Cronjob for non-root docker images

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Hi,
I have a working passbolt pro-non-root setup with LDAP activated.

In the docker-compose.yaml file is the following command section:

    command:
      - /bin/bash
      - -c
      - |
        # Uncomment line below if you are using ldap sync. Change '* * * * *' to your preferred sync schedule. More info: https://en.wikipedia.org/wiki/Cron
        # echo '* * * * * www-data exec /bin/bash -c "source /etc/environment && /usr/share/php/passbolt/bin/cake directory_sync all" >> /var/log/cron.log 2>&1' >> /etc/cron.d/passbolt-pro-server
        /usr/bin/wait-for.sh -t 0 db:3306 -- /docker-entrypoint.sh

I uncommented the second line to synchronize LDAP via cron, but got the following error after starting the container:

    /bin/bash: line 2: /etc/cron.d/passbolt-pro-server: Permission denied

The file /etc/cron.d/passbolt-pro-server is owned by root, so it seems valid that the non root image cannot write there.

After putting the line

    * * * * * www-data exec /bin/bash -c "source /etc/environment && /usr/share/php/passbolt/bin/cake directory_sync all" >> /var/log/cron.log 2>&1

by hand into /etc/cron.d/passbolt-pro-server I got the following errors during cron execution:

    passbolt_1 time="xxx" level=info msg="/bin/sh: 1: cannot create /var/log/cron.log: Permission denied" channel=stderr iteration=0 job.command="www-data exec /bin/bash -c \"source /etc/environment && /usr/share/php/passbolt/bin/cake directory_sync all\" >> /var/log/cron.log 2>&1" job.position=1 job.schedule="*/15 * * * *"
    passbolt_1 time="xxx" level=error msg="error running command: exit status 2" iteration=0 job.command="www-data exec /bin/bash -c \"source /etc/environment && /usr/share/php/passbolt/bin/cake directory_sync all\" >> /var/log/cron.log 2>&1" job.position=1 job.schedule="*/15 * * * *"

I touched and chmoded www-data:www-data /var/log/cron.log and proceeded to the next errors in /var/log/cron.log:

    /bin/sh: 1: www-data: not found

So I changed the cron job

    * * * * * www-data exec /bin/bash -c "source /etc/environment && /usr/share/php/passbolt/bin/cake directory_sync all" >> /var/log/cron.log 2>&1

to

    * * * * * /bin/bash -c "source /etc/environment && /usr/share/php/passbolt/bin/cake directory_sync all" >> /var/log/cron.log 2>&1

Since the image is non root, the cron job is executed by www-data and it worked this way.

However, the sync still did not work:

    # /var/log/cron.log
    Warning: check config and pass option --persist to actually modify data. Running in dry-run mode.

In the end, my cron job looks like this (added --persist):

    * * * * * /bin/bash -c "source /etc/environment && $PASSBOLT_BASE_DIR/bin/cake directory_sync all --persist" >> /var/log/cron.log 2>&1

Issues to solve:

  • How can I write the cronjob during command execution in docker-compose.yml?
  • Update docs for non-root docker image

Hey @lasa welcome to the forum!

Using the non-root docker image does make this a more fun issue to solve. To get this working you’ll need to create and mount a couple files.

  • cron_ldap

    #!/usr/bin/env bash
    # This script is executed as part of a cronjob task and
    # is already run as www-data or any other web user.

    set -euo pipefail

    DIR=$(dirname "$(readlink -f "$0")")

    "$DIR"/cake directory_sync all --persist

  • passbolt-pro-server

    #
    #
    #  Cronjob to process emails for the Passbolt Web Service every minute.
    #
    #  This crontab script is part of the Passbolt Debian package,
    #  see dh_installcron debhelper program for more details.
    #

    PATH=/bin:/usr/local/bin:/usr/bin
    PASSBOLT_BASE_DIR=/usr/share/php/passbolt
    PASSBOLT_LOG_DIR=/var/log/passbolt

    * * * * * $PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log
    * * * * * $PASSBOLT_BASE_DIR/bin/cron_ldap > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log

You’ll then need to mount these to the passbolt container with something like

    - ./<path to file>/cron_ldap:/usr/share/php/passbolt/bin/cron_ldap
    - ./<path to file>/passbolt-pro-server:/etc/cron.d/passbolt-pro-server

The cron_ldap file will need to be executable.

That should get this cronjob working for you

Hi @clayton
Thanks, I hoped there was a way to solve this without mounting the files.

Your solution works for me after I did this:

  • chown root:root /usr/share/php/passbolt/bin/cron_ldap (probably not required, but could be safer)
  • chmod +x /usr/share/php/passbolt/bin/cron_ldap
  • chown root:root /etc/cron.d/passbolt-pro-server (probably not required, but could be safer)

Also I changed

    * * * * * $PASSBOLT_BASE_DIR/bin/cron_ldap > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log

to

    * * * * * $PASSBOLT_BASE_DIR/bin/cron_ldap > $PASSBOLT_LOG_DIR/cron_ldap.log 2> $PASSBOLT_LOG_DIR/cron_ldap-error.log

To separate the log files.
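
The ownership and log-file points from this thread, as an added example that is not part of any post and not Passbolt's own code: `check_cron_mount` verifies that a mounted cron file is owned by the expected uid (0 for the `chown root:root` above) and is not group- or world-writable, and `clobbered_logs` flags truncating redirects that share a target, as both jobs did with `cron.log`. The function names are hypothetical and GNU `stat` is assumed.

```shell
#!/usr/bin/env bash
# Added example (not Passbolt code): pre-flight checks for files that are
# bind-mounted into the non-root container for cron. Function names are
# hypothetical; GNU stat is assumed, as on a Debian-based image.

# check_cron_mount FILE WANT_UID [x]
# Succeeds only if FILE is owned by WANT_UID and is not group/world-writable,
# so the unprivileged web user cannot rewrite what cron runs. With "x", FILE
# must also be r-x for "other", because the job runs as a non-owner.
check_cron_mount() {
  local file="$1" want_uid="$2" need_exec="${3:-}" uid mode
  uid=$(stat -c '%u' "$file") || return 2
  mode=$(stat -c '%a' "$file") || return 2
  if [ "$uid" != "$want_uid" ]; then
    echo "$file: owner uid is $uid, expected $want_uid"; return 1
  fi
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "$file: mode $mode is group- or world-writable"; return 1
  fi
  if [ "$need_exec" = x ] && [ $(( 0$mode & 005 )) -ne 5 ]; then
    echo "$file: mode $mode lacks r-x for other"; return 1
  fi
  return 0
}

# clobbered_logs CRONTAB
# Prints each file that is the target of more than one truncating redirect
# (">" or "2>", with or without a space). ">>" and "2>&1" are ignored.
clobbered_logs() {
  awk '
    $1 ~ /^[*0-9]/ {                 # job lines only
      for (i = 6; i <= NF; i++) {
        t = $i
        if (t ~ /^[12]?>$/ && i < NF) { n[$(i + 1)]++ }
        else if (t ~ /^[12]?>[^>&]/) { sub(/^[12]?>/, "", t); n[t]++ }
      }
    }
    END { for (f in n) if (n[f] > 1) print f }
  ' "$1" | sort
}

# Demo on a constructed crontab holding the two job lines from the reply above.
demo=$(mktemp)
printf '%s\n' \
  '* * * * * $PASSBOLT_BASE_DIR/bin/cron > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log' \
  '* * * * * $PASSBOLT_BASE_DIR/bin/cron_ldap > $PASSBOLT_LOG_DIR/cron.log 2> $PASSBOLT_LOG_DIR/cron-error.log' > "$demo"
clobbered_logs "$demo"
rm -f "$demo"
```

On the host, `check_cron_mount ./cron_ldap 0 x` and `check_cron_mount ./passbolt-pro-server 0` cover the two mounted files before the container is started.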