1. Environment
– Linux environment
– MCCS-ENT (all versions up to and including 4.5.6-A3)
2. Symptoms
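1) Because of how Docker works, the host and the container run in namespace-separated environments, so each has its own separate set of users.
2) The application users that exist inside the Gam Container are as follows: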
user | uid | gid |
www-data | 33 | 33 |
rabbitmq | 102 | 106 |
postgres | 106 | 111 |
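3) As a result, when ps -ef is run on the host server, the UID column shows a number because no matching user exists on the host (the number is the UID of the user inside the Gam Container).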
[demo-mdrm]root:> ps -ef
UID PID PPID C STIME TTY TIME CMD
106 26418 24229 0 10:41 ? 00:00:01 /usr/lib/postgresql/9.6/bin/postgres -D /var/lib/postgresql/9.6/main -c config_file=/etc/postgresql/9.6/main/postgresql.conf
106 26421 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: checkpointer process
106 26422 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: writer process
106 26423 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: wal writer process
106 26424 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: autovacuum launcher process
106 26425 26418 0 10:41 ? 00:00:03 postgres: 9.6/main: stats collector process
106 26426 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(44180) idle
106 26427 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(40291) idle
106 26428 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(46144) idle
106 26429 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(33355) idle
106 26430 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(41825) idle
106 26432 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(56739) idle
106 26433 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(50394) idle
106 26434 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(44894) idle
106 26435 26418 0 10:41 ? 00:00:00 postgres: 9.6/main: opscode_chef opscode_chef 127.0.0.1(60976) idle
102 26540 24229 0 10:41 ? 00:00:00 /bin/sh /usr/sbin/rabbitmq-server
102 26568 26540 0 10:41 ? 00:01:14 /usr/lib/erlang/erts-5.10.4/bin/beam.smp -W w -K true -A30 -P 1048576 -- -root /usr/lib/erlang -progname erl -- -home /var/lib/rabbitmq -- -pa /usr/lib/rabbitmq/lib/rabbitmq_server-3.2.4/sbin/../ebin -noshell -noinput
33 26785 26782 0 10:42 ? 00:00:00 /usr/sbin/apache2 -k start
33 26786 26782 0 10:42 ? 00:00:00 /usr/sbin/apache2 -k start
33 26787 26782 0 10:42 ? 00:00:00 /usr/sbin/apache2 -k start
33 26788 26782 0 10:42 ? 00:00:00 /usr/sbin/apache2 -k start
33 26789 26782 0 10:42 ? 00:00:00 /usr/sbin/apache2 -k start
106 26907 26418 0 10:42 ? 00:00:00 postgres: 9.6/main: mccs mccs 127.0.0.1(49576) idle
106 27154 26418 0 10:42 ? 00:00:03 postgres: 9.6/main: mccs mccs 127.0.0.1(49602) idle
106 27181 26418 0 10:42 ? 00:00:01 postgres: 9.6/main: mccs mccs 127.0.0.1(49606) idle
106 27778 26418 0 10:45 ? 00:00:00 postgres: 9.6/main: mccs mccs 127.0.0.1(49636) idle
106 27779 26418 0 10:45 ? 00:00:01 postgres: 9.6/main: mccs mccs 127.0.0.1(49638) idle
106 27780 26418 0 10:45 ? 00:00:01 postgres: 9.6/main: mccs mccs 127.0.0.1(49640) idle
106 27902 26418 0 10:45 ? 00:00:01 postgres: 9.6/main: mccs mccs 127.0.0.1(49648) idle
3. Solution
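– This is scheduled to be fixed in an upcoming MCCS-ENT 4.5.6 build.
– Users inside the Gam Container will be created with UIDs from 3000 onward.
– After the Gam Container starts, create users on the host server with the same numbers as the ones created in the container.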
4. Workaround
– Until the patch is available, make the following changes.
<Gam Container>
1) Stop the services
$ service rabbitmq-server stop
$ service nagios stop
$ service postgresql stop
$ /usr/sbin/apache2ctl stop
2) Change the UID and GID
Edit the /etc/passwd and /etc/group files as follows:
Host Server | | | Gam Container | | |
user | uid | gid | user | uid | gid |
www-data | 3101 | 3000 | www-data | 3101 | 3101 |
rabbitmq | 3102 | 3000 | rabbitmq | 3102 | 3102 |
postgres | 5011 | 5000 | postgres | 5011 | 5000 |
3) Change the ownership of directories and files
# www-data
find / ! \( -path '/proc' -prune \) -user 33 -exec chown 3101.3001 {} \;
# rabbitmq
find / ! \( -path '/proc' -prune \) -user 102 -exec chown 3102.3002 {} \;
# postgres
find / ! \( -path '/proc' -prune \) -user 106 -exec chown 5011.5000 {} \;
<Host Server>
4) Create the users on the host server
$ useradd -M -u 3101 www-data -s /usr/sbin/nologin
$ useradd -M -u 3102 rabbitmq -s /bin/false
$ groupadd -g 5000 postgres
$ useradd -M -u 5011 -g 5000 postgres
5) Restart the Gam Container
$ docker stop gam
$ docker start gam
<<Caution>>
If the Gam Container is removed completely with docker rm, it is reset, so step 5 must be performed again.
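
The following is an added example, not part of the original article or of MCCS-ENT: a shell check that compares the container's passwd entries with the host's and reports which container UIDs have no host account (the cause of the numeric UID column in ps -ef). It goes slightly beyond the article by also flagging a UID that already belongs to a differently named host account; the function names, the sample passwd lines and the polkitd host entry are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_uid_map CONTAINER_PASSWD HOST_PASSWD [MIN_UID]
# Prints one line per container account with UID >= MIN_UID (default 1):
#   OK <name> <uid>                  same name owns this UID on the host
#   MISSING <name> <uid>             no host account: ps -ef shows the number
#   CONFLICT <name> <uid> host=<n>   UID belongs to another host account
check_uid_map() {
    awk -F: -v min="${3:-1}" '
        FILENAME == ARGV[1] { host[$3] = $1; next }   # host file: uid -> name
        $3 + 0 < min + 0    { next }                  # skip low UIDs (root)
        !($3 in host)       { print "MISSING", $1, $3; next }
        host[$3] != $1      { print "CONFLICT", $1, $3, "host=" host[$3]; next }
                            { print "OK", $1, $3 }
    ' "$2" "$1"
}

# Constructed sample data: container users from the article's table, plus a
# hypothetical host where UID 102 already belongs to an unrelated account.
write_samples() {   # $1 = directory to write the two files into
    cat > "$1/container.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
rabbitmq:x:102:106::/var/lib/rabbitmq:/bin/false
postgres:x:106:111::/var/lib/postgresql:/bin/bash
EOF
    cat > "$1/host.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
polkitd:x:102:102::/:/sbin/nologin
EOF
}

# On a real system the inputs would come from (gam is the article's container):
#   docker exec gam cat /etc/passwd > container.passwd
#   getent passwd > host.passwd
tmp=$(mktemp -d)
write_samples "$tmp"
check_uid_map "$tmp/container.passwd" "$tmp/host.passwd"
rm -rf "$tmp"
```

After the workaround, running the same check with MIN_UID set to 3000 should report OK for every remapped account.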