Dealing with permissions on a rootless container #1482

Open
masscream opened this issue May 2, 2024 · 0 comments


Hi everyone, I would like to know if it's possible to run your container even without root permissions, with correct settings. So far, whatever I tried results in coturn running, but the process has almost no rights anywhere in the system, which leads to having only the default configuration or putting all the parameters in the run command (I don't like that). My command is

docker run \
  -d \
  --net mybridge \
  --ip 10.0.10.11 \
  --name coturn \
  --restart always \
  -p 3478:3478 \
  -p 3478:3478/udp \
  -p 5349:5349 \
  -p 5349:5349/udp \
  -p 9004:8080 \
  -p 49150-49170:49150-49170/udp \
  -v coturn_volume:/etc/coturn \
coturn/coturn

What I tried already:

  1. Setting owner nobody:nogroup on coturn_volume
  2. Setting docker profile owner + acl nobody:rwx rights on coturn volume
  3. Playing with -e PUID, PGID env variables - 0, docker profile owner, nobody
  4. Mounting the volume on the /coturn folder in the container fs and specifying turnserver.conf as a run parameter in it.

Everything just leads to:

0: (1): INFO: System cpu num is 8
0: (1): INFO: System cpu num is 8
0: (1): INFO: System enable num is 4
0: (1): WARNING: Cannot find config file: turnserver.conf. Default and command-line settings will be used.
0: (1): INFO: Coturn Version Coturn-4.6.2 'Gorst'
0: (1): INFO: Max number of open files/sockets allowed for this process: 1048576
0: (1): INFO: Due to the open files/sockets limitation, max supported number of TURN Sessions possible is: 524000 (approximately)
0: (1): INFO: 
==== Show him the instruments, Practical Frost: ====
0: (1): INFO: OpenSSL compile-time version: OpenSSL 3.0.11 19 Sep 2023 (0x300000b0)
0: (1): INFO: TLS 1.3 supported
0: (1): INFO: DTLS 1.2 supported
0: (1): INFO: TURN/STUN ALPN supported
0: (1): INFO: Third-party authorization (oAuth) supported
0: (1): INFO: GCM (AEAD) supported
0: (1): INFO: SQLite supported, default database location is /var/lib/coturn/turndb
0: (1): INFO: Redis supported
0: (1): INFO: PostgreSQL supported
0: (1): INFO: MySQL supported
0: (1): INFO: MongoDB supported
0: (1): INFO: Default Net Engine version: 3 (UDP thread per CPU core)
0: (1): INFO: Domain name: 
0: (1): INFO: Default realm: 
0: (1): ERROR: CONFIG: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
0: (1): WARNING: cannot find certificate file: turn_server_cert.pem (1)
0: (1): WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: (1): WARNING: cannot find private key file: turn_server_pkey.pem (1)
0: (1): WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
0: (1): INFO: Certificate file found: //turn_server_cert.pem
0: (1): INFO: Private key file found: //turn_server_pkey.pem
0: (1): WARNING: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: (1): INFO: ===========Discovering listener addresses: =========
0: (1): INFO: Listener address to use: 127.0.0.1
0: (1): INFO: Listener address to use: 10.0.10.11
0: (1): INFO: Listener address to use: ::1
0: (1): INFO: =====================================================
0: (1): INFO: Total: 1 'real' addresses discovered
0: (1): INFO: =====================================================
0: (1): WARNING: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
0: (1): INFO: ===========Discovering relay addresses: =============
0: (1): INFO: Relay address to use: 10.0.10.11
0: (1): INFO: Relay address to use: ::1
0: (1): INFO: =====================================================
0: (1): INFO: Total: 2 relay addresses discovered
0: (1): INFO: =====================================================
0: (1): WARNING: Cannot create pid file: /var/run/turnserver.pid
0: (1): INFO: pid file created: /var/tmp/turnserver.pid
0: (1): INFO: IO method: epoll (with changelist)
0: (1): WARNING: STUN CHANGE_REQUEST not supported: only one IP address is provided
0: (1): INFO: Wait for relay ports initialization...
0: (1): INFO:   relay 10.0.10.11 initialization...
0: (1): INFO:   relay 10.0.10.11 initialization done
0: (1): INFO:   relay ::1 initialization...
0: (1): INFO:   relay ::1 initialization done
0: (1): INFO: Relay ports initialization done
4: (25): DEBUG: turn server id=0 created
4: (27): DEBUG: turn server id=2 created
4: (26): DEBUG: turn server id=1 created
4: (28): DEBUG: turn server id=3 created
4: (30): DEBUG: turn server id=5 created
4: (29): DEBUG: turn server id=4 created
4: (1): INFO: Total General servers: 8
4: (32): DEBUG: turn server id=7 created
4: (31): DEBUG: turn server id=6 created
4: (1): INFO: Total auth threads: 5
4: (1): INFO: prometheus collector disabled, not started

Is there a way to fix/work around this, please?
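The symptom above ("Cannot find config file" despite a mounted volume) is what an unprivileged container process sees when it cannot search the volume directory or read the file inside it: every directory on the way to the file needs the execute (search) bit for that uid, and the file itself needs the read bit. The script below is an added diagnostic, not part of the coturn project or this issue; it reproduces the kernel's owner/group/other decision in Python and walks a directory tree the way a container process with a given uid/gids would. The uid 65534 (nobody) is an assumption about what the rootless container runs as; replace it with the output of `docker exec coturn id -u` for the real value. The sample volumes are constructed in a temporary directory.

```python
"""Check whether an unprivileged uid could reach and read a config file in a
mounted volume, applying POSIX mode bits along the whole path.
Added example, not coturn project code."""
import os
import stat
import tempfile

R, W, X = 4, 2, 1  # permission bits as used in an rwx triplet

def can_access(mode, file_uid, file_gid, uid, gids, want):
    """Owner/group/other check on one inode.
    mode is st_mode (or just its low 9 bits); want is a bitmask of R, W, X."""
    if uid == 0:
        return True  # simplification: root (CAP_DAC_OVERRIDE) bypasses mode bits
    if uid == file_uid:
        bits = (mode >> 6) & 7   # owner triplet
    elif file_gid in gids:
        bits = (mode >> 3) & 7   # group triplet
    else:
        bits = mode & 7          # "other" triplet, where a nobody uid usually lands
    return bits & want == want

def audit_path(volume_root, rel_path, uid, gids, want=R):
    """Walk from volume_root down to rel_path as the given uid would.
    Every directory needs X (search); the final entry needs `want`.
    Returns a list of (path, reason) problems; empty means access would succeed."""
    problems = []
    chain = [os.path.abspath(volume_root)]
    for part in [p for p in rel_path.split("/") if p]:
        chain.append(os.path.join(chain[-1], part))
    for i, cur in enumerate(chain):
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            problems.append((cur, "missing"))
            break
        need = want if i == len(chain) - 1 else X
        if not can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, need):
            problems.append((cur, "uid %d lacks %o on mode %03o owned by %d:%d" % (
                uid, need, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)))
    return problems

def build_sample_volume(fixed):
    """Constructed stand-in for /etc/coturn: a directory holding turnserver.conf.
    fixed=False mimics a volume created by root with private modes (0700/0600);
    fixed=True applies the world-searchable / world-readable modes (0755/0644)
    that let a non-owner uid read the config."""
    root = tempfile.mkdtemp(prefix="coturn_vol_")
    conf = os.path.join(root, "turnserver.conf")
    with open(conf, "w") as fh:
        fh.write("listening-port=3478\nrealm=example.invalid\n")  # constructed content
    os.chmod(root, 0o755 if fixed else 0o700)
    os.chmod(conf, 0o644 if fixed else 0o600)
    return root

if __name__ == "__main__":
    CONTAINER_UID = 65534  # assumption: the rootless image runs as nobody
    for label, fixed in (("private modes", False), ("world-readable modes", True)):
        vol = build_sample_volume(fixed)
        issues = audit_path(vol, "turnserver.conf", CONTAINER_UID, [CONTAINER_UID])
        print(label, "->", "OK" if not issues else issues)
```

Run it against the real volume's mount point on the host (for example the path printed by `docker volume inspect coturn_volume`) with the uid the container actually uses, and the first reported component tells you which chown or chmod is missing. Granting the container uid only the read and search bits it needs, rather than chmod 777 or running the service as root, keeps the least-privilege benefit that motivated the rootless setup in the first place.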
