
Support running sabnzbd as root in container #37

Open

jpf91 opened this issue Aug 11, 2020 · 0 comments

jpf91 commented Aug 11, 2020

I know, looks like a strange request at first ;-)

The reason is that I want to use this image in podman's rootless mode. This means podman already runs as a user on the container host system and provides security / isolation. In that case, podman maps the uid/gid 0 to the host system user. So if I have a user sabnzbd and a group sabnzbd on the host and I want files created by the container to be owned by sabnzbd:sabnzbd on the host system, then sabnzbd has to run as root inside the container. (There is a possibility to map some other uid/gid to the primary host id, but it's undocumented and complicated...).

Currently, the best I can do is setting SABNZBD_UID to 0. I would not have expected the usermod command to work, but for some reason it's partially working:

```
# id sabnzbd
uid=0(root) gid=0(root) groups=0(root)
# grep sabnzbd /etc/passwd
sabnzbd:x:0:666::/sabnzbd:/bin/sh
# grep sabnzbd /etc/group
sabnzbd:x:666:
```

But it has the strange effect that files generated by sabnzbd are now owned by root, but the group is still set to sabnzbd, messing up the permissions on the container host. So really, an explicit SABNZBD_ROOT=y would be very much appreciated.

Off-Topic

Setting up this thing in podman was a pain, so in case you want to include these instructions in the README:

Tested on Fedora 32:

```sh
# Containers can be started by systemd
setsebool -P container_manage_cgroup 1

# Create sabnzbd user. Note: --system can be used to create a system user, but /etc/subuid and /etc/subgid are not set up properly in this case and must be modified manually.
useradd -d /var/lib/sabnzbd -U sabnzbd
# Disable login for user
usermod -L sabnzbd

# Allow container access to sabnzbd configuration dir and data dir
semanage fcontext -a -t container_file_t '/var/lib/sabnzbd(/.*)?'
semanage fcontext -a -t container_file_t '/media/data/download/sabnzbd(/.*)?'
restorecon -v -RF /var/lib/sabnzbd
restorecon -v -RF /media/data/download/sabnzbd
```

Create the systemd service in /etc/systemd/system/container-sabnzbd.service:

```ini
# container-sabnzbd.service
# autogenerated by Podman 2.0.3
# Tue Aug 11 18:43:34 CEST 2020

[Unit]
Description=Podman container-sabnzbd.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target

[Service]
User=sabnzbd
Group=sabnzbd
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=always
ExecStartPre=/bin/rm -f %T/container-sabnzbd.pid %T/container-sabnzbd.ctr-id
ExecStart=/usr/bin/podman run --conmon-pidfile %T/container-sabnzbd.pid --cidfile %T/container-sabnzbd.ctr-id --cgroups=no-conmon -d --replace --name sabnzbd -e SABNZBD_UID=0 -e SABNZBD_GID=0 -v /var/lib/sabnzbd:/datadir -v /media/data/download/sabnzbd:/media -p 10000:8080 --label io.containers.autoupdate=image --log-driver=journald docker.io/sabnzbd/sabnzbd
ExecStop=/usr/bin/podman stop --ignore --cidfile %T/container-sabnzbd.ctr-id -t 10
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %T/container-sabnzbd.ctr-id
PIDFile=%T/container-sabnzbd.pid
KillMode=none
Type=forking

[Install]
WantedBy=multi-user.target default.target
```

(note: %t in the autogenerated file had to be changed to %T).

  • Now run systemctl daemon-reload && systemctl start container-sabnzbd.
  • Run systemctl enable container-sabnzbd to start the service at boot.
  • systemctl status container-sabnzbd shows the log, as logs are sent to the journal (logged as process conmon).
  • podman auto-update should work to update the container, but I couldn't test it.

It is also possible to run the container in podman without setting up a systemd service and a sabnzbd user. In that case, the chcon commands are still required for the shared volumes. The podman command can then be started manually: podman run --name sabnzbd -e SABNZBD_UID=0 -e SABNZBD_GID=0 -v datadir:/datadir -v mediadir:/media -p 10000:8080 sabnzbd/sabnzbd

Apart from the podman specific setup, I had to do two other steps:

  • Add the hostname of the system host / nginx reverse proxy to the configuration.
  • Set up nginx reverse proxy. I couldn't find a fully-working nginx documentation example, but this is what works for me:
```nginx
location /sabnzbd {
   proxy_pass http://127.0.0.1:10000/sabnzbd;
   client_max_body_size 10m;
   client_body_buffer_size 128k;

   # Timeout if the real server is dead
   proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

   # Advanced Proxy Config
   send_timeout 5m;
   proxy_read_timeout 240;
   proxy_send_timeout 240;
   proxy_connect_timeout 240;

   # Basic Proxy Config
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto https;
   proxy_redirect  http://  $scheme://;
   proxy_http_version 1.1;
   proxy_set_header Connection "";
   proxy_cache_bypass $cookie_session;
   proxy_no_cache $cookie_session;
   proxy_buffers 32 4k;
}
```
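The ownership problem described in the issue (uid 0 inside the container becomes the host user, but a non-zero gid such as 666 lands in the subordinate range) comes from the rootless id mapping. The script below is an added example, not code from the issue or from the sabnzbd image project: it translates container ids to host ids using the three-column format of /proc/<pid>/uid_map and gid_map. The map itself is constructed for the walkthrough (host user sabnzbd as 1000, subordinate range starting at 100000); on a real host the container's map can be read with podman unshare cat /proc/self/uid_map, and the ranges come from /etc/subuid and /etc/subgid.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the sabnzbd image): translate ids seen
# inside a rootless podman container to the ids the host sees, using the
# three-column format of /proc/<pid>/uid_map and gid_map:
#   <first id inside container> <first id on host> <count>
# The map below is constructed to match a typical rootless setup where the
# host user "sabnzbd" is uid/gid 1000 and /etc/subuid + /etc/subgid give it
# the range 100000-165535 (assumption; read the real one from the container).
ID_MAP='0 1000 1
1 100000 65536'

# map_id <container_id> [map_text] -> prints the host id, or "unmapped"
map_id() {
    cid=$1
    map=${2:-$ID_MAP}
    result=unmapped
    while read -r inner outer count; do
        [ -z "$inner" ] && continue
        # the id is covered by this line if inner <= cid < inner + count
        if [ "$cid" -ge "$inner" ] && [ "$cid" -lt $((inner + count)) ]; then
            result=$((outer + cid - inner))
            break
        fi
    done <<EOF
$map
EOF
    printf '%s\n' "$result"
}

# owner_on_host <container_uid> <container_gid> -> "uid:gid" as the host sees it
owner_on_host() {
    printf '%s:%s\n' "$(map_id "$1")" "$(map_id "$2")"
}

# Walk through the cases from the issue:
#  - sabnzbd running as 0:0 in the container -> files are 1000:1000 (sabnzbd:sabnzbd) on the host
#  - SABNZBD_UID=0 with the group left at 666  -> files are 1000:100665 on the host, a gid that
#    belongs to no host user or group, which is the broken permission state reported
#  - an id above the subordinate range has no host id at all (the kernel shows it as overflow)
printf 'uid 0 / gid 0   -> %s\n' "$(owner_on_host 0 0)"
printf 'uid 0 / gid 666 -> %s\n' "$(owner_on_host 0 666)"
printf 'uid 70000       -> %s\n' "$(map_id 70000)"
```

The second case is exactly why running the process as uid 0 and gid 0 inside the container is the only mapping that produces sabnzbd:sabnzbd on the host: any other gid is shifted into the subordinate range, so the host-side group permissions no longer match.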