Xibo-Docker as non-root user

Hello everyone.

#Issue (Xibo-docker 4.2.12 on Linux host)
In our company cluster, we can’t execute containers as root user, following the docker best practices: [Use a non-root user to limit root access](https://www.docker.com/blog/understanding-the-docker-user-instruction/#:~:text=Use%20a%20non-root%20user,resources%20allocated%20to%20the%20container.).
Is there an image configured to run as a non-root user (e.g. www-data)?
Trying to use the default image as the www-data user, I get all these errors (as you might imagine):

chmod: cannot access '/root/.my.cnf': Permission denied
Updating settings.php
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
New install
Provisioning Database
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Phinx by CakePHP - https://phinx.org.

using config file /var/www/cms/phinx.php
using config parser php
using migration paths 
 - /var/www/cms/db/migrations
warning no environment specified, defaulting to: production
using adapter mysql
using database cms
ordering by creation time

All Done. Took 0.0476s
Configuring Database Settings
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Setting up Maintenance
Protected Maintenance
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Importing ca-certs
cp: cannot stat '/var/www/cms/ca-certs/*.pem': No such file or directory
cp: cannot stat '/var/www/cms/ca-certs/*.crt': No such file or directory
Updating certificates in /etc/ssl/certs...
ln: failed to create symbolic link '/etc/ssl/certs/orbstack-root.pem': Permission denied
Setting up XMR private API
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Setting up Quickchart
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
/bin/sed: couldn't open temporary file /etc/periodic/15min/sedMPiII0: Permission denied
/bin/sed: couldn't open temporary file /etc/periodic/15min/sedMPg0z4: Permission denied
/entrypoint.sh: line 237: /etc/cron.d/cms_backup_cron: Permission denied
/entrypoint.sh: line 238: /etc/cron.d/cms_backup_cron: Permission denied
/entrypoint.sh: line 244: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 245: /var/www/maintenance.sh: Permission denied
Configuring Maintenance
/entrypoint.sh: line 246: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 247: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 248: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 249: /var/www/maintenance.sh: Permission denied
chmod: cannot access '/var/www/maintenance.sh': No such file or directory
/entrypoint.sh: line 252: /etc/cron.d/cms_maintenance_cron: Permission denied
/entrypoint.sh: line 253: /etc/cron.d/cms_maintenance_cron: Permission denied
/bin/sed: couldn't open temporary file /etc/sedEzbFEX: Permission denied
/bin/sed: couldn't open temporary file /etc/sedzcpfZY: Permission denied
/bin/sed: couldn't open temporary file /etc/sed2pJu65: Permission denied
/bin/sed: couldn't open temporary file /etc/sedL8pg4b: Permission denied
/bin/sed: couldn't open temporary file /etc/sed8vJ4qd: Permission denied
/bin/sed: couldn't open temporary file /etc/sedyvnvMg: Permission denied
/bin/sed: couldn't open temporary file /etc/sedZtmoVo: Permission denied
/bin/sed: couldn't open temporary file /etc/sed3XTeyt: Permission denied
Removing web/install/index.php from production container
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Configure PHP
sed: couldn't open temporary file /etc/php/8.2/apache2/sedf2W608: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedcVbgyd: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedGViUVj: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedcEnxZn: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedxFtlCs: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedWYjzru: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedWcMxGy: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedq0go4E: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sed14e1oJ: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sed7CUa9M: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedKslqWU: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/seddOVegX: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedxeZJM2: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedmBRTZ5: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sede8ZGUc: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedLwGmdf: Permission denied
Configure Apache
sed: couldn't open temporary file /etc/apache2/sedsfeKgl: Permission denied
sed: couldn't open temporary file /etc/apache2/sites-enabled/sed19Znzs: Permission denied
Starting cron
cron: can't open or create /var/run/crond.pid: Permission denied
Starting webserver
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.158.2. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00091: apache2: could not open error log file /var/log/apache2/error.log.
AH00015: Unable to open logs
Waiting for MySQL to start - max 300 seconds
MySQL started
Configuring MySQL cnf file
/entrypoint.sh: line 55: /root/.my.cnf: Permission denied
/entrypoint.sh: line 56: /root/.my.cnf: Permission denied
/entrypoint.sh: line 57: /root/.my.cnf: Permission denied
/entrypoint.sh: line 58: /root/.my.cnf: Permission denied
/entrypoint.sh: line 59: /root/.my.cnf: Permission denied
chmod: cannot access '/root/.my.cnf': Permission denied
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
New install
Provisioning Database
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Phinx by CakePHP - https://phinx.org.

using config file /var/www/cms/phinx.php
using config parser php
using migration paths 
 - /var/www/cms/db/migrations
warning no environment specified, defaulting to: production
using adapter mysql
using database cms
ordering by creation time

All Done. Took 0.0203s
Configuring Database Settings
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Setting up Maintenance
Protected Maintenance
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Importing ca-certs
cp: cannot stat '/var/www/cms/ca-certs/*.pem': No such file or directory
cp: cannot stat '/var/www/cms/ca-certs/*.crt': No such file or directory
Updating certificates in /etc/ssl/certs...
ln: failed to create symbolic link '/etc/ssl/certs/orbstack-root.pem': Permission denied
Setting up XMR private API
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Setting up Quickchart
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
/bin/sed: couldn't open temporary file /etc/periodic/15min/sedLoz245: Permission denied
/bin/sed: couldn't open temporary file /etc/periodic/15min/sedCd7CGc: Permission denied
/entrypoint.sh: line 237: /etc/cron.d/cms_backup_cron: Permission denied
Configuring Maintenance
/entrypoint.sh: line 238: /etc/cron.d/cms_backup_cron: Permission denied
/entrypoint.sh: line 244: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 245: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 246: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 247: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 248: /var/www/maintenance.sh: Permission denied
/entrypoint.sh: line 249: /var/www/maintenance.sh: Permission denied
chmod: cannot access '/var/www/maintenance.sh': No such file or directory
/entrypoint.sh: line 252: /etc/cron.d/cms_maintenance_cron: Permission denied
/entrypoint.sh: line 253: /etc/cron.d/cms_maintenance_cron: Permission denied
/bin/sed: couldn't open temporary file /etc/sedwmG571: Permission denied
/bin/sed: couldn't open temporary file /etc/sedqS0Fn4: Permission denied
/bin/sed: couldn't open temporary file /etc/sedpwSlz8: Permission denied
/bin/sed: couldn't open temporary file /etc/sedqDa9bg: Permission denied
/bin/sed: couldn't open temporary file /etc/sed9xIULi: Permission denied
/bin/sed: couldn't open temporary file /etc/sedORvGPo: Permission denied
/bin/sed: couldn't open temporary file /etc/sed3ZXyet: Permission denied
/bin/sed: couldn't open temporary file /etc/sedI26Dkx: Permission denied
ERROR 1045 (28000): Access denied for user 'www-data'@'192.168.158.2' (using password: NO)
Configure PHP
sed: couldn't open temporary file /etc/php/8.2/apache2/sed5VJCJ8: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedLkPWIc: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedCEtKGk: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sed7YyvOo: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sed6uis6t: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedOsODtz: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedwfvcZz: Permission denied
sed: couldn't open temporary file /etc/php/8.2/apache2/sedlRemQF: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedBYhtuL: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedlg7wHP: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedvA4ytV: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedicq3rX: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedtdux93: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedOiOiP7: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sedehlu7d: Permission denied
sed: couldn't open temporary file /etc/php/8.2/cli/sed7rTQPf: Permission denied
Configure Apache
sed: couldn't open temporary file /etc/apache2/sedYpUlUl: Permission denied
sed: couldn't open temporary file /etc/apache2/sites-enabled/sedPLocHs: Permission denied
Starting cron
cron: can't open or create /var/run/crond.pid: Permission denied
Starting webserver
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.158.2. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00091: apache2: could not open error log file /var/log/apache2/error.log.
AH00015: Unable to open logs

Thanks in advance,
Poldotz

Not sure about docker and permissions as I don’t use it.

Process for podman running as user should go similar to this:

Create new user, add loginctl linger for that user to be able to run systemd services as that user.

Download and deploy xibo-docker as that user, from inside folder exec: podman-compose up for docker-compose.yml

Add systemd --user created service “xibo.service” for podman-compose startup exec.

Restart and check podman ps as user.

So since you are mapping the local folders into the container, you have to make sure that the ID of the user inside the container has RW access to the folders that you’re mapping.

Generally speaking, you can start the container and then run docker ps to get the container name. In my example, it came back as xibo-docker-cms-web-1

Then you can run a command to determine the ID from within the container:
docker exec -it xibo-docker-cms-web-1 id www-data

This will come back with an ID that you will use in the next step. For my example, it is 33. Note: This user may not actually exist, or may be different when you ID it on your local system hosting the docker container.

From there, you should be able to change the POSIX permissions on the locally mapped folders so that this user account has the correct access. So if you are using the provided docker-compose file, you will want to look at each mapped directory location and modify it accordingly. For example, for the mysql container, you will see: "./shared/db:/var/lib/mysql:Z"

So you will want to run a command like:
chown -R 33:33 ./shared/db

Then restart the container and check the logs: docker logs <container-id> to see if the problem persists.

There are other ways to do this as well, but I think this should generally point you in the right direction.
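
The ownership check from the answer above, written as an added example that is not part of the original thread or of xibo-docker: it lists the host side of each bind mount in a compose file and reports directories that are missing or hold entries not owned by the container UID. UID 33 and the `./shared/db` mapping come from the answer; the service names, the port mapping, the `./shared/cms/custom` mapping and the file `ibdata1` are constructed sample data.

```bash
# Added example, not part of xibo-docker. Checks that the host side of every
# bind mount in a compose file is owned by the UID the container runs as.

# Print the host path of each bind mount ("- ./host:/container[:opts]");
# named volumes, port mappings and environment entries do not match.
list_bind_sources() {
    tr -d "\"'" < "$1" |
        sed -n 's#^[[:space:]]*-[[:space:]]*\(\.\{0,2\}/[^:]*\):.*#\1#p'
}

# Print "MISSING <dir>" or "MISMATCH <dir> <entries>" per bind source that is
# absent or holds entries not owned by UID $2; return 1 if anything printed.
check_bind_ownership() {
    base=$(dirname "$1"); want_uid=$2; rc=0
    sources=$(list_bind_sources "$1")
    while IFS= read -r src; do
        [ -n "$src" ] || continue
        case $src in /*) host=$src ;; *) host=$base/$src ;; esac
        if [ ! -e "$host" ]; then echo "MISSING $src"; rc=1; continue; fi
        # Same scope as `chown -R`: every entry under the directory.
        bad=$(find "$host" ! -user "$want_uid" | wc -l | tr -d ' ')
        if [ "$bad" -gt 0 ]; then echo "MISMATCH $src $bad"; rc=1; fi
    done <<EOF
$sources
EOF
    return "$rc"
}

# Constructed sample tree: the ./shared/db mapping quoted above plus a
# hypothetical second mapping whose host directory has not been created.
make_sample() {
    dir=$(mktemp -d) && mkdir -p "$dir/shared/db" && touch "$dir/shared/db/ibdata1"
    cat > "$dir/docker-compose.yml" <<'EOF'
services:
  cms-db:
    volumes:
      - "./shared/db:/var/lib/mysql:Z"
  cms-web:
    ports:
      - "8080:80"
    volumes:
      - "./shared/cms/custom:/var/www/cms/custom:Z"
EOF
    echo "$dir"
}

sample=$(make_sample)
check_bind_ownership "$sample/docker-compose.yml" 33 || echo "fix ownership before starting as UID 33"
rm -rf "$sample"
```

Against a real deployment, call `check_bind_ownership` with the path to your own docker-compose.yml and the UID that `id www-data` reported inside the container.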