d3 [======================================] 517b / 517b
Copying blob d71a7028f643 [======================================] 517b / 517b
Copying config 60dca6a720 [======================================] 4.9KiB / 4.9KiB
Writing manifest to image destination
Storing signatures
60dca6a720fe51a343b3e06600088c30b89bf07979c4c2d4c571f6ef5d51a404
mkdir: cannot create directory '/bitwarden/docker': Permission denied
mkdir: cannot create directory '/bitwarden/ssl': Permission denied
mkdir: cannot create directory '/bitwarden/letsencrypt': Permission denied
mkdir: cannot create directory '/bitwarden/identity': Permission denied
mkdir: cannot create directory '/bitwarden/nginx': Permission denied
mkdir: cannot create directory '/bitwarden/ca-certificates': Permission denied
chown: cannot read directory '/bitwarden': Permission denied
@SpyTec SpyTec reopened this May 22, 2019

@SpyTec SpyTec (Author) commented May 31, 2019

Same issue with:
podman version 1.3.1
docker-compose version 1.22.0, build f46880f

@SpyTec SpyTec (Author) commented Jun 11, 2019

Since Podman has replaced Docker in Fedora and can run Docker containers if set up correctly, can the container files and scripts be updated to work better with non-root containers?

@SpyTec SpyTec (Author) commented Jul 12, 2019

This is most likely an SELinux issue; would Bitwarden be interested in optimizing their docker compose to work better with SELinux?

Might even be as simple as adding :Z to the volume in run.sh https://github.com/bitwarden/server/blob/master/scripts/run.sh#L95

@kspearrin kspearrin (Collaborator) commented Jul 12, 2019

@SpyTec I do not know much about SELinux, so I would be interested in knowing what the issues here are and what the fix would be.

@SpyTec SpyTec (Author) commented Jul 12, 2019

I'm unable to experiment with the bitwarden.sh and run.sh scripts right now.

SELinux has contexts for processes and files which lock files down depending on where the files are located or what contexts the processes are given. Podman works a bit differently than Docker in that it by default runs non-root inside the container, and it also has security enhancements which might make it difficult to run Docker commands under Podman instead.

I'm presuming that the volume mounted under Docker works fine as it runs as the root user inside the container, but as soon as we use Podman and the Podman-Docker bridge we run into SELinux context issues as it's running as non-root.

Adding :Z would destructively change the context label on the mounted folder, meaning it would let the user the container runs as modify the content inside. As long as nothing in the project changes the context of the folder deliberately it should be safe to use :Z.

So instead of -v $OUTPUT_DIR:/bitwarden it would be -v $OUTPUT_DIR:/bitwarden:Z. Though I'd recommend trying this with both Docker and Podman to be sure.

@kspearrin kspearrin (Collaborator) commented Jul 12, 2019

We do not run under root in the containers. We step down to a bitwarden user which has a UID/GID matching that of the host user (or as specified in ./bwdata/env).

@Mart124 Mart124 (Contributor) commented Nov 21, 2019

Did you try disabling SELinux first?
SELINUX=disabled in /etc/selinux/config (then reboot)
Also try to run bitwarden.sh directly as the root user, it could give you clues.

@SpyTec SpyTec (Author) commented Nov 21, 2019

@Mart124 the problem is SELinux in the containers, not on my machine. Bitwarden needs to be changed to work with Podman. Running bitwarden.sh as root will only help with opening ports above 1024, so it wouldn't change anything there either.

I've gone with bitwarden_rs however, as it allowed me to change container settings. Official Bitwarden was a bit of a mess for me to configure locally with all the different containers and generated docker-composes.

@SpyTec SpyTec changed the title Installation script fails with Permission denied Bitwarden server does not work with Podman Nov 21, 2019
@rodehoed rodehoed commented Nov 28, 2019

+1 for me. We are in the process of starting to use the enterprise version. It should be hosted on Redhat EL8, which comes with podman and not docker.

Willing to test!

@Warfields Warfields commented Nov 29, 2019

I'd be willing to write some code to get this working, just point me in the right direction.

@bilogic bilogic commented Dec 23, 2019

Hi,

I'm using bitwarden server with docker. If selinux is disabled, all is fine, but when enabled, I'm having lots of permission denied issues in the logs. Here are some logs.

Running docker logs -f bitwarden-mssql

chown: changing ownership of '/var/opt/mssql/data/master.mdf': Permission denied
chown: changing ownership of '/var/opt/mssql/data/mastlog.ldf': Permission denied
chown: changing ownership of '/var/opt/mssql/data/model.mdf': Permission denied

Running docker logs -f bitwarden-nginx

chown: changing ownership of '/etc/ssl': Permission denied
chown: changing ownership of '/var/log/nginx/error.log': Permission denied
chown: changing ownership of '/var/log/nginx/access.log': Permission denied

  1. @kspearrin How do I get the bitwarden server to use the bitwarden user?
  2. @SpyTec Any idea what I can do about selinux or run.sh?

Thanks!

@bilogic bilogic commented Dec 23, 2019

[root@linuxdev3 www]# ll
total 4
drwxr-xr-x. 14 65534 65534  194 Dec 22 21:31 bwdata

btw this is my user and group ID when doing an ll.

@kspearrin kspearrin (Collaborator) commented Dec 23, 2019

@bilogic The bitwarden containers are already configured to run processes as the bitwarden user. See here for example: https://github.com/bitwarden/server/blob/master/src/Api/entrypoint.sh

@bilogic bilogic commented Dec 24, 2019

@kspearrin I did the following:

groupadd bitwarden
useradd bitwarden -g bitwarden
chown -R bitwarden:bitwarden bwdata

I enabled selinux and restarted docker, but the permission denied errors continue to happen

@Mart124 Mart124 (Contributor) commented Dec 27, 2019

You can tune the UID/GID the container uses to run its processes with the following config file:
bwdata/env/uid.env

@rbicker rbicker commented Apr 9, 2020

This is not an issue of lacking permissions for the bitwarden user, the problem is based on wrong selinux fcontexts.

I can confirm that adding ":Z" enables the containers to run. I am currently using the following ./bwdata/docker/docker-compose.override.yml as a workaround.

version: '3'
services:
  mssql:
    volumes:
      - mssql_data:/var/opt/mssql/data:Z
      - ../logs/mssql:/var/opt/mssql/log:Z
      - ../mssql/backups:/etc/bitwarden/mssql/backups:Z

  web:
    volumes:
      - ../web:/etc/bitwarden/web:Z

  attachments:
    volumes:
      - ../core/attachments:/etc/bitwarden/core/attachments:Z

  api:
    volumes:
      - ../core:/etc/bitwarden/core:Z
      - ../ca-certificates:/etc/bitwarden/ca-certificates:Z
      - ../logs/api:/etc/bitwarden/logs:Z

  identity:
    volumes:
      - ../identity:/etc/bitwarden/identity:Z
      - ../core:/etc/bitwarden/core:Z
      - ../ca-certificates:/etc/bitwarden/ca-certificates:Z
      - ../logs/identity:/etc/bitwarden/logs:Z

  admin:
    volumes:
      - ../core:/etc/bitwarden/core:Z
      - ../ca-certificates:/etc/bitwarden/ca-certificates:Z
      - ../logs/admin:/etc/bitwarden/logs:Z

  icons:
    volumes:
      - ../ca-certificates:/etc/bitwarden/ca-certificates:Z
      - ../logs/icons:/etc/bitwarden/logs:Z

  notifications:
    volumes:
      - ../ca-certificates:/etc/bitwarden/ca-certificates:Z
      - ../logs/notifications:/etc/bitwarden/logs:Z

  events:
    volumes:
      - ../ca-certificates:/etc/bitwarden/ca-certificates:Z
      - ../logs/events:/etc/bitwarden/logs:Z

  nginx:
    volumes:
      - ../nginx:/etc/bitwarden/nginx:Z
      - ../letsencrypt:/etc/letsencrypt:Z
      - ../ssl:/etc/ssl:Z
      - ../logs/nginx:/var/log/nginx:Z
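
Added example (editor's code, not Bitwarden's and not from any comment above) for the relabelling that SpyTec's :Z suggestion and rbicker's override file both rely on. On an SELinux host a bind-mounted host directory keeps its host label, so a confined container process gets "Permission denied" on it even when the UID matches. The :Z volume option relabels the directory with that one container's private MCS label; :z relabels it as shared between containers. The difference matters for the override above: ../core and ../ca-certificates are mounted by several services, and ../core/attachments is a subtree of ../core. Two containers that each apply :Z to the same tree relabel it in turn, so whichever starts last owns it and the others are denied again, which is one plausible cause of the trouble rbicker reports after enabling the override. The script below reads the short src:dst[:opts] volume entries of a compose file (a purpose-built reader for that layout, so it runs without PyYAML), marks a bind mount :z when any other service mounts the same or an overlapping path and :Z otherwise, leaves named volumes such as mssql_data alone, and prints an override file. Service names and paths in the sample are modelled on the thread; the image value and the :ro option are constructed for the example.

```python
"""Choose the SELinux relabel option (:Z private, :z shared) for each bind
mount in a docker-compose file and emit a docker-compose.override.yml.
Added example, not Bitwarden project code. The compose reader only
understands the services/<name>/volumes/"- src:dst[:opts]" layout."""
import posixpath
from collections import defaultdict

HOST_PATH_PREFIXES = ("/", "./", "../", "~", "$")   # anything else is a named volume


def parse_volumes(compose_text):
    """Return {service: [(src, dst, [opts])]} from short-syntax volume entries."""
    services, service, in_services, in_volumes = {}, None, False, False
    for raw in compose_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:                                  # version:, services:, volumes:
            in_services, service, in_volumes = stripped == "services:", None, False
        elif not in_services:
            continue
        elif indent == 2 and stripped.endswith(":"):     # a service name
            service, in_volumes = stripped[:-1], False
            services.setdefault(service, [])
        elif indent == 4 and not stripped.startswith("- "):  # a key inside the service
            in_volumes = stripped == "volumes:"
        elif in_volumes and service and stripped.startswith("- "):
            parts = stripped[2:].strip("\"' ").split(":")
            if len(parts) >= 2:                          # "- /data" alone is anonymous
                opts = parts[2].split(",") if len(parts) > 2 else []
                services[service].append((parts[0], parts[1], opts))
    return services


def is_bind_mount(src):
    return src.startswith(HOST_PATH_PREFIXES)


def overlaps(a, b):
    """True when the two host paths are the same tree or one contains the other;
    relabelling either would change the label of the part they share."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def plan_relabels(services):
    """Add ':z' to a bind mount when another service mounts an overlapping path,
    ':Z' when this service is its only user. Entries already carrying z/Z and
    named volumes are left out. Returns {service: [(src, dst, opts)]}."""
    binds = [(name, src) for name, vols in services.items()
             for src, _, _ in vols if is_bind_mount(src)]
    plan = defaultdict(list)
    for name, vols in services.items():
        for src, dst, opts in vols:
            if not is_bind_mount(src) or {"z", "Z"} & set(opts):
                continue
            shared = any(other != name and overlaps(src, osrc) for other, osrc in binds)
            plan[name].append((src, dst, opts + ["z" if shared else "Z"]))
    return dict(plan)


def render_override(plan):
    """Compose merges 'volumes' entries by container path, so an override that
    lists only the relabelled mounts replaces exactly those entries."""
    lines = ["version: '3'", "services:"]
    for name in sorted(plan):
        lines += [f"  {name}:", "    volumes:"]
        for src, dst, opts in plan[name]:
            lines.append(f"      - {src}:{dst}" + (":" + ",".join(opts) if opts else ""))
    return "\n".join(lines) + "\n"


# Constructed sample modelled on the service/volume layout quoted in the issue;
# the image value and the :ro option are illustrative, not copied from Bitwarden.
SAMPLE_COMPOSE = """\
version: '3'
services:
  mssql:
    image: example/mssql
    volumes:
      - mssql_data:/var/opt/mssql/data
      - ../logs/mssql:/var/opt/mssql/log
  api:
    volumes:
      - ../core:/etc/bitwarden/core
      - ../ca-certificates:/etc/bitwarden/ca-certificates
      - ../logs/api:/etc/bitwarden/logs
  identity:
    volumes:
      - ../identity:/etc/bitwarden/identity
      - ../core:/etc/bitwarden/core
      - ../ca-certificates:/etc/bitwarden/ca-certificates
  attachments:
    volumes:
      - ../core/attachments:/etc/bitwarden/core/attachments
  nginx:
    volumes:
      - ../letsencrypt:/etc/letsencrypt:ro
      - ../logs/nginx:/var/log/nginx
volumes:
  mssql_data:
"""

if __name__ == "__main__":
    print(render_override(plan_relabels(parse_volumes(SAMPLE_COMPOSE))), end="")
```

After bringing the stack up with the generated override in place, ls -Zd bwdata/core on the host should show the type container_file_t; a shared relabel ends in s0, a private one in the owning container's category pair such as s0:c123,c456, so a directory several services use that shows categories is the misconfiguration described above. Only relabel directories created for the containers: :Z or :z on a path such as /home or /etc rewrites labels the rest of the system depends on.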
@Warfields Warfields commented Apr 9, 2020


@rbicker Do you want to create a pull request for this?

@rbicker rbicker commented Apr 19, 2020

I had to disable selinux again, as we were experiencing some weird issues. Unfortunately I do not have the time to troubleshoot the issue at the moment...

7 participants