This repository has been archived by the owner on Mar 26, 2022. It is now read-only.

bc-server runs as root - web server can't access recordings #3

Open
dseven opened this issue Dec 20, 2019 · 10 comments

Comments

@dseven

dseven commented Dec 20, 2019

Me again. Hope the feedback is useful. Let me know if not, and I'll go away :)

So I found that I was unable to play back recordings, through either the remote client or web. This is because bc-server is running as root, the files (and subdirectories) are created with only owner and group access, and the web server (running as www-data) is not in the root group.

I found an old motherboard to install Ubuntu on to experiment with non-docker. There, I see that bc-server is running as the bluecherry user and group, and that www-data is a member of the bluecherry group, so it does have access to the recordings.

root@gwmobo:~# ls -l /var/lib/bluecherry/recordings/2019/12/20/000001
total 52440
-rw-rw---- 1 bluecherry bluecherry   165201 Dec 20 01:15 01-15-48.jpg
-rw-rw---- 1 bluecherry bluecherry 53525027 Dec 20 01:20 01-15-48.mkv
root@gwmobo:~# ps -fu bluecherry
UID        PID  PPID  C STIME TTY          TIME CMD
blueche+ 16203     1 47 01:04 ?        00:35:38 /usr/sbin/bc-server -s -u bluecherry -g bluecherry
root@gwmobo:~# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),4(adm),20(dialout),29(audio),44(video),999(bluecherry)
root@gwmobo:~#
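A check for the permission mismatch described in this comment, as an added example that is not part of the issue or of the bluecherry project: given an `ls -l` listing of a recordings directory and the web-server account's `id` output (both constructed here to mirror the listings in the thread), it reports the entries that account cannot open. The function name and the sample values are assumptions.

```sh
#!/bin/sh
# Added example (not from the issue): report which entries under a recordings
# directory a web-server account cannot open, by reading an `ls -l` listing
# and the account's `id` output. Permission logic follows standard Unix DAC:
# files need the r bit, directories need the x bit (to traverse into them).

# Constructed sample listing, shaped like the `ls -l` output in the issue.
# The root-owned entries mimic what a bc-server running as root creates; the
# bluecherry-owned one mimics a server running as the bluecherry user.
LISTING='total 52440
-rw-rw---- 1 root root 165201 Dec 20 01:15 01-15-48.jpg
-rw-rw---- 1 bluecherry bluecherry 53525027 Dec 20 01:20 01-15-48.mkv
-rw-r--r-- 1 root root 1024 Dec 20 01:20 readme.txt
drwxr-x--- 3 root root 16 Dec 20 01:15 000002'

# Constructed `id www-data` output: www-data is a member of the bluecherry group.
WWW_ID='uid=33(www-data) gid=33(www-data) groups=33(www-data),4(adm),999(bluecherry)'

# unreadable_entries USER ID_LINE LISTING
# Prints, one per line, the names USER cannot read (file) or enter (directory).
unreadable_entries() {
  user=$1; idline=$2; listing=$3
  # Turn "groups=33(www-data),4(adm),..." into "www-data,adm,..."
  groups=$(printf '%s\n' "$idline" | sed 's/.*groups=//; s/[0-9]*(\([^)]*\))/\1/g')
  printf '%s\n' "$listing" | awk -v user="$user" -v groups="$groups" '
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) ingrp[g[i]] = 1 }
    NF >= 9 {
      mode = $1; owner = $3; grp = $4; name = $9
      if (user == "root") next                  # root bypasses mode bits
      off = (substr(mode, 1, 1) == "d") ? 2 : 0 # x bit for dirs, r bit for files
      if (owner == user)      pos = 2 + off     # owner triple: rwx at 2..4
      else if (grp in ingrp)  pos = 5 + off     # group triple: rwx at 5..7
      else                    pos = 8 + off     # other triple: rwx at 8..10
      if (substr(mode, pos, 1) == "-") print name
    }'
}

# Stand-alone usage: list what www-data cannot open in the sample listing.
unreadable_entries www-data "$WWW_ID" "$LISTING"
```

On a live host, feed it `ls -l /var/lib/bluecherry/recordings/...` and `id www-data` to confirm the fix before restarting the web server.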
@rayzorben
Owner

Can you try the recent commit?

Use id $(whoami) and set the BLUECHERRY_GROUP_ID and BLUECHERRY_USER_ID to the same as your user account in the .env file.

I have also added a new volume for /etc/bluecherry.conf so that the settings are retained between rebuilds/upgrades of the docker image - this is in docker-compose.yml.

@rayzorben
Owner

Never mind; if you haven't started yet, hold off. Found an issue.

@rayzorben
Owner

Okay, feel free to try now.

@dseven
Author

dseven commented Dec 24, 2019

Failing with:

# docker-compose up -d bluecherry
mysql is up-to-date
Creating bluecherry ... error

ERROR: for bluecherry  Cannot start service bluecherry: OCI runtime create failed: container_linux.go:346: starting container process caused "process_linux.go:449: container init caused \"rootfs_linux.go:58: mounting \\\"/root/ws/bluecherry-docker/etc/bluecherry.conf\\\" to rootfs \\\"/var/lib/docker/overlay2/60e3ce438bce58daea4489fa0f5ff99643ae3bd7b902534f8b6d4906e516a2a7/merged\\\" at \\\"/var/lib/docker/overlay2/60e3ce438bce58daea4489fa0f5ff99643ae3bd7b902534f8b6d4906e516a2a7/merged/etc/bluecherry.conf\\\" caused \\\"not a directory\\\"\"": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

Not sure if I have some cleanup to do, or ....... I'll poke at it some more as I get time.

@dseven
Author

dseven commented Dec 24, 2019

I think the issue is that etc/bluecherry.conf has to exist for the mount to work. If it doesn't exist, it gets created as a directory, not a file:

# find etc -ls
 36030024      0 drwxr-xr-x   3  root     root           29 Dec 23 16:57 etc
 72160757      0 drwxr-xr-x   2  root     root            6 Dec 23 16:57 etc/bluecherry.conf
# rmdir etc/bluecherry.conf
# touch etc/bluecherry.conf
# docker-compose up -d bluecherry
mysql is up-to-date
Starting bluecherry ... done
# 

@dseven
Author

dseven commented Dec 24, 2019

Of course now it doesn't work, because the config is blank. Where is the content for bluecherry.conf supposed to come from in the initial case?

@dseven
Author

dseven commented Dec 24, 2019

So in the Dockerfile, you're copying etc/bluecherry.conf* to /etc, and in docker-compose.yml you're mounting etc/bluecherry.conf. Seems you'd want to do one or the other, but not both? In any case, the file needs to not exist on initial startup - otherwise the database doesn't get created.

@rayzorben
Owner

Thanks for trying it out. It is weird, I got a similar message but then it worked for me. I built it with and without the file existing. I'll try to reproduce it on my end.

@dseven
Author

dseven commented Dec 24, 2019

No problem. I'm actually running BC on "bare metal" for now, but may consider docker in the future, and interested in learning more about it anyway.

A couple of other notes ... you're mounting /mnt/security on /recordings, but the recordings actually go in /var/lib/bluecherry/recordings (at least by default)...

root@17a0d6692c31:~# find /recordings -ls
 36030007      0 drwxr-xr-x   2 bluecherry bluecherry        6 Dec 24 04:38 /recordings
root@17a0d6692c31:~#
root@17a0d6692c31:~# find /var/lib/bluecherry/recordings -ls
 70954433      0 drwxr-x---   3 bluecherry bluecherry       18 Dec 24 07:33 /var/lib/bluecherry/recordings
 70954435      0 drwxr-x---   3 bluecherry bluecherry       16 Dec 24 07:33 /var/lib/bluecherry/recordings/2019
101560760      0 drwxr-x---   3 bluecherry bluecherry       16 Dec 24 07:33 /var/lib/bluecherry/recordings/2019/12
  2133420      0 drwxr-x---   3 bluecherry bluecherry       20 Dec 24 07:33 /var/lib/bluecherry/recordings/2019/12/24
 37733159      0 drwxr-x---   2 bluecherry bluecherry       46 Dec 24 07:33 /var/lib/bluecherry/recordings/2019/12/24/000001
 37733160  32704 -rw-rw----   1 bluecherry bluecherry 28441133 Dec 24 07:35 /var/lib/bluecherry/recordings/2019/12/24/000001/07-33-07.mkv
 37733161    184 -rw-rw----   1 bluecherry bluecherry   187492 Dec 24 07:33 /var/lib/bluecherry/recordings/2019/12/24/000001/07-33-07.jpg
root@17a0d6692c31:~#

It might be nice to make a variable in .env to specify where to store them too - not everyone would want to use /mnt/security.

By way of good news, the permissions fix looks good - I can play back recordings through the client now.

@rayzorben
Owner

Good news on the permissions. Just need to somehow fix the bluecherry.conf. It doesn't seem like there is a 'copy file if it exists' functionality. It should be created by the Docker build file as a file that exists on first run, so I am not sure why it would create it as a directory. I am playing with it.
