[jira] [Commented] (GUACAMOLE-919) An I/O error occurred while sending to the backend

2020-01-29 Thread Mike Jumper (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026456#comment-17026456
 ] 

Mike Jumper commented on GUACAMOLE-919:
---

{quote}
I have to say I disagree with this being a "minor" issue - it's preventing us 
from using Guacamole at all!
{quote}

That may be so, but it doesn't appear to be encountered by most users. I would 
definitely agree that "minor" is incorrect if this were an issue for any user 
of PostgreSQL, but so far that doesn't seem to be the case.

Given that others are not encountering this, it also seems likely that there 
may be a configuration change which allows things to work as expected, which 
would mean any users that are affected would have a workaround in the meantime.

{quote}
It also seems like a regression - when running 1.0.0 it works, but in the 
1.1.0-RC1 it doesn't work.
{quote}

This issue notes "1.0.0" as the affected version. Handling of database 
connections has also not been touched between 1.0.0 and 1.1.0. Given that the 
original reporter encountered this with 1.0.0, and given the nature of the 
changes made to the database auth between the versions, this does not seem to 
be a regression. If you are seeing things work with 1.0.0 but fail with 1.1.0, 
I suggest looking elsewhere for other environmental differences which may have 
taken effect at the same time.

> An I/O error occurred while sending to the backend
> --
>
> Key: GUACAMOLE-919
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-919
> Project: Guacamole
>  Issue Type: Bug
>  Components: guacamole-auth-jdbc-postgresql
>Affects Versions: 1.0.0
>Reporter: Mechanix
>Assignee: Nick Couchman
>Priority: Minor
> Attachments: image-2020-01-27-15-19-26-634.png
>
>
> Hi,
> we use guacamole with postgresql and the openid extension. Guacamole and guacd are 
> deployed inside a k8s cluster.
> For some reason, the authentication sporadically doesn't succeed; there is 
> only a blank page and this error message in the guacamole log:
> *[pool-1-thread-1] WARN o.a.i.d.pooled.PooledDataSource - Execution of ping 
> query 'SELECT 1' failed: An I/O error occurred while sending to the backend.*
> I suspect there is a weird timeout happening between guacamole and postgresql 
> but couldn't figure out why.
> Any hints are much appreciated. Thanks
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (GUACAMOLE-919) An I/O error occurred while sending to the backend

2020-01-29 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026455#comment-17026455
 ] 

Nick Couchman commented on GUACAMOLE-919:
-

[~DouglasHeriot]: For you, yes, this is a show-stopper.  The reason it has been 
classified as minor is that we only have two people reporting it at this time, 
and we don't really even know exactly what's causing it.  We've identified a 
couple of possibilities for what might fix it, but, as far as Guacamole is 
concerned, it isn't a bug, it's an enhancement to overcome what we suspect is 
happening in a couple of specific situations related to timeout/latency between 
client and DB.  It isn't being widely reported throughout the community on 
either 1.0.0 or 1.1.0, it seems to be pretty limited, so that's my rationale 
for having classified it as minor.

As far as it being a regression - I'm skeptical of that.  It is very 
interesting to me that it works for you in 1.0.0 and not in 1.1.0, but if you 
look at the original reported issue, it is against version 1.0.0, not 
1.1.0-RC1.  I don't know exactly what to make of that, but the fact that it is 
being reported by you and the original reporter in two different versions makes 
me think that it isn't a regression between those two versions, it's something 
else.  Is your 1.1.0-RC1 deployment running on exactly the same systems as 
1.0.0, and using exactly the same Postgres server, so that the only difference 
between the two is the Guacamole version?  And you're saying that, if you go 
back to 1.0.0 right now (in the environment where 1.1.0-RC1 does not work), 
that everything works as expected?






[jira] [Commented] (GUACAMOLE-919) An I/O error occurred while sending to the backend

2020-01-29 Thread Douglas Heriot (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-919?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026436#comment-17026436
 ] 

Douglas Heriot commented on GUACAMOLE-919:
--

I have to say I disagree with this being a "minor" issue - it's preventing us 
from using Guacamole at all! It also seems like a regression - when running 
1.0.0 it works, but in the 1.1.0-RC1 it doesn't work.

(We can't use 1.0.0 because it doesn't support using OpenID for authentication, 
and Postgres for assigning groups to access groups/connections)






[jira] [Commented] (GUACAMOLE-753) Add TOTP auth method to start.sh for Docker image

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-753?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026108#comment-17026108
 ] 

Jotam commented on GUACAMOLE-753:
-

Yes, it has been done through this commit for Duo:
https://github.com/apache/guacamole-client/commit/b9a99f0bc16181f2edcea86a90fb5738a760e90d
So it should be even easier for TOTP :) (y)

> Add TOTP auth method to start.sh for Docker image
> -
>
> Key: GUACAMOLE-753
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-753
> Project: Guacamole
>  Issue Type: New Feature
>Reporter: LM
>Priority: Minor
>
> I don't know how I should create a PR.
> TOTP should be easy to add to:
> [https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh]
> and 
> [https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/build-guacamole.sh]
> Thanks





[jira] [Commented] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026039#comment-17026039
 ] 

Jotam commented on GUACAMOLE-890:
-

chmoding /usr/local/tomcat/webapps/ in my local guacamole image does the trick; 
java properly starts as the 65534:65534 user.
So I think we are not so far from a proper fix ;) (y)

> Guacamole/Guacd Docker Process Privilege Drop
> -
>
> Key: GUACAMOLE-890
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-890
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole-docker
>Reporter: Anthony Boccia
>Priority: Minor
>  Labels: docker, security
>
> Hello,
> I noticed after deploying Guacamole in docker that the processes all run as 
> the root user. Are there any plans to add support for specifying a user for 
> the processes to drop privs to and run as instead of root? I am currently 
> doing this by rebuilding the containers for guacamole and guacd, adding in my 
> own user and using docker compose to exec all processes triggered within the 
> container as that user. I feel like the option to specify this should be done 
> upstream.
> Thank You





[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026031#comment-17026031
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 4:51 PM:
--

OK, I made nice progress.
As the 65534 user has {{/nonexistent}} as its {{$HOME}} directory in the 
container, I gave it another one so that it can do the deployment, as required 
by the 
[start.sh|https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh]
 script.

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -e HOME=/tmp -u 65534:65534 -p 8080:8080 
guacamole/guacamole:1.1.0-RC1}}
{{{color:#DE350B}ln: failed to create symbolic link 
'/usr/local/tomcat/webapps/guacamole.war': Permission denied{color}}}

It still fails, but this time the error is a relevant one: a permission error.
It's the very last step before Catalina starts.
Perhaps we could then find a fix, or at least a workaround.








[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026031#comment-17026031
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 4:51 PM:
--

OK, I made nice progress.
As the 65534 user has {{/nonexistent}} as its {{$HOME}} directory in the 
container, I gave it another one so that it can do the deployment, as required 
by the 
[start.sh|https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh]
 script.

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -e HOME=/tmp -u 65534:65534 -p 8080:8080 
guacamole/guacamole:1.1.0-RC1}}
{{{color:#DE350B}ln: failed to create symbolic link 
'/usr/local/tomcat/webapps/guacamole.war': Permission denied{color}}}

It still fails, but this time the error is a relevant one: a permission error.
It's the very last step before Catalina starts.
Perhaps we could then find a fix, or at least a workaround.








[jira] [Commented] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17026031#comment-17026031
 ] 

Jotam commented on GUACAMOLE-890:
-

OK, I made nice progress.
As the 65534 user has {{/nonexistent}} as its {{$HOME}} directory, I gave it 
another one so that it can do the deployment, as required by the 
[start.sh|https://github.com/apache/guacamole-client/blob/master/guacamole-docker/bin/start.sh]
 script.

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -e HOME=/tmp -u 65534:65534 -p 8080:8080 
guacamole/guacamole:1.1.0-RC1}}
{{{color:#DE350B}ln: failed to create symbolic link 
'/usr/local/tomcat/webapps/guacamole.war': Permission denied{color}}}

It still fails, but this time the error is a relevant one: a permission error.
It's the very last step before Catalina starts.
Perhaps we could then find a fix, or at least a workaround.




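Added example for the privilege-drop attempt in this thread; it is not code from the Guacamole project or from any commenter. `link_war` does the same thing as the final start.sh step that failed for uid 65534 (symlinking the WAR into /usr/local/tomcat/webapps) but checks writability first so the failure is explicit before Tomcat starts, and `privileged_procs` reads `ps -ef` / `docker top` style output and lists every process not running as the expected user, which is how the root-owned java process shown above would be caught. The WAR path, the webapps directory and the sample ps lines are assumed or constructed.

```shell
#!/bin/sh
# Added example for GUACAMOLE-890 (not from the Guacamole project): verify that a
# container really dropped privileges, and fail early on the webapps permission
# problem instead of letting Tomcat start half-deployed.

# link_war WAR WEBAPPS_DIR
# Same operation as the last step of start.sh that failed for uid 65534
# ("ln: failed to create symbolic link ... Permission denied"), with an explicit
# writability check and a hint about the fix (ownership/mode of the webapps dir
# in the image). Returns 1 without touching anything when it cannot work.
link_war() {
    war=$1
    webapps=$2
    if [ ! -d "$webapps" ] || [ ! -w "$webapps" ]; then
        printf 'refusing to deploy: %s is not a directory writable by uid %s; ' \
               "$webapps" "$(id -u)" >&2
        printf 'chown or chmod it for the runtime user when building the image\n' >&2
        return 1
    fi
    ln -sf "$war" "$webapps/guacamole.war"
}

# privileged_procs EXPECTED_USER   (reads ps -ef / docker top output on stdin)
# Prints "<user> <command>" for every process whose UID column is not
# EXPECTED_USER and exits 1 if any were found, 0 otherwise. A header line
# starting with UID is skipped, so `ps -ef | grep ...` output works as well.
privileged_procs() {
    awk -v want="$1" '
        $1 == "UID" { next }                       # column header line
        $1 != want  { found = 1; print $1, $8 }    # $8 is CMD in ps -ef layout
        END         { exit found ? 1 : 0 }
    '
}

# Constructed sample modelled on the ps -ef output in the thread (not a real
# capture): guacd dropped to nobody, the Tomcat java process still root.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
nobody   21286 21266  0 15:57 ?        00:00:00 /bin/sh -c /usr/local/guacamole/sbin/guacd -b 0.0.0.0 -f
nobody   21344 21286  0 15:57 ?        00:00:00 /usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f
root     24724 24706  7 16:01 ?        00:00:14 /docker-java-home/jre/bin/java org.apache.catalina.startup.Bootstrap start'

# check_sample: run the sample through privileged_procs expecting everything to
# run as "nobody"; prints the offending process and returns 1 because of java.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | privileged_procs nobody
}

# Real use against a running container (assumed container name):
#   docker top some-guacamole | privileged_procs nobody || echo "privileges not fully dropped"
```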


[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:32 PM:
--

So, below you can see that I can easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it starts flawlessly, but 
then the _java_ process runs as the root user.

Feel free to ask if you need more tests / info to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d {color:#00875a}-u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{{# ps -ef | grep guacd}}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
8080:8080 guacamole/guacamole:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{{# docker rm b0826b7240c0}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 8080:8080 guacamole/guacamole:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
   STATUS        PORTS          NAMES}}
{{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 8080->8080/tcp some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp       some-guacd}}

{{# ps -ef | grep java}}
{{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}



[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:30 PM:
--

So, below you can see that I can easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it starts flawlessly, but 
then the _java_ process runs as the root user.

Feel free to ask if you need more tests / info to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d {color:#00875a}-u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{{# ps -ef | grep guacd}}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{{# docker rm b0826b7240c0}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
   STATUS        PORTS                    NAMES}}
{{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{{# ps -ef | grep java}}
{{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}



[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:29 PM:
--

So, below you can see that I can easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it starts flawlessly, but 
then the _java_ process runs as the root user.

Feel free to ask if you need more tests / info to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d {color:#00875a}-u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{{# ps -ef | grep guacd}}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{{# docker rm b0826b7240c0}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
   STATUS        PORTS                    NAMES}}
{{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{{# ps -ef | grep java}}
{{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}



[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:28 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d {color:#00875a}-u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{{# ps -ef | grep guacd}}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{{# docker rm b0826b7240c0{color}}}

{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
   STATUS        PORTS                    NAMES}}
{{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{{# ps -ef | grep java}}
{{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d {color:#00875a}-u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1{color}}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 

[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:27 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d {color:#00875a}-u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1{color}}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{{{color:#4c9aff}# docker rm b0826b7240c0{color}}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1{color}}}

{color:#4c9aff}{{# docker ps -a}}{color}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
   STATUS        PORTS                    NAMES}}
{{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
{{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d -u 65534:65534 guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -u 65534:65534{color} -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1{color}}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED 

[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:25 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d -u 65534:65534 guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -u 65534:65534{color} -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1{color}}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{{{color:#4c9aff}# docker rm b0826b7240c0{color}}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1{color}}}

{color:#4c9aff}{{# docker ps -a}}{color}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
   STATUS        PORTS                    NAMES}}
{{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
{{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d -u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -u 65534:65534{color} -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1{color}}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                 

[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:23 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{{# docker run --name some-guacd -d -u 65534:65534{color} 
guacamole/guacd:1.1.0-RC1}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
{{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
{{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -u 65534:65534{color} -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1{color}}}

{{# docker ps -a}}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
{{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{{{color:#4c9aff}# docker rm b0826b7240c0{color}}}

{{{color:#4c9aff}# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1{color}}}

{color:#4c9aff}{{# docker ps -a}}{color}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
   STATUS        PORTS                    NAMES}}
{{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
{{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
{{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacd -d -u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{{# docker ps -a}}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacamole --link 
some-guacd:guacd -e MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e 
MYSQL_USER=guacamole -e MYSQL_PASSWORD='guacamole' -d -u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}}{color}

{{# docker ps -a}}
 {{CONTAINER ID IMAGE                     

[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:20 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacd -d -u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{{# docker ps -a}}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacamole --link 
some-guacd:guacd -e MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e 
MYSQL_USER=guacamole -e MYSQL_PASSWORD='guacamole' -d -u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}}{color}

{{# docker ps -a}}
 {{CONTAINER ID IMAGE                         COMMAND                CREATED    
   STATUS                   PORTS    NAMES}}
 {{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{color:#4c9aff}{{# docker rm b0826b7240c0}}{color}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                         COMMAND                CREATED    
    STATUS        PORTS                    NAMES}}
 {{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
 {{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacd -d 
{color:#00875a}-u 65534:65534{color}{color} guacamole/guacd:1.1.0-RC1}}{color}
 
 {{# docker ps -a}}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacamole --link 
some-guacd:guacd -e MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e 
MYSQL_USER=guacamole -e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 
65534:65534{color}{color} -p 

[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:19 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacd -d 
{color:#00875a}-u 65534:65534{color}{color} guacamole/guacd:1.1.0-RC1}}{color}
 
 {{# docker ps -a}}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{{color:#4c9aff}# docker run --name some-guacamole --link 
some-guacd:guacd -e MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e 
MYSQL_USER=guacamole -e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 
65534:65534{color}{color} -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}{color}
 
 {{# docker ps -a}}
 {{CONTAINER ID IMAGE                         COMMAND                CREATED    
   STATUS                   PORTS    NAMES}}
 {{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{color:#4c9aff}{{# docker rm b0826b7240c0}}{color}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                         COMMAND                CREATED    
    STATUS        PORTS                    NAMES}}
 {{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
 {{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{# docker run --name some-guacd -d {color:#00875a}-u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 

[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:18 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it flawlessly starts, but 
then the _java_ process runs as root user.

Feel free if you need more test / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{# docker run --name some-guacd -d {color:#00875a}-u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
 {{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{color:#4c9aff}{{# docker rm b0826b7240c0}}{color}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                         COMMAND                CREATED    
    STATUS        PORTS                    NAMES}}
 {{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
 {{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it starts flawlessly, but 
the _java_ process runs as the root user.

Feel free to ask if you need more tests / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{# docker run --name some-guacd -d {color:#00875a}-u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} 

[jira] [Comment Edited] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam edited comment on GUACAMOLE-890 at 1/29/20 3:17 PM:
--

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it starts flawlessly, but 
the _java_ process runs as the root user.

Feel free to ask if you need more tests / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{# docker run --name some-guacd -d {color:#00875a}-u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
 {{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{color:#4c9aff}{{# docker rm b0826b7240c0}}{color}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                         COMMAND                CREATED    
    STATUS        PORTS                    NAMES}}
 {{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
 {{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}


was (Author: jotam):
So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it starts flawlessly, but 
the _java_ process runs as the root user.

Feel free to ask if you need more tests / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{# docker run --name some-guacd -d {color:#00875a}-u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 

[jira] [Commented] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025957#comment-17025957
 ] 

Jotam commented on GUACAMOLE-890:
-

So, below you can see that I easily start a guacd container using the 
65534:65534 user.

I then try to do the same with the guacamole container, but it fails.

I then start it without the docker _-u_ option, and it starts flawlessly, but 
the _java_ process runs as the root user.

Feel free to ask if you need more tests / info to try to sort this out.

Thank you Nick for your support (y)

{color:#4c9aff}{{# docker run --name some-guacd -d {color:#00875a}-u 
65534:65534{color} guacamole/guacd:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                     COMMAND                CREATED        
STATUS       PORTS    NAMES}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1 "/bin/sh -c '/usr/lo…" 10 seconds ago 
{color:#00875a}Up 9 seconds{color} 4822/tcp some-guacd}}

{color:#4c9aff}{{# ps -ef | grep guacd}}{color}
 {{{color:#00875a}nobody{color} 21286 21266 0 15:57 ? 00:00:00 /bin/sh -c 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f}}
 {{{color:#00875a}nobody{color} 21344 21286 0 15:57 ? 00:00:00 
/usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f}}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d {color:#00875a}-u 65534:65534{color} -p 
127.0.0.1:8080:8080 guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
{{CONTAINER ID IMAGE                         COMMAND                CREATED     
  STATUS                   PORTS    NAMES}}
 {{b0826b7240c0 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 6 seconds 
ago {color:#de350b}Exited (1) 4 seconds ago{color}          some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 2 minutes 
ago Up 2 minutes             4822/tcp some-guacd}}

{color:#4c9aff}{{# docker rm b0826b7240c0}}{color}

{color:#4c9aff}{{# docker run --name some-guacamole --link some-guacd:guacd -e 
MYSQL_HOSTNAME=10.10.10.10 -e MYSQL_DATABASE=guacamole -e MYSQL_USER=guacamole 
-e MYSQL_PASSWORD='guacamole' -d -p 127.0.0.1:8080:8080 
guacamole/guacamole:1.1.0-RC1}}{color}

{color:#4c9aff}{{# docker ps -a}}{color}
 {{CONTAINER ID IMAGE                         COMMAND                CREATED    
    STATUS        PORTS                    NAMES}}
 {{b7e4d16aa766 guacamole/guacamole:1.1.0-RC1 "/opt/guacamole/bin/…" 13 seconds 
ago {color:#00875a}Up 13 seconds{color} 127.0.0.1:8080->8080/tcp 
some-guacamole}}
 {{e145bb6006a2 guacamole/guacd:1.1.0-RC1     "/bin/sh -c '/usr/lo…" 3 minutes 
ago  Up 3 minutes  4822/tcp                 some-guacd}}

{color:#4c9aff}{{# ps -ef | grep java}}{color}
 {{{color:#de350b}root{color} 24724 24706 7 16:01 ? 00:00:14 
/docker-java-home/jre/bin/java 
-Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties 
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 
-Djdk.tls.ephemeralDHKeySize=2048 
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources 
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027 
-Dignore.endorsed.dirs= -classpath 
/usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar 
-Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat 
-Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap 
start}}

> Guacamole/Guacd Docker Process Privilege Drop
> -
>
> Key: GUACAMOLE-890
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-890
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole-docker
>Reporter: Anthony Boccia
>Priority: Minor
>  Labels: docker, security
>
> Hello,
> I noticed after deploying Guacamole in docker that the processes all run as 
> the root user. Are there any plans to add support for specifying a user for 
> the processes to drop privs to and run as instead of root? I am currently 
> doing this by rebuilding the containers for guacamole and guacd, adding in my 
> own user, and using docker compose to exec all processes triggered within the 
> container as that user. I feel like the option to specify this should be done 
> upstream.
> Thank You



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
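A defender-side check for the situation Jotam's `ps -ef` output above shows (the guacd processes running as nobody, the Tomcat java process as root), written here as an added example: it is not code from the Jira thread or from the Guacamole project, the sample lines are constructed after the thread's output, and the function names and the assumption that `ps` exists inside the container are my own.

```shell
#!/bin/sh
# Added example, not part of the Jira thread: audit `ps -ef` style output for
# processes that still run as root. Column layout as in the thread's output:
#   UID PID PPID C STIME TTY TIME CMD...
# Function and variable names here are my own (hypothetical).

# root_procs PATTERN
# Reads ps -ef lines on stdin; prints "PID CMD" for every root-owned process
# whose command line matches the extended regex PATTERN.
root_procs() {
    awk -v pat="$1" '
        NR == 1 && $1 == "UID" { next }          # skip the ps header line
        $1 == "root" {
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            if (cmd ~ pat) print $2 " " cmd
        }'
}

# audit_root PATTERN
# Same input on stdin; returns 1 (and lists the offenders on stderr) when any
# matching process runs as root, 0 when none does. Usable as a CI gate or a
# post-deploy check after `docker exec <container> ps -ef`.
audit_root() {
    found=$(root_procs "$1")
    if [ -n "$found" ]; then
        printf 'root-owned process(es) matching %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample modelled on the thread: guacd dropped to nobody via
# `-u 65534:65534`, while the Tomcat java process of the guacamole container
# still runs as root. PIDs and times are made up.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
nobody   21286 21266  0 15:57 ?        00:00:00 /bin/sh -c /usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f
nobody   21344 21286  0 15:57 ?        00:00:00 /usr/local/guacamole/sbin/guacd -b 0.0.0.0 -L info -f
root     24724 24706  7 16:01 ?        00:00:14 /docker-java-home/jre/bin/java -Dcatalina.base=/usr/local/tomcat org.apache.catalina.startup.Bootstrap start
root         1     0  0 15:50 ?        00:00:01 /sbin/init'

# Example invocation (lists the java process on stderr and returns 1):
#   printf '%s\n' "$SAMPLE_PS" | audit_root 'guacd|java'
# Against a running container (assumes ps is installed in the image):
#   docker exec some-guacamole ps -ef | audit_root 'guacd|java'
```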


[jira] [Commented] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025946#comment-17025946
 ] 

Nick Couchman commented on GUACAMOLE-890:
-

{quote}
Server processes are usually meant to be run as non-root users, so I think this 
report is rather important.

Perhaps it's a minor thing which prevents the guacamole container from starting 
using a non-root user?

In its startup script perhaps? Some permission issue?
{quote}

Yes, I understand and agree, and I would not suggest that anyone run something 
like Guacamole as a root user.  I do not use Docker, but I routinely run as 
non-root users in my environment.

My question to you is: can you provide us with more detail on what you're 
seeing that prevents you from running as a non-root user?  Please help us 
understand why this doesn't work, as I believe it should work perfectly fine.

{quote}
If it's such a tiny / non-impacting thing, perhaps we could think about it as a 
security improvement for 1.1.0?
{quote}

No, the only issues that will be included in 1.1.0 from this point are those 
that are considered regressions in functionality.  Because we haven't even 
determined that there is an issue here, to begin with, let alone what needs to 
be changed or the level of effort to change it, we will not alter the 1.1.0 
release.  The only way this would make it into the 1.1.0 release at this point 
is if we determine very quickly that this is a regression due to another change 
in 1.1.0.  And, even then, it's getting a little late.



[jira] [Commented] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025929#comment-17025929
 ] 

Jotam commented on GUACAMOLE-890:
-

Thank you Nick for your feedback.

Server processes are usually meant to be run as non-root users, so I think this 
report is rather important.

Perhaps it's a minor thing which prevents the guacamole container from starting 
using a non-root user?

In its startup script perhaps? Some permission issue?

If it's such a tiny / non-impacting thing, perhaps we could think about it as a 
security improvement for 1.1.0?

Thank you again for your support & understanding!



[jira] [Commented] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Nick Couchman (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025925#comment-17025925
 ] 

Nick Couchman commented on GUACAMOLE-890:
-

{quote}
Unfortunately, this does not work for the guacamole container... We then have 
one of the 2 components running as root, which is not really a good thing...
{quote}

Why not?

{quote}
Would be nice to have this fixed for the 1.1.0 release.
{quote}

This will not be fixed or changed in the 1.1.0 release - the release is almost 
completed and is in final RC stages, now.  *If* any changes need to be made 
they will be in a future release.



[jira] [Commented] (GUACAMOLE-890) Guacamole/Guacd Docker Process Privilege Drop

2020-01-29 Thread Jotam (Jira)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17025917#comment-17025917
 ] 

Jotam commented on GUACAMOLE-890:
-

You're right, we can easily choose a non-root user for the _guacd_ container, 
through the compose file, or using _-u_ option of the _docker run_ command.

Unfortunately, this does not work for the guacamole container... We then have 
one of the 2 components running as root, which is not really a good thing...

Could we then have a look at this security issue, please?

It would be nice to have this fixed for the 1.1.0 release.

Many thanks!
