Example of how to use apparmor's aa-exec? - apparmor

I'm trying to use aa-exec but can't find any examples.
sudo aa-exec -f home.me.opt.blah.foobin -p home.me.opt.blah.foobin ls
(run in the dir /home/me/opt/blah/) yields
aa-exec: ERROR: profile 'home.me.opt.blah.foobin' does not exist

If /home/me/opt/blah/foobin is a profile:
sudo aa-exec -p /home/me/opt/blah/foobin ls
If /home/me/opt/blah/foobin is a file or directory containing profiles:
sudo aa-exec -f /home/me/opt/blah/foobin ls

Related

Docker container unable to ignore the EntryPoint bash script failure

Bash script:
clonePath=/data/config/
git branch -r | fgrep -v 'origin/HEAD' | sed 's| origin/|git checkout |' > checkoutAllBranches.sh
chmod +x checkoutAllBranches.sh
echo "Fetch branch: `cat checkoutAllBranches.sh`"
./checkoutAllBranches.sh
git checkout master
git remote rm origin
rm checkoutAllBranches.sh
for config_dir in `ls -a`; do
cp -r $config_dir $clonePath/;
done
echo "API Config update complete..."
Dockerfile which issues this script execution
ENTRYPOINT ["sh","config-update-force.sh","|| true"]
The error below causes the container startup failure despite setting the command status to 0 manually using || true
ERROR:
Error:
cp: cannot create regular file '/data/./.git/objects/pack/pack-27a9d...fb5e368e4cf.pack': Permission denied
cp: cannot create regular file '/data/./.git/objects/pack/pack-27a9d...fbae25e368e4cf.idx': Permission denied
I am looking for 2 options here:
Change these file permissions and then store them in the remote with rwx permissions
Do something to the docker file to ignore this script failure error and start the container.
DOCKERFILE:
FROM docker.hub.com/java11-temurin:latest
USER root
RUN apt-get update
RUN apt-get -y upgrade
RUN apt-get install -y rsync telnet vim wget git
RUN mkdir -p /opt/config/clone/data
RUN chown -R 1001:1001 /opt/config
USER 1001
ADD build/libs/my-api-config-server.jar .
ADD config-update-force.sh .
USER root
RUN chmod +x config-update-force.sh
USER 1001
EXPOSE 8080
CMD java $BASE_JAVA_OPTS $JAVA_OPTS -jar my-api-config-server.jar
ENTRYPOINT ["sh","config-update-force.sh","|| true"]
BASH SCRIPT:
#!/bin/bash
set +e
set +x
clonePath=/opt/clone/data/data
#source Optumfile.properties
echo "properties loaded: example ${git_host}"
if [ -d my-api-config ]; then
rm -rf my-api-config;
echo "existing my-api-config dir deleted..."
fi
git_url=https://github.com/my-api-config-server
git clone https://github.com/my-api-config-server
cd my-api-config-server
git branch -r | fgrep -v 'origin/HEAD' | sed 's| origin/|git checkout |' > checkoutAllBranches.sh
chmod +x checkoutAllBranches.sh
echo "Fetch branch: `cat checkoutAllBranches.sh`"
./checkoutAllBranches.sh
git checkout master
git remote rm origin
rm checkoutAllBranches.sh
for config_dir in `ls -a`; do
cp -r $config_dir $clonePath/;
done
echo "My API Config update complete..."
When you do in the script...
chmod +x checkoutAllBranches.sh
...than why not before cp
chmod -R +rwx ${clonePath}
...or if the stderr message 'wont impact anything'...
cp -r $config_dir $clonePath/ 2>/dev/null;
...even cp dont copy -verbosly.
?
When your Dockerfile declares an ENTRYPOINT, that command is the only thing the container does. If it also declares a CMD, the CMD is passed as additional arguments to the ENTRYPOINT; it is not run on its own unless the ENTRYPOINT makes sure to execute it.
Shell errors are not normally fatal, and especially if you explicitly set +e, even if a shell command fails the shell script will keep running. You see this in your output where you get multiple cp errors; the first error does not terminate the script.
You need to do two things here. The first is to set the ENTRYPOINT to actually run the CMD; the simplest and most common way to do this is to end the script with
exec "$#"
The second is to remove the || true from the Dockerfile. As you have it written out currently, this is passed as the first argument to the entrypoint wrapper – it is not run through a shell and it is not interpreted as a "or" operator. If your script begins with a "shebang" line and is marked executable (both of these are correct in the question) the you do not explicitly need the sh interpreter.
# must be a JSON array; no additional "|| true" argument; no sh -c wrapper
ENTRYPOINT ["./config-update-force.sh"]
# any valid CMD will work with `exec "$#"
CMD java $BASE_JAVA_OPTS $JAVA_OPTS -jar my-api-config-server.jar

Dockerfile commands not executing in MacOS

I am trying to build a container using docker file which has some statements to execute as below:
# Create folder for caching files
RUN mkdir -p /Library/WebServer/docroot/publish
RUN chown -R daemon:daemon /Library/WebServer/docroot
I am using below command to build :
$ docker build --no-cache -t dispatcher-apache -f Dockerfile
I can see the below execution :
Step 7/10 : RUN mkdir -p /Library/WebServer/docroot/publish
---> Running in 4c8f7c3e2238
But the file isn't created on that location when I check.
-bash: cd: /Library/WebServer/docroot/publish: No such file or directory
However, if I create commands from terminal, it works fine.
Dockerfile :
FROM httpd:2.4
# Copy dispatcher module
RUN mkdir -p /private/libexec/apache2/
COPY ./apache2-modules/ /private/libexec/apache2/
RUN ln -s /private/libexec/apache2/dispatcher-apache2.4-4.2.3.so /private/libexec/apache2/mod_dispatcher.so
# Copy new apache dependencies
RUN mkdir -p /private/etc/apache2/conf
COPY ./publish/etc/httpd/conf.d/ /private/etc/apache2/conf/
# Create folder for caching files
RUN mkdir -p /Library/WebServer/docroot/publish
RUN chown -R daemon:daemon /Library/WebServer/docroot
# Create folder for log files
RUN mkdir -p /private/var/log/apache2
# Replace httpd.conf with enabled modules
COPY ./my-httpd.conf /usr/local/apache2/conf/httpd.conf
EDIT after some help:
Now after build, I started the container and below is the error
$ docker run -dit -e HOSTIP=$(ipconfig getifaddr en0) --rm --name dispatcher-app -p 8080:80 dispatcher-apache
6a032a50be846bef06027976b990da27bcb446c28d582cf6c3a4dc4ad4361e1c
$ docker exec -it dispatcher-app /bin/bash
Error: No such container: dispatcher-app
Any troubleshooting tips?

How to execute and log as specific user?

I need to run a command/shell-script as on other user. The stdout shall be written to a logfile.
I tried it like this:
export LOGDIR=foo/bar
sudo -u www command /home/www > /home/www/$LOGDIR/command.log
But I get always this error:
-bash: /home/www/foo/bar/command.log: Permission denied
You can try this easily with this little stupid example:
sudo -u edeviser ls /home/edeviser > /home/edeviser/$LOGDIR/ls.log
I see the problem is, that the redirection with > is not done as the user specified by the ´-u´ option.
How to execute the command and log as the same specific user?
You can try something like
sudo -u www bash -c "command /home/www > /home/www/$LOGDIR/command.log"
export logdir="foo/bar"
sudo -u www command /home/www |sudo -u www dd of="/home/www/$logdir/command.log"

No pid file generate when reinstall spring boot executable jar

I pack a executable jar and install it as init.d service normally. But when I reinstall it, the pid file and log file not generate. so it will failed when exec service appname start
How can I reinstall it?
the command below:
sudo ln -s /opt/bss-message/app.jar /etc/init.d/app1
when i link another script like:
sudo ln -s /opt/bss-message/app.jar /etc/init.d/app2
app2 has not pid file and log file.
Works for me:
$ sudo ln -s `pwd`/target/demo-0.0.1-SNAPSHOT.jar /etc/init.d/app1
$ sudo /etc/init.d/app1 start
Started [9732]
$ sudo ln -s `pwd`/target/demo-0.0.1-SNAPSHOT.jar /etc/init.d/app2
$ sudo /etc/init.d/app2 start
Started [9790]
$ ls /var/log/app*.log
/var/log/app1.log /var/log/app2.log /var/log/apport.log
$ ls /var/run/app1/
app1.pid
$ ls /var/run/app2/
app2.pid

Why can't I echo contents into a new file as sudo? [duplicate]

This question already has answers here:
Bash Deployment Script Permission Problem
(2 answers)
Closed 8 years ago.
I came across this weird problem just now and I can't seem to get to the bottom of it. I'm trying to add a config file to /etc/sudoers.d/ but get permission denied. In the example below, the file "tweedle" doesn't exist and:
drwxr-xr-x 2 root root 4.0K Jan 2 18:27 sudoers.d/
So here's the command:
$ sudo echo "tweedle ALL=(ALL) ALL" > /etc/sudoers.d/tweedle
-bash: /etc/sudoers.d/tweedle: Permission denied
It doesn't even work when I break it into two commands:
$ sudo touch /etc/sudoers.d/tweedle
$ sudo echo "poodle" > /etc/sudoers.d/tweedle
When I tested it locally, same problem:
$ cd ~
$ mkdir -m 755 tweedle
$ sudo chown root:root tweedle
$ sudo echo "battle" > ~/tweedle/beetle
-bash: /home/spanky/tweedle/beetle: Permission denied
$ sudo touch tweedle/beetle
$ sudo echo "battle" > tweedle/beetle
-bash: tweedle/beetle: Permission denied
Without sudo, all is well:
$ cd ~
$ mkdir poodle
$ echo "noodle" > poodle/bottle
$ cat poodle/bottle
noodle
Thoughts?
The echo command is being run as root, but the redirection is done by your shell, so it's executed as the current user, not as root.
The simplest solution is to invoke a root shell to run both the command and the redirection.
Rather than:
sudo echo line > file
try this:
sudo sh -c 'echo line > file'
or
sudo bash -c 'echo line > file'
The answer is to use "tee" with a pipe, a command I wasn't familiar with, so you can use sudo for the second half:
$ echo "tweedle ALL=(ALL) ALL" | sudo tee /etc/sudoers.d/tweedle

Resources