Permission errors with "./launcher rebuild app" on a fresh install

I did:

git clone https://github.com/discourse/discourse_docker.git /var/discourse
cd /var/discourse
chmod 700 containers

then I copied my old app.yml into containers and tried rebuilding the app:

[root@two discourse]# ./launcher rebuild app
x86_64 arch detected.
Ensuring launcher is up to date
Launcher is up-to-date
Stopping old container
+ /usr/bin/docker stop -t 600 app
app
2.0.20250722-0020: Pulling from discourse/base
Digest: sha256:3b975c30ef85e9742e2d7f6093450867e67dae204c93d22cc38d043dcbf530b3
Status: Image is up to date for discourse/base:2.0.20250722-0020
docker.io/discourse/base:2.0.20250722-0020
/usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups.rb
/usr/local/bin/pups --stdin
I, [2025-09-12T19:05:09.283821 #1]  INFO -- : Reading from stdin
I, [2025-09-12T19:05:09.296585 #1]  INFO -- : File > /etc/service/postgres/run  chmod: +x  chown: 
I, [2025-09-12T19:05:09.301579 #1]  INFO -- : File > /etc/service/postgres/log/run  chmod: +x  chown: 
I, [2025-09-12T19:05:09.307391 #1]  INFO -- : File > /etc/runit/3.d/99-postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.313597 #1]  INFO -- : File > /root/install_postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.319914 #1]  INFO -- : File > /root/upgrade_postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.320255 #1]  INFO -- : Replacing data_directory = '/var/lib/postgresql/15/main' with data_directory = '/shared/postgres_data' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.323526 #1]  INFO -- : Replacing (?-mix:#?listen_addresses *=.*) with listen_addresses = '*' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324153 #1]  INFO -- : Replacing (?-mix:#?synchronous_commit *=.*) with synchronous_commit = $db_synchronous_commit in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324577 #1]  INFO -- : Replacing (?-mix:#?shared_buffers *=.*) with shared_buffers = $db_shared_buffers in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324945 #1]  INFO -- : Replacing (?-mix:#?work_mem *=.*) with work_mem = $db_work_mem in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.325369 #1]  INFO -- : Replacing (?-mix:#?default_text_search_config *=.*) with default_text_search_config = '$db_default_text_search_config' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.325759 #1]  INFO -- : Replacing (?-mix:#?checkpoint_segments *=.*) with checkpoint_segments = $db_checkpoint_segments in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.329467 #1]  INFO -- : Replacing (?-mix:#?logging_collector *=.*) with logging_collector = $db_logging_collector in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.330304 #1]  INFO -- : Replacing (?-mix:#?log_min_duration_statement *=.*) with log_min_duration_statement = $db_log_min_duration_statement in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.330761 #1]  INFO -- : Replacing (?-mix:^#local +replication +postgres +peer$) with local replication postgres  peer in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.331823 #1]  INFO -- : Replacing (?-mix:^host.*all.*all.*127.*$) with host all all 0.0.0.0/0 md5 in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.332230 #1]  INFO -- : Replacing (?-mix:^host.*all.*all.*::1\/128.*$) with host all all ::/0 md5 in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.332621 #1]  INFO -- : > if [ -f /root/install_postgres ]; then
  /root/install_postgres && rm -f /root/install_postgres
elif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then
  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1
fi

mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied
chown: cannot access '/shared/postgres_run': No such file or directory
chmod: cannot access '/shared/postgres_run': No such file or directory
mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied
chown: cannot access '/shared/postgres_run/15-main.pg_stat_tmp': No such file or directory
install: cannot change owner and permissions of ‘/shared/postgres_data’: No such file or directory
initdb: error: could not create directory "/shared/postgres_data": Permission denied
find: ‘/shared/postgres_data’: No such file or directory
chown: cannot dereference '/var/run/postgresql': No such file or directory
cat: /shared/postgres_data/PG_VERSION: No such file or directory
du: cannot access '/shared/postgres_data': No such file or directory
/root/upgrade_postgres: line 7: * 2: syntax error: operand expected (error token is "* 2")
I, [2025-09-12T19:05:12.122891 #1]  INFO -- : Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

creating directory /shared/postgres_data ... Upgrading PostgreSQL from version to 15



FAILED
--------------------
Pups::ExecError: if [ -f /root/install_postgres ]; then
  /root/install_postgres && rm -f /root/install_postgres
elif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then
  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1
fi
 failed with return #<Process::Status: pid 18 exit 1>
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/exec_command.rb:131:in `spawn'
exec failed with the params {"tag"=>"db", "cmd"=>"if [ -f /root/install_postgres ]; then\n  /root/install_postgres && rm -f /root/install_postgres\nelif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then\n  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1\nfi\n"}
bootstrap failed with exit code 1
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.
./discourse-doctor may help diagnose the problem.
c9c7badf83b119a15b40255ae48a05182f72663cc870ca85e867c1f9a218bb83

Apparently there is a permissions problem inside the container right at the outset:

mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied

What could be causing this?

Apparently I need to run docker with the --privileged flag, since that solves the problem:

./launcher rebuild app --docker-args '--privileged'

It's not clear to me why this is the case. (This is running on Fedora 42.) I'd appreciate understanding what is going on here.

Because in Discourse those files are owned by root (or the parent directory is?).

Perhaps it’s set by default in Ubuntu. I don’t know what might be different in Ubuntu.

You could try setting /var/discourse/shared to world writable and see if it works? Or maybe you could see if it works without `--privileged` now?

Ubuntu is what’s recommended and Debian is what is inside the container (and may now be what CDCK uses for their host OS?). Fedora has a bunch of stuff locked down that Ubuntu doesn’t. If you’d love to understand, you’re likely to be largely on your own, though I think I remember at least one person here with some frequency likes Fedora CentOS (which is closer to Fedora than Ubuntu is!). This might have clues: MKJ's Opinionated Discourse Deployment Configuration

I wonder what the effective uid is at the point where the bootstrap script is trying to make subdirectories in /var/discourse/shared; I had thought it would be root, since docker is being run as root, but apparently not?

I see nothing there about using --privileged, sadly, though I share his desire to do this all with podman instead of docker.

1 Like

Yes, I haven't tried running Discourse in production on Fedora yet, only developing Discourse on Fedora, and that wasn't on 42 either. My Discourse servers are currently on AlmaLinux 9 and I don't need --privileged there. I don't have Docker installed on any of my Fedora systems.

1 Like

I think I'll try to find out who owns those directories without --privileged when I have some time.

1 Like

Looking at --privileged, I see that it disables SELinux labeling of processes.

I don't disable SELinux on my Discourse server, and in fact my guide has instructions on how to accommodate keeping SELinux active while using an external nginx. You could also check your avc logs for relevant denials and write a local policy with audit2allow. But that can be a long iterative process. I would start from scratch (deleting /var/discourse) to make sure it is a valid test, and see whether you still need --privileged with SELinux in permissive mode (e.g. setenforce 0). Then, if that works, you can use audit2allow, since setenforce 0 still writes avc entries but no longer stops at the first gate, so you get to a working policy faster.

I don't think I would keep using --privileged on a production system if I could avoid it.

1 Like
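As an added example, not code from this thread or from the Discourse project: the check I would run before reaching for --privileged. Since --privileged drops the container's SELinux confinement, the question raised earlier about which uid is doing the mkdir is less useful than asking which host label the container process was denied against. The AVC lines below are constructed for illustration (the pids, timestamps and contexts are assumptions, though the record layout matches what ausearch -m AVC or /var/log/audit/audit.log prints); the script summarizes each denial as permission, command, target name, source type -> target type, and counts targets that are not labeled container_file_t, which are the host directories a confined container is never allowed to write.

```shell
#!/bin/sh
# Constructed sample audit records (not real output from the poster's host).
# Format follows the standard AVC record; contexts, pids and inode are assumptions.
SAMPLE_AVC='type=AVC msg=audit(1757703909.283:1234): avc:  denied  { create } for  pid=18 comm="mkdir" name="postgres_run" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1757703909.290:1235): avc:  denied  { write } for  pid=19 comm="initdb" name="shared" dev="dm-0" ino=4242 scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1757703909.300:1236): avc:  denied  { read } for  pid=20 comm="cat" name="PG_VERSION" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=file permissive=1'

# summarize_avc: read AVC records on stdin, emit one line per denial:
#   <permission> <comm> <target name> <source type> -> <target type> (<tclass>)
summarize_avc() {
  awk '
    /avc: +denied/ {
      perm=""; comm=""; name=""; stype=""; ttype=""; tclass=""
      # the permission set sits between braces: "{ create }"
      if (match($0, /\{ [^}]+ \}/)) { perm = substr($0, RSTART+2, RLENGTH-4) }
      for (i=1; i<=NF; i++) {
        split($i, kv, "=")
        if (kv[1]=="comm") comm=kv[2]
        else if (kv[1]=="name") name=kv[2]
        else if (kv[1]=="scontext") { split(kv[2], c, ":"); stype=c[3] }   # user:role:type:level
        else if (kv[1]=="tcontext") { split(kv[2], c, ":"); ttype=c[3] }
        else if (kv[1]=="tclass") tclass=kv[2]
      }
      gsub(/"/, "", comm); gsub(/"/, "", name)
      printf "%s %s %s %s -> %s (%s)\n", perm, comm, name, stype, ttype, tclass
    }'
}

# count_unlabeled_targets: how many denials hit an object whose type is not
# container_file_t, i.e. a bind-mounted host path that was never labeled for
# container use. These are the denials --privileged hides rather than fixes.
count_unlabeled_targets() {
  summarize_avc | awk '$6 != "container_file_t" { n++ } END { print n+0 }'
}

# live_check: the same questions asked of a real host. Each tool is guarded so
# the script still runs where SELinux or auditd are absent. Path is an assumption.
live_check() {
  dir=${1:-/var/discourse/shared}
  command -v getenforce >/dev/null 2>&1 && echo "SELinux mode: $(getenforce)"
  [ -d "$dir" ] && ls -ldZ "$dir" 2>/dev/null   # owner, mode and label of the bind mount
  command -v ausearch >/dev/null 2>&1 && ausearch -m AVC -ts recent 2>/dev/null | summarize_avc
  return 0
}

printf '%s\n' "$SAMPLE_AVC" | summarize_avc
echo "denials against non-container labels: $(printf '%s\n' "$SAMPLE_AVC" | count_unlabeled_targets)"
```

Run it as-is to see the summary of the constructed records, or call live_check on the host after a failed rebuild (with setenforce 0 as suggested above, the permissive=1 records still appear, so the list is complete in one pass). A summary line whose target type is var_t or similar for /var/discourse/shared tells you the denial is a labeling problem on that host directory, which is what audit2allow, or relabeling that directory for container access, addresses without giving the whole container --privileged.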