Tags: encryption, luks

Mandos in Docker


I tried to set up Mandos inside a Docker container and failed with D-Bus errors. It's possible to run the server without D-Bus, but mandos-ctl and mandos-monitor need D-Bus to run.

My Dockerfile:

FROM ubuntu:16.04
RUN locale-gen de_DE.UTF-8
ENV TERM=xterm
RUN apt-get update \
    && apt-get install -y mandos \
        fping \
        dbus \
    && rm -rf /var/lib/apt/lists/*

Build it: docker build -t mandos-server .

If I mount the host's /var/run/dbus into the container, start it with docker run -v /dev/log:/dev/log -v /var/run/dbus:/var/run/dbus -it mandos-server bash, and then start mandos --debug, I get the following errors:

2016-06-16 15:26:30,278 root [11]: DEBUG: Did setuid/setgid to 108:111
2016-06-16 15:26:30,280 root [11]: ERROR: Disabling D-Bus:
Traceback (most recent call last):
  File "/usr/sbin/mandos", line 3009, in main
    do_not_queue=True)
  File "/usr/lib/python2.7/dist-packages/dbus/service.py", line 131, in __new__
    retval = bus.request_name(name, name_flags)
  File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 303, in request_name
    'su', (name, flags))
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.362" is not allowed to own the service "se.recompile.Mandos" due to security policies in the configuration file

Second trial: starting the container without mounting D-Bus, docker run -v /dev/log:/dev/log -it mandos-server bash, and starting D-Bus by hand with /etc/init.d/dbus start:

 * Starting system message bus dbus [ OK ]

mandos --debug leads to the following error:

2016-06-16 15:36:38,338 root [40]: DEBUG: Did setuid/setgid to 108:111
2016-06-16 15:36:38,353 root [40]: WARNING: Could not load persistent state: No such file or directory
2016-06-16 15:36:38,359 root [40]: WARNING: No clients defined
2016-06-16 15:36:38,361 root [40]: INFO: Now listening on address '::', port 39145, flowinfo 0, scope_id 0
2016-06-16 15:36:38,363 dbus.proxies [40]: ERROR: Introspect error on org.freedesktop.Avahi:/: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user

2016-06-16 15:36:38,363 dbus.proxies [40]: DEBUG: Executing introspect queue due to error
2016-06-16 15:36:38,363 root [40]: CRITICAL: D-Bus Exception
Traceback (most recent call last):
  File "/usr/sbin/mandos", line 3415, in main
    service.activate()
  File "/usr/sbin/mandos", line 470, in activate
    self.server_state_changed(self.server.GetState())
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user

Any idea what's going wrong, and maybe a solution?


Solution

  • I don't know what's wrong... but my answer to this post was deleted... Here is the full solution:

    Dockerfile:

    FROM ubuntu:14.04
    
    # Everything Mandos needs to run under one supervisor inside the container:
    # rsyslog (Mandos logs via syslog), a system bus, Avahi to announce the
    # service, and fping for the default client checker.
    # rsyslog's stock config writes emergencies to /dev/xconsole, which does
    # not exist in a container, so the sed points it at the console instead.
    RUN apt-get update \
        && apt-get install -y supervisor \
            mandos \
            fping \
            rsyslog \
            dbus \
            avahi-daemon \
            avahi-utils \
            libnss-mdns \
        && mkdir -p /var/log/supervisor \
        && mkdir -p /var/run/rsyslog \
        && mkdir -p /var/run/dbus \
        && sed -i.bak s/xconsole/console/g /etc/rsyslog.conf \
        && rm -rf /var/lib/apt/lists/*
    
    COPY ./config/mandos.conf /etc/mandos/mandos.conf
    COPY ./config/clients.conf /etc/mandos/clients.conf
    COPY ./config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
    
    # Mandos listens on the port set in mandos.conf; this image documents 55555.
    EXPOSE 55555
    CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
    

    supervisord config file:

    [supervisord]
    nodaemon=true
    #loglevel=debug
    
    [program:rsyslog]
    command=/usr/sbin/rsyslogd -n
    autostart=true
    autorestart=true
    redirect_stderr=true
    
    # Start order matters: the bus must be up before Avahi, and Avahi must own
    # org.freedesktop.Avahi before Mandos asks for it. Lower priority starts
    # first; note that supervisord only orders the starts, it does not wait
    # for the earlier program to be ready.
    [program:dbus]
    # A stale pid file from a previous run stops dbus-daemon from starting.
    # exec so that supervisord signals dbus-daemon itself, not the wrapper shell.
    command=/bin/sh -c "rm -f /var/run/dbus/pid; exec dbus-daemon --system --nofork"
    priority=1
    redirect_stderr=true
    
    [program:avahi-daemon]
    command=/usr/sbin/avahi-daemon --no-chroot
    priority=2
    
    [program:mandos]
    command=mandos --foreground
    priority=3
    

    The mandos.conf and clients.conf files are from a default mandos installation.

    Hope this works for others.
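An added example, not part of the question or the answer above: a plain-shell container entrypoint that does what the supervisord configuration does, but with explicit readiness checks. The second traceback in the question (Spawn.FileInvalid on org.freedesktop.Avahi) is what happens when Mandos reaches the bus before anything owns the Avahi name, so this script removes the stale pid file the answer also removes, starts the system bus and waits for its socket, starts avahi-daemon, waits until the bus itself reports an owner for org.freedesktop.Avahi, and only then execs mandos --foreground. The daemons, paths and flags are the Debian/Ubuntu ones used on this page; the wait_for and bus_name_has_owner helpers and the "start" argument are my own conventions.

```shell
#!/bin/sh
# Added example (not code from the original post or from the Mandos project):
# bring up dbus-daemon, then avahi-daemon, then Mandos, waiting for each to
# be ready rather than only starting them in order.
# Assumed paths/flags (Debian/Ubuntu packages as used on this page):
# dbus-daemon --system --nofork, avahi-daemon --no-chroot, mandos --foreground.
set -eu

DBUS_SOCKET=/var/run/dbus/system_bus_socket
DBUS_PIDFILE=/var/run/dbus/pid

# wait_for TIMEOUT_SECONDS CMD [ARGS...]
# Polls CMD once per second until it exits 0 or the timeout elapses.
# Returns 0 on success and 1 on timeout so the caller decides how to fail.
wait_for() {
    timeout=$1
    shift
    while [ "$timeout" -gt 0 ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        timeout=$((timeout - 1))
        sleep 1
    done
    return 1
}

# bus_name_has_owner NAME
# Asks the bus (org.freedesktop.DBus.NameHasOwner) whether NAME currently has
# an owner. Mandos needs this to be true for org.freedesktop.Avahi before it
# calls service.activate(); otherwise the bus tries service activation and
# fails as in the question's traceback. Returns 1 if dbus-send is missing.
bus_name_has_owner() {
    dbus-send --system --print-reply --dest=org.freedesktop.DBus \
        /org/freedesktop/DBus org.freedesktop.DBus.NameHasOwner \
        "string:$1" 2>/dev/null | grep -q 'boolean true'
}

start_stack() {
    # A pid file left by a previous container run stops dbus-daemon from
    # starting; the answer's "rm ... || true" handles the same problem.
    mkdir -p /var/run/dbus
    rm -f "$DBUS_PIDFILE"
    dbus-uuidgen --ensure              # machine-id the system bus requires
    dbus-daemon --system --nofork &
    wait_for 10 test -S "$DBUS_SOCKET" \
        || { echo "system bus did not come up" >&2; exit 1; }

    # Avahi without its chroot, as in the answer, then wait until it has
    # actually claimed its well-known name on the bus.
    avahi-daemon --no-chroot &
    wait_for 10 bus_name_has_owner org.freedesktop.Avahi \
        || { echo "org.freedesktop.Avahi never appeared on the bus" >&2; exit 1; }

    # Replace the shell so Mandos keeps the entrypoint's PID and receives
    # the SIGTERM from "docker stop" directly.
    exec mandos --foreground
}

# Only start services when invoked as the image's CMD ("/entrypoint.sh start");
# running the file without the argument just defines the functions above.
case "${1-}" in
    start) start_stack ;;
esac
```

Use it as the image's CMD, for example CMD ["/entrypoint.sh", "start"], in place of supervisord. Two caveats: because the script execs Mandos, dbus-daemon and avahi-daemon become children of Mandos and nothing restarts them if they die, which is the job supervisord did in the answer; and Mandos clients locate the server through Avahi's mDNS announcements, which do not leave Docker's default bridge network, so a server that must be found by clients on the LAN needs --net=host, at which point the EXPOSE line and any -p mapping no longer matter.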