UID of besu changed from 1000 to 1001 in 23.10.3 Docker image #6358

Closed
h4l opened this issue Jan 6, 2024 · 2 comments · Fixed by #6360
Labels
dev experience The build system, things that enable easier development etc. docker mainnet P4 Low (ex: Node doesn't start up when the configuration file has unexpected "end-of-line" character)

Comments

@h4l
Contributor

h4l commented Jan 6, 2024

Description

As an operator running Besu's official container image, I want the container's besu user UID to remain the same so that it can read & write persistent files after updating to a new container image.

Acceptance Criteria

  • Container image's besu user UID should remain the same in every version

Steps to Reproduce (Bug)

  1. Run id in current and past versions of Besu's container to see the UID of the besu user:
$ docker container run --rm --entrypoint id hyperledger/besu:23.10.2-openjdk-latest
uid=1000(besu) gid=1000(besu) groups=1000(besu)

$ docker container run --rm --entrypoint id hyperledger/besu:23.10.3-openjdk-latest
uid=1001(besu) gid=1001(besu) groups=1001(besu),100(users)

See that besu used to use UID 1000, but in 23.10.3 it uses 1001.

Expected behavior: The besu user should have UID 1000 in 23.10.3

Actual behavior: The besu user actually has UID 1001

Frequency: 100%

Logs (if a bug)

With its data files from a past version owned by uid 1000, the 23.10.3 container will fail to start with a non-obvious error message:

2024-01-06 17:32:38.521+00:00 | main | INFO  | Besu | Security Module: localfile
2024-01-06 17:32:38.549+00:00 | main | INFO  | Besu | Using the native implementation of alt bn128
2024-01-06 17:32:38.573+00:00 | main | INFO  | Besu | Using the native implementation of modexp
2024-01-06 17:32:38.574+00:00 | main | INFO  | Besu | Using the native implementation of the signature algorithm
2024-01-06 17:32:38.577+00:00 | main | INFO  | Besu | Using the native implementation of the blake2bf algorithm
2024-01-06 17:32:38.663+00:00 | main | INFO  | Besu | 0 Bootnodes configured
2024-01-06 17:32:38.753+00:00 | main | INFO  | KeyPairUtil | Attempting to load public key from /var/lib/besu/data/key
2024-01-06 17:32:38.753+00:00 | main | ERROR | Besu | Failed to start Besu
picocli.CommandLine$ExecutionException: Supplied file does not contain valid keyPair pair.
        at org.hyperledger.besu.cli.BesuCommand.buildController(BesuCommand.java:2167)
        at org.hyperledger.besu.cli.BesuCommand.initController(BesuCommand.java:2153)
        at org.hyperledger.besu.cli.BesuCommand.run(BesuCommand.java:1463)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2026)
        at picocli.CommandLine.access$1500(CommandLine.java:148)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
        at picocli.CommandLine.execute(CommandLine.java:2170)
        at org.hyperledger.besu.cli.util.ConfigOptionSearchAndRunHandler.handle(ConfigOptionSearchAndRunHandler.java:62)
        at org.hyperledger.besu.cli.util.ConfigOptionSearchAndRunHandler.handle(ConfigOptionSearchAndRunHandler.java:33)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
        at picocli.CommandLine.execute(CommandLine.java:2170)
        at org.hyperledger.besu.cli.BesuCommand.parse(BesuCommand.java:1628)
        at org.hyperledger.besu.cli.BesuCommand.parse(BesuCommand.java:1423)
        at org.hyperledger.besu.Besu.main(Besu.java:39)
Caused by: java.lang.IllegalArgumentException: Supplied file does not contain valid keyPair pair.
        at org.hyperledger.besu.crypto.KeyPairUtil.loadPrivateKey(KeyPairUtil.java:163)
        at org.hyperledger.besu.crypto.KeyPairUtil.load(KeyPairUtil.java:146)
        at org.hyperledger.besu.crypto.KeyPairUtil.loadKeyPair(KeyPairUtil.java:88)
        at org.hyperledger.besu.cli.BesuCommand.loadKeyPair(BesuCommand.java:1608)
        at org.hyperledger.besu.cli.BesuCommand.defaultSecurityModule(BesuCommand.java:1596)
        at com.google.common.base.Suppliers$NonSerializableMemoizingSupplier.get(Suppliers.java:183)
        at org.hyperledger.besu.cli.BesuCommand.securityModule(BesuCommand.java:3179)
        at org.hyperledger.besu.cli.BesuCommand.getControllerBuilder(BesuCommand.java:2189)
        at org.hyperledger.besu.cli.BesuCommand.buildController(BesuCommand.java:2165)
        ... 18 more
Supplied file does not contain valid keyPair pair.
To display full help:
besu [COMMAND] --help

Versions (Add all that apply)

  • Besu 23.10.3

Additional Information (Add any of the following or anything else that may be relevant)

Changing file ownership fixes this, but ideally the container user UID should not change between versions, because it means updates require manual intervention to change file permissions.


Edit: I updated this to follow the template, was in a bit of a rush when reporting this yesterday, sorry!

h4l added a commit to h4l/besu that referenced this issue Jan 7, 2024
The openjdk-latest Docker image is using UID 1001 for besu, because its
base image ubuntu:23.10 now contains a default "ubuntu" user with UID
1000. (This UID change causes the besu user with UID 1001 to not have
access to files created for past versions with UID 1000.)

We now remove the default ubuntu user and explicitly use UID 1000 when
creating the besu user.
@non-fungible-nelson non-fungible-nelson added dev experience The build system, things that enable easier development etc. mainnet docker P4 Low (ex: Node doesn't start up when the configuration file has unexpected "end-of-line" character) labels Jan 8, 2024
@non-fungible-nelson
Contributor

You can pick up the stable docker image in this instance. We should address the testing gap and will fix on latest going forward.
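
The testing gap mentioned above can be covered by a check on the image's `id` output. The following is an added example, not part of the thread or of the Besu build, and its function names are hypothetical. It parses the two `id` outputs quoted in the issue and compares an image's identity with the numeric owner of an existing data path.

```shell
#!/bin/sh
# Added example (not Besu project code): detect UID/GID drift between a
# container image and the persistent data it must read and write.
# All function names are hypothetical.

# Constructed samples: the two `id` outputs quoted in the issue.
ID_23_10_2='uid=1000(besu) gid=1000(besu) groups=1000(besu)'
ID_23_10_3='uid=1001(besu) gid=1001(besu) groups=1001(besu),100(users)'

# Print the numeric value of one field (uid or gid) from `id` output.
parse_id_field() {   # $1 = field name, $2 = id output
    rest=${2#*"$1="}                 # drop everything up to and including "uid="
    [ "$rest" != "$2" ] || return 1  # field not present
    num=${rest%%[!0-9]*}             # keep the leading digits only
    [ -n "$num" ] || return 1
    printf '%s\n' "$num"
}

# Print "uid gid" of a path's owner; `ls -n` lists numeric ids.
path_owner() {       # $1 = file or directory
    ls -nd -- "$1" | awk '{ print $3, $4 }'
}

# Return 0 if the image identity equals the expected uid:gid, 1 on drift,
# 2 if the id output cannot be parsed.
check_image_identity() {   # $1 = uid, $2 = gid, $3 = id output
    img_uid=$(parse_id_field uid "$3") || return 2
    img_gid=$(parse_id_field gid "$3") || return 2
    if [ "$img_uid" != "$1" ] || [ "$img_gid" != "$2" ]; then
        echo "drift: image runs as $img_uid:$img_gid, expected $1:$2" >&2
        return 1
    fi
}

# Pre-upgrade check: does the new image's user own the existing data path?
# Returns 2 if the path does not exist.
check_volume_against_image() {   # $1 = data path, $2 = id output
    [ -e "$1" ] || return 2
    owner=$(path_owner "$1")
    check_image_identity "${owner% *}" "${owner#* }" "$2"
}

# Real use (needs Docker), with IMAGE and DATA_DIR supplied by the operator:
#   check_volume_against_image "$DATA_DIR" \
#       "$(docker container run --rm --entrypoint id "$IMAGE")"
```

Run against a release candidate in CI with the expected `1000 1000`, `check_image_identity` fails the build on the 23.10.3 output before operators meet the ownership mismatch.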

@non-fungible-nelson
Contributor

Thank you for finding this and the report!

h4l added a commit to h4l/besu that referenced this issue Jan 9, 2024
fab-10 pushed a commit that referenced this issue Jan 9, 2024
The openjdk-latest Docker image is using UID 1001 for besu, because its
base image ubuntu:23.10 now contains a default "ubuntu" user with UID
1000. (This UID change causes the besu user with UID 1001 to not have
access to files created for past versions with UID 1000.)

We now remove the default ubuntu user and explicitly use UID 1000 when
creating the besu user.

Signed-off-by: Hal Blackburn <[email protected]>
fab-10 added a commit to Consensys/linea-besu that referenced this issue Jan 12, 2024
* fix: use UID 1000 for besu user (hyperledger#6358) (hyperledger#6360)
