Wrong filesystem permissions when using .withClasspathResourceMapping

[cremich]

Hey all,

first of all: thanks for this awesome project. Really enjoyed using testcontainers. But i am facing a problem, when running my junit tests on a gitlab shell runner. What am i trying to do:

I want to test an oauth2 authentication flow based on keycloak. Therefor i setup a keycloak container with "testcontainers". On my local machine everything works pretty well. But on gitlab, i see a strange behaviour.

Here my Container-Setup:

    private GenericContainer keycloak =
        new GenericContainer("jboss/keycloak:4.6.0.Final")
            .withExposedPorts(8080)
            .withEnv("KEYCLOAK_USER", "admin")
            .withEnv("KEYCLOAK_PASSWORD", "admin")
            .withEnv("KEYCLOAK_IMPORT", "/tmp/realm.json")
            .withClasspathResourceMapping("realm-export.json", "/tmp/realm.json", BindMode.READ_ONLY)
            .withClasspathResourceMapping("create-keycloak-user.sh", "/opt/jboss/create-user.sh", BindMode.READ_WRITE)
            .waitingFor(Wait.forHttp("/auth"));

I use withClassPathResourceMapping to copy a realm export and a little script to create some test-users. On gitlab i see, that the permissions are set weird:

drwxr-xr-x 1 jboss jboss    4096 Dec  2 20:03 .
drwxr-xr-x 1 root  root     4096 Nov  2 11:13 ..
-rw-r--r-- 1 jboss jboss      18 Apr 11  2018 .bash_logout
-rw-r--r-- 1 jboss jboss     193 Apr 11  2018 .bash_profile
-rw-r--r-- 1 jboss jboss     231 Apr 11  2018 .bashrc
-rw-rw-r-- 1   999 ssh_keys 1370 Nov 30 15:52 create-user.sh
drwxrwxr-x 1 jboss root     4096 Nov 14 20:51 keycloak
-rw------- 1 jboss jboss    1024 Dec  2 20:03 .rnd
drwxr-xr-x 4 root  root     4096 Nov 14 22:47 tools

First, the create-user.sh is set without execution permission. Second a user 999 from group ssh:keys owns the file. Due to the wrong permissions i get the following error on my gitlab shell runner:

ℹ︎ Checking the system...
        ✔ Docker version should be at least 1.6.0
        ✔ Docker environment should have more than 2GB free disk space
OCI runtime exec failed: exec failed: container_linux.go:296: starting container process caused "exec: \"/opt/jboss/create-user.sh\": permission denied": unknown

On my local machine is see the following permissions_

drwxr-xr-x 1 jboss jboss 4096 Dec  2 20:12 .
drwxr-xr-x 1 root  root  4096 Nov  2 11:13 ..
-rw-r--r-- 1 jboss jboss   18 Apr 11  2018 .bash_logout
-rw-r--r-- 1 jboss jboss  193 Apr 11  2018 .bash_profile
-rw-r--r-- 1 jboss jboss  231 Apr 11  2018 .bashrc
-rwxrwxr-x 1 jboss jboss 1370 Dec  2 20:12 create-user.sh
drwxrwxr-x 1 jboss root  4096 Nov 14 20:51 keycloak
-rw------- 1 jboss jboss 1024 Dec  2 20:12 .rnd
drwxr-xr-x 4 root  root  4096 Nov 14 22:47 tools

[kiview]

Hi @cremich,

file mounting in CI environments can sometimes be a bit confusing, so I'd argue it might be better to try out the copy API ;)

Can you try out the following?

GenericContainer keycloak =
            new GenericContainer("jboss/keycloak:4.6.0.Final")
                .withExposedPorts(8080)
                .withEnv("KEYCLOAK_USER", "admin")
                .withEnv("KEYCLOAK_PASSWORD", "admin")
                .withEnv("KEYCLOAK_IMPORT", "/tmp/realm.json")
                .withCopyFileToContainer(MountableFile.forClasspathResource("realm-export.json"), "/tmp/realm.json")
                .withCopyFileToContainer(MountableFile.forClasspathResource("create-keycloak-user.sh", 700), "/opt/jboss/create-user.sh")
                .waitingFor(Wait.forHttp("/auth"));

[sonerd]

Hi @cremich,

what a coincidence currently I am also working on a keycloak based project and I also use testcontainers to run selenium tests for authentication 😄
To setup the realm and etc. in keycloak I am using a Dockerfile:

FROM jboss/keycloak
ENV KEYCLOAK_HOME /opt/jboss/keycloak

COPY ./themes/myproject/ $KEYCLOAK_HOME/themes/myproject/
COPY ./etc/sample-realm.json /tmp/sample-realm.json
COPY ./etc/dev-standalone.xml $KEYCLOAK_HOME/standalone/configuration/standalone.xml

EXPOSE 8080 8787

CMD ["--debug", "-c", "standalone.xml"]

To setup the test I am using the docker-compose approach. I have a separate compose file for my testcontainers based tests:

version: '2'

services:
  sso:
    build:
      context: .
    image: registry.gitlab.com/myproject/sso
    ports:
      - "8080:8080"
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - KEYCLOAK_IMPORT=/tmp/sample-realm.json

And in my test I am doing:

@ClassRule
public static DockerComposeContainer compose = new DockerComposeContainer(new File("src/test/resources/test-compose.yaml"))
            .withExposedService(SSO_SERVICE, SSO_PORT)
            .waitingFor(SSO_SERVICE, new HttpWaitStrategy().forPath("/auth").withStartupTimeout(Duration.ofSeconds(30)));

Maybe it helps you to copy your scripts by Dockerfile

Beside that I am facing some other issues while running tests in gitlab-ci. Somehow I am not able to login to the private registry from the docker container where I want to run the tests.
Even though I have this part in my gitlab-ci file

before_script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.gitlab.com

I also tried to mount the /.docker/config.json to the container. But the mounting is not working.
Because of that I am getting following error from testcontainers:

11:25:10.051 [main] DEBUG org.testcontainers.utility.RegistryAuthLocator - Looking up auth config for image: alpine:3.5
11:25:10.052 [main] DEBUG org.testcontainers.utility.RegistryAuthLocator - RegistryAuthLocator has configFile: /root/.docker/config.json (exists) and commandPathPrefix: 
11:25:10.053 [main] WARN org.testcontainers.utility.RegistryAuthLocator - Failure when attempting to lookup auth config (dockerImageName: alpine:3.5, configFile: /root/.docker/config.json. Falling back to docker-java default behaviour. Exception message: /root/.docker/config.json (Is a directory)

Do you have similar issues or how are you setting up your test in gitlab-ci?

[cremich]

Hi @cremich,

file mounting in CI environments can sometimes be a bit confusing, so I'd argue it might be better to try out the copy API ;)

Can you try out the following?

GenericContainer keycloak =
            new GenericContainer("jboss/keycloak:4.6.0.Final")
                .withExposedPorts(8080)
                .withEnv("KEYCLOAK_USER", "admin")
                .withEnv("KEYCLOAK_PASSWORD", "admin")
                .withEnv("KEYCLOAK_IMPORT", "/tmp/realm.json")
                .withCopyFileToContainer(MountableFile.forClasspathResource("realm-export.json"), "/tmp/realm.json")
                .withCopyFileToContainer(MountableFile.forClasspathResource("create-keycloak-user.sh", 700), "/opt/jboss/create-user.sh")
                .waitingFor(Wait.forHttp("/auth"));

@kiview sorry for not responding that long time. Really got a lot to do and had no time to check your comment. i will close this issue and open it, if the problem occurs again 👍

@sonerd i think i have a different setup than you. i configured a shell-runner and used it for my jobs. there i have full control about the running docker and the container must not run in privileged mode.

[fokoenecke]

.withCopyFileToContainer(MountableFile.forClasspathResource("create-keycloak-user.sh", 700), "/opt/jboss/create-user.sh")

Following might be obvious, but it wasn't for me, so for everyone trying this:

I expected the file mode (700 in this case) to follow the normal posix pattern. So this would be rwx for owner. But, this didn't work for me.

The code documentation says it expects * @param mode octal value of posix file mode (000..777). What it wants you to do, is convert the posix pattern interpreted as octal to decimal and provide that. In this case 448.

Coming from Kotlin, this felt strange. It might be a little more intuitive in Java, where you can just write 0700.