Permission denied after upgrading docker container from 10.3 to 10.4 in Jelastic

Michiel_Oliemans · May 13, 2024, 12:01pm

We’re trying to upgrade our SonarQube v10.3 to v10.5 (Community Edition), which is running as a docker container inside our Jelastic platform, see also: Container Run Configuration | Virtuozzo Dev Docs.

When trying to start up we see the following error message:
/bin/sh: 1: /opt/sonarqube/docker/entrypoint.sh: Permission denied

It appears to be caused by the stronger security configuration that’s referred to in this answer: Error launching docker container for 10.4 enterprise - #5 by jeremy.cotineau.

We’re not changing any user ids or anything like that ourselves, but probably the Jelastic platform does something in how it starts the container that’s interfering with this configuration. We’re at a loss however how we can resolve this issue and upgrade our SonarQube instance.

davi.vidal · May 22, 2024, 6:40pm

Hi @Michiel_Oliemans. Welcome to our community forums!

It is my first time hearing about Jelastic. Can you show me how you are deploying our Docker image there? Are you trying to run it as an Application or System container?

Can you SSH into the container and show me the output of stat /opt/sonarqube/docker/entrypoint.sh?

christophe.cariou · July 16, 2024, 3:26pm

Hi Davi ,

I^ve exactly the same trouble than Michiel : SQ on a Jelastic platform, with this error :

/bin/sh: 1: /opt/sonarqube/docker/entrypoint.sh: Permission denied

Here is result of stat command for me :

 stat /opt/sonarqube/docker/entrypoint.sh
  File: /opt/sonarqube/docker/entrypoint.sh
  Size: 381       Blocks: 8          IO Block: 4096   regular file
Device: 8f40b661h/2403382881dInode: 395640      Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2299-01-27 00:36:45.128654848 +0000
Modify: 2024-07-02 07:09:46.000000000 +0000
Change: 2024-07-16 14:52:23.137408776 +0000
 Birth: -

Do you have a workaround for this case ?

Regards
Christophe

Michiel_Oliemans · July 23, 2024, 9:52am

Hi Davi,

Sorry for the late reply, was on holiday. We run it as an application container. I’m getting the same result for the stat command as Cristophe below.

  File: /opt/sonarqube/docker/entrypoint.sh
  Size: 381       Blocks: 8          IO Block: 4096   regular file
Device: a590b651h/2777724497dInode: 3277132     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2299-01-27 00:36:45.128654848 +0000
Modify: 2024-04-25 22:51:02.000000000 +0000
Change: 2024-05-13 11:37:17.875856503 +0000
 Birth: -

davi.vidal · July 29, 2024, 7:48am

Hi @Michiel_Oliemans and @christophe.cariou.

I have no idea what is happening. I’m going totally blind here.

How did you deploy SonarQube there? Did you use our official Helm chart? A custom chart? Only the Docker image?

@christophe.cariou, are you using Community Edition as well?

Michiel_Oliemans · July 29, 2024, 8:19am

Only the Docker image.

christophe.cariou · July 29, 2024, 9:35am

Only Docker image, as application container, with a separated PostgreSQL container.

davi.vidal · July 29, 2024, 2:34pm

Do you know if I can spawn a local/development instance of Jelastic to investigate?

Since this thread has been going on for quite a while now, did you also try SonarQube 10.6? If yes, I assume that you got the same error, right?

Do you know what container engine Jelastic is running behind the scenes?

Michiel_Oliemans · July 31, 2024, 5:54pm

Just upgraded to 10.6 and in that version this problem seems to be resolved! Let’s hope it stays that way and the problem doesn’t come back in a future release.

christophe.cariou · August 6, 2024, 6:46am

Hi. Still locked on this issue. I’m not upgrading, just a fresh deployment of 10.6 (latest). @davi.vidal , mounting a JElastic instance is not possible, I’m afraid, or a very long process… But, perhaps, you can try a free account on one of JElastic PAAS providers : Virtuozzo Cloud Union Catalog: Choose Your Service Provider.

Note :
If I “su sonarqube” inside the container, I can launch entrypoint.sh…

christophe.cariou · August 6, 2024, 7:25am

If I apply a 'chown -R sonarqube /opt/sonarqube/ ’ and the restart the contener, it works also… I suspect there is something around the fact that the owner of file is “root”, and despite membership of user sonarqube to guid 0.

davi.vidal · August 6, 2024, 9:09am

That is very weird indeed. As you noted, we make sure that the sonarqube user has the root group as its primary group, and that the group has permission over everything. This is a recommended guideline from OpenShift.

That is interesting! You shouldn’t need that as the default user is sonarqube. Can you open a terminal session to the container and run id?

You should see something similar to this:

docker run -it --entrypoint /bin/bash sonarqube
sonarqube@5a0ada440bf6:/opt/sonarqube$ id
uid=1000(sonarqube) gid=0(root) groups=0(root)
sonarqube@5a0ada440bf6:/opt/sonarqube$
exit

system · August 13, 2024, 9:09am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.