design-group / ignition-docker

A preloaded Ignition Docker Development Environment

[BUG] temp user creation on container creation

JDDyson opened this issue

Describe the bug
Creating the container causes a user "temp_X" to be created. It seems to be using gwcmd.sh with -r to create a temp user for gateway access. This occurs every time the container is created.

To Reproduce
Down the container and create a new one: docker-compose down && docker-compose up -d creates another temp user.

Expected behavior
Should have no "temp_X" users.

Development Environment (please complete the following information):

- OS: Windows / RHEL
- Version 8 / release 8.7 (Ootpa)

Would you be able to share your docker-compose file?

My guess is this is from a compose-up when the data folder is already present, which is causing the gwcmd command that resets the password to execute.

Haven't tested that idea yet, though.

docker-compose

services:
  proxy:
    image: traefik:v2.9
    container_name: proxy
    restart: always
    ports:
      - 80:80
    environment: # https://docs.traefik.io/reference/static-configuration/env/
      - TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=:80
      - TRAEFIK_API_DASHBOARD=true
      - TRAEFIK_PROVIDERS_DOCKER=true
      - TRAEFIK_PROVIDERS_DOCKER_EXPOSEDBYDEFAULT=true
      - TRAEFIK_PROVIDERS_DOCKER_NETWORK=proxy
      - TRAEFIK_PROVIDERS_DOCKER_ALLOWEMPTYSERVICES=true
    labels:
      traefik.enable: "true"
      traefik.http.routers.proxy.entrypoints: "web"
      traefik.http.routers.proxy.rule: "Host(`proxy.dco.int`)"
      traefik.http.routers.proxy.service: "api@internal"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  data-hub:
    image: bwdesigngroup/ignition-docker-iiot:latest
    hostname: data-hub
    container_name: data-hub
    ports:
      - 8088
    volumes:
      # - ./data-hub-data:/workdir
      - ./backups/data-hub.gwbk:/restore.gwbk
      - ./modules/data-hub/Azure-Injector-signed.modl:/modules/Azure-Injector-signed.modl
      - ./modules/Enterprise-Administration-module.modl:/modules/Enterprise-Administration-module.modl
    environment:
      - SYMLINK_GITIGNORE=false
      - SYMLINK_LOGBACK=false
      - IIOT_MODULES_ENABLED=mqtt-engine, mqtt-transmission
    command: >
      -r /restore.gwbk

  broker:
    image: bwdesigngroup/ignition-docker-iiot:latest
    hostname: broker
    container_name: broker
    ports:
      - 8088
    volumes:
      - ./backups/broker.gwbk:/restore.gwbk
    environment:
      - SYMLINK_GITIGNORE=false
      - SYMLINK_LOGBACK=false
      - IIOT_MODULES_ENABLED=mqtt-distributor
    command: >
      -r /restore.gwbk

  data-collector:
    image: bwdesigngroup/ignition-docker-iiot:latest
    hostname: data-collector
    container_name: data-collector
    ports:
      - 8088
    volumes:
      # - ./data-collector-data:/workdir
      - ./backups/data-collector.gwbk:/restore.gwbk
      - ./modules/data-collector/snmp-1.11.7.modl:/modules/snmp-1.11.7.modl
      - ./modules/Enterprise-Administration-module.modl:/modules/Enterprise-Administration-module.modl
    environment:
      - SYMLINK_GITIGNORE=false
      - SYMLINK_LOGBACK=false
      - SYMLINK_THEMES=false
      - IIOT_MODULES_ENABLED=mqtt-transmission        
    command: >
      -r /restore.gwbk

networks:
  default:
  proxy:

docker-compose.traefik.yml

services:
  data-hub:
    labels:
      traefik.enable: "true"
      traefik.http.routers.data-hub.entrypoints: "web"
      traefik.http.routers.data-hub.rule: "Host(`data-hub.dco.int`)"
      traefik.http.services.data-hub.loadbalancer.server.port: "8088"
    environment:
      GATEWAY_SYSTEM_NAME: data-hub
      GATEWAY_PUBLIC_HTTP_PORT: 80
      GATEWAY_PUBLIC_HTTPS_PORT: 443
      GATEWAY_PUBLIC_ADDRESS: data-hub.dco.int
    networks:
      - default
      - proxy

  data-collector:
    labels:
      traefik.enable: "true"
      traefik.http.routers.data-collector.entrypoints: "web"
      traefik.http.routers.data-collector.rule: "Host(`data-collector.dco.int`)"
      traefik.http.services.data-collector.loadbalancer.server.port: "8088"
    environment:
      GATEWAY_SYSTEM_NAME: data-collector
      GATEWAY_PUBLIC_HTTP_PORT: 80
      GATEWAY_PUBLIC_HTTPS_PORT: 443
      GATEWAY_PUBLIC_ADDRESS: data-collector.dco.int
      GATEWAY_NETWORK_0_HOST: data-hub
    networks:
      - default
      - proxy
  
  broker:
    labels:
      traefik.enable: "true"
      traefik.http.routers.broker.entrypoints: "web"
      traefik.http.routers.broker.rule: "Host(`broker.dco.int`)"
      traefik.http.services.broker.loadbalancer.server.port: "8088"
    environment:
      GATEWAY_SYSTEM_NAME: broker
      GATEWAY_PUBLIC_HTTP_PORT: 80
      GATEWAY_PUBLIC_HTTPS_PORT: 443
      GATEWAY_PUBLIC_ADDRESS: broker.dco.int
    networks:
      - default
      - proxy

I'm using both yml files; these are the same compose files as in issue #56.

This is likely happening due to the use of GATEWAY_ADMIN_PASSWORD being pre-loaded by the image.

When that environment variable is used, it uses the gwcmd.sh utility to reset the password on container creation, meaning there will always be at least 1 of those tmp user sources. Take a few backups over time, and they increase.

To fix this I would likely need to implement the register-password scripts located in this @thirdgen88 repo
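The compose files above never set GATEWAY_ADMIN_PASSWORD, so the reset described in the last comment is invisible from the compose side. The following check is an added example, not code from this repository or its maintainers: it compares `docker inspect` output with the merged compose services and reports where the variable comes from. The function names and sample data are hypothetical, and it assumes each container_name matches its service name, as in the files above.

```python
import json

ADMIN_PW_VAR = "GATEWAY_ADMIN_PASSWORD"  # variable named in the issue thread


def compose_env_keys(environment):
    """Variable names from a compose `environment:` value (list or map form)."""
    if not environment:
        return set()
    if isinstance(environment, dict):
        return set(environment)
    return {str(item).split("=", 1)[0].strip() for item in environment}


def audit(inspect_json, compose_services):
    """Classify each container by where ADMIN_PW_VAR in its runtime env comes from."""
    findings = {}
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        runtime = {e.split("=", 1)[0] for e in container["Config"].get("Env") or []}
        declared = compose_env_keys(compose_services.get(name, {}).get("environment"))
        if ADMIN_PW_VAR not in runtime:
            findings[name] = "not set"
        elif ADMIN_PW_VAR in declared:
            findings[name] = "set in compose"
        else:
            findings[name] = "inherited from image"
    return findings


# Constructed sample data: trimmed `docker inspect` output and merged compose services.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/data-hub", "Config": {"Env": ["SYMLINK_LOGBACK=false",
                                             "GATEWAY_ADMIN_PASSWORD=constructed-value"]}},
    {"Name": "/broker", "Config": {"Env": ["GATEWAY_ADMIN_PASSWORD=constructed-value"]}},
    {"Name": "/proxy", "Config": {"Env": ["TRAEFIK_PROVIDERS_DOCKER=true"]}},
])
SAMPLE_SERVICES = {
    "data-hub": {"environment": {"GATEWAY_SYSTEM_NAME": "data-hub"}},         # map form
    "broker": {"environment": ["GATEWAY_ADMIN_PASSWORD=constructed-value"]},  # list form
    "proxy": {"environment": ["TRAEFIK_PROVIDERS_DOCKER=true"]},
}

if __name__ == "__main__":
    for name, source in audit(SAMPLE_INSPECT, SAMPLE_SERVICES).items():
        print(f"{name}: {ADMIN_PW_VAR} {source}")
```

Containers reported as "inherited from image" are the ones where, per the explanation above, the password reset runs on every creation without anything in the compose file indicating it.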