🐛 Bug Report: Scripts inside /app/scripts/docker are non-executable #306

Closed
opened 2025-10-07 00:09:51 +03:00 by OVERLORD · 7 comments
Owner

Originally created by @MrRubberDucky on GitHub.

Reproduction steps

I realize there's a way to do it via PGID and PUID, though I'm personally not a fan of such a workaround as it uses su-exec under the hood. That's why I wanted to execute the entrypoint script directly; for now I work around this issue by mounting the entrypoint script over /sbin/su-exec and that works.

Not sure if this is an oversight or intentional, since I can see in the Dockerfile that we are doing chmod +x /scripts/*.sh, but this only affects one of the scripts (which is the token generation one) and any other script in any other folder is still treated as non-executable.

(I'm omitting fixing up permissions on file mounts for this one; it will still launch but you'll most likely get an error on the actual app. That doesn't matter for this issue though, as the container will still launch.)

  1. Launch container as user ex. 1001:1001
  2. Change entrypoint to /app/scripts/docker/entrypoint.sh
  3. Container exits with permission denied error

Expected behavior

Container starts up.

Actual Behavior

Container exits with /bin/sh: /app/scripts/docker/entrypoint.sh: Permission denied

Version and Environment

Podman v5.4.0 (Quadlet), Pocket-ID v0.39.0, User set to 1001:1001 and Exec=/bin/sh -c /app/scripts/docker/entrypoint.sh

Log Output

mar 12 20:57:04 systemd[694]: Starting POCKETID.service - PocketID - OIDC...
(...)
mar 12 20:57:05 systemd[694]: Started POCKETID.service - PocketID.
(...)
mar 12 20:57:05 pocket-id[1077427]: /bin/sh: /app/scripts/docker/entrypoint.sh: Permission denied
(...)
mar 12 20:57:05 systemd[694]: POCKETID.service: Main process exited, code=exited, status=126/n/a
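The report above comes down to one Dockerfile line, chmod +x /scripts/*.sh, covering a single directory while scripts elsewhere in the image keep their 0644 mode; that goes unnoticed when the container runs as root and surfaces as status 126 as soon as it runs as an arbitrary UID. The following audit is an added example, not pocket-id's own code: it lists every *.sh file under a tree that lacks the "other" execute bit (the bit that matters for a UID such as 1001 that owns nothing in the image), applies the broad chmod that fixes the whole tree, and exercises both on a constructed fixture mirroring the paths named in the issue. The directory layout, file names and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not pocket-id's own code): audit a directory tree for *.sh
# files that an arbitrary container UID could not execute, then fix them.
# The fixture paths below are constructed to mirror the layout in the issue.
set -u

# Print every *.sh under $1 that lacks the "other" execute bit (octal 001).
# Group/other bits are what matter when the container runs as a UID that is
# neither root nor the file owner, e.g. User=1001:1001 in a quadlet.
find_nonexec_scripts() {
    find "$1" -type f -name '*.sh' ! -perm -001 -print | sort
}

# Number of such scripts, printed on stdout.
count_nonexec_scripts() {
    find_nonexec_scripts "$1" | wc -l | tr -d ' '
}

# Remediation that covers every script folder instead of one glob. The
# Dockerfile equivalent (assumed, not the project's own line) would be:
#   RUN find /app /scripts -type f -name '*.sh' -exec chmod a+x {} +
make_scripts_executable() {
    find "$1" -type f -name '*.sh' -exec chmod a+x {} +
}

# Build a constructed fixture resembling the issue: one script already marked
# executable by the Dockerfile's chmod, one in another folder left at 0644.
# Prints the fixture root so callers can clean it up.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/scripts" "$root/app/scripts/docker"
    printf '#!/bin/sh\necho token\n' > "$root/scripts/generate-token.sh"
    printf '#!/bin/sh\necho entrypoint\n' > "$root/app/scripts/docker/entrypoint.sh"
    chmod 0755 "$root/scripts/generate-token.sh"
    chmod 0644 "$root/app/scripts/docker/entrypoint.sh"
    printf '%s\n' "$root"
}

# Run the audit before and after remediation; prints "<before> <after>" counts.
demo() {
    root=$(make_fixture)
    before=$(count_nonexec_scripts "$root")
    make_scripts_executable "$root"
    after=$(count_nonexec_scripts "$root")
    rm -rf "$root"
    printf '%s %s\n' "$before" "$after"
}
```

Running find_nonexec_scripts against an unpacked image rootfs (or inside the container with the same UID the unit file sets) is a cheap build-time check that catches this class of regression before a Quadlet or non-root Docker deployment does; the audit deliberately tests the "other" bit rather than the caller's own -x, so it gives the same answer whether it is run as root or as the service user.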
OVERLORD added the bug label 2025-10-07 00:09:51 +03:00
Author
Owner

@MrRubberDucky commented on GitHub:

> Just to confirm here, if you run it as GID and UID 1000 does it work?

No, same error.

$> podman logs pocket-id
/bin/sh: /app/scripts/docker/entrypoint.sh: Permission denied
Author
Owner

@MrRubberDucky commented on GitHub:

> The issue is probably caused by the chmod command that doesn't add write permissions to the scripts inside the docker folder. This probably works in Docker but not with Podman as Podman doesn't start the container as a root user.
>
> Could you test the ghcr.io/pocket-id/pocket-id:development and let me know if this is fixed?

Yup, it's fixed. Thanks ❤

Author
Owner

@stonith404 commented on GitHub:

The issue is probably caused by the chmod command that doesn't add write permissions to the scripts inside the docker folder. This probably works in Docker but not with Podman as Podman doesn't start the container as a root user.

Could you test the ghcr.io/pocket-id/pocket-id:development and let me know if this is fixed?

Author
Owner

@kmendell commented on GitHub:

I can't seem to replicate this, I would guess this is a Podman quadlet thing, it doesn't happen with Docker. I don't use Podman, nor do I know much about quadlets, so I'm not sure how these work, or why it would work on Docker and not those.

@stonith404 Ideas?

Author
Owner

@kmendell commented on GitHub:

Just to confirm here, if you run it as GID and UID 1000 does it work?

Author
Owner

@kmendell commented on GitHub:

Adding for reference.

This was fixed in: ec4b41a1d26ea00bb4a95f654ac4cc745b2ce2e8.

Author
Owner

@stonith404 commented on GitHub:

Fixed in the latest version.


Reference: starred/pocket-id#306