execution of assets/custom-scripts throws "permission denied" #29

Open
financelurker opened this issue Oct 20, 2021 · 0 comments
Labels
bug Something isn't working

Comments

financelurker commented Oct 20, 2021

Summary

After setting up this container, we also spun up a fusiondirectory container pointing to that openldap-fusiondirectory backend.
With the openldap-fusiondirectory container version 1.4-7.1.5, the custom init scripts are not executed.

Steps to reproduce

First spin up the openldap-fusiondirectory setup:

apiVersion: v1
kind: Secret
metadata:
  name:  openldap-passwords
  namespace: fusiondirectory
data:
   ADMIN_PASS:  <pw>
   CONFIG_PASS: <pw>
   FUSIONDIRECTORY_ADMIN_PASS: <pw>
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  name:  openldap-readonly-password
  namespace: fusiondirectory
data:
   secretKey:  <ro-pw>
type: Opaque
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-headless
  namespace: fusiondirectory
  labels:
    app: openldap
    ver: v1
spec:
  ports:
  - port: 389
    name: ldap
  selector:
    app: openldap
    ver: v1
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-writer
  namespace: fusiondirectory
  labels:
    app: openldap-writer
    ver: v1
spec:
  ports:
  - port: 389
    name: ldap
  selector:
    statefulset.kubernetes.io/pod-name: openldap-0
    ver: v1
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: openldap
    ver: v1
  name: openldap
  namespace: fusiondirectory
spec:
  replicas: 1
  serviceName: openldap-headless
  selector:
    matchLabels:
      app: openldap
      ver: v1
  volumeClaimTemplates:
  - metadata:
      name: openldap-data
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fusiondirectory-data-pv"
      resources:
        requests:
          storage: 1000Mi
  - metadata:
      name: openldap-config
    spec:
      accessModes: [ "ReadWriteOnce" ]
      storageClassName: "fusiondirectory-config-pv"
      resources:
        requests:
          storage: 500Mi
  template:
    metadata:
      labels:
        app: openldap
        ver: v1
    spec:
      containers:
      - image: tiredofit/openldap-fusiondirectory:1.4-7.1.5
        imagePullPolicy: IfNotPresent
        name: openldap
        volumeMounts:
        - mountPath: /var/lib/openldap
          name: openldap-data
        - mountPath: /etc/openldap/slapd.d
          name: openldap-config
        env:

        # Container ############################################
        - name: ENABLE_CRON
          value: "TRUE"
        - name: ENABLE_ZABBIX
          value: "FALSE"
        - name: CONTAINER_LOG_LEVEL
          value: "NOTICE"
        - name: DEBUG_MODE
          value: "FALSE"

        # Settings ###############################################
        - name: INTERNAL_HOSTNAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: HOSTNAME
          #TODO Setting the fqdn automatically
          value: "$(INTERNAL_HOSTNAME).openldap-headless.fusiondirectory.svc.cluster.local"
        - name: BACKEND
          value: "mdb"
        - name: ULIMIT_N
          value: "21000"
        - name: LOG_LEVEL
          value: "256"
        - name: DOMAIN
          value: "example.com"
        - name: ADMIN_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: ADMIN_PASS
        - name: CONFIG_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: CONFIG_PASS
        - name: KEEP_EXISTING_CONFIG
          value: "FALSE"

        # FUSIONDIRECTORY ACCESS #################################
        - name: FUSIONDIRECTORY_ADMIN_USER
          value: "admin"
        - name: FUSIONDIRECTORY_ADMIN_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: FUSIONDIRECTORY_ADMIN_PASS
        - name: ORGANIZATION
          value: "organization"

        # LDAP Settings ##########################################
        - name: BASE_DN
          value: "dc=example,dc=com"
        - name: ENABLE_READONLY_USER
          value: "TRUE"
        - name: READONLY_USER_USER
          value: "reader"
        - name: READONLY_USER_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-readonly-password
              key: secretKey

        # TLS ######################################################
        - name: ENABLE_TLS
          value: "FALSE"

        # REPLICATION ##############################################
        - name: ENABLE_REPLICATION
          value: "FALSE"

        # Replication without tls tls_reqcert=never
#        - name: REPLICATION_CONFIG_SYNCPROV
#          value: "binddn=\"cn=config\" bindmethod=simple credentials=$(CONFIG_PASS) searchbase=\"cn=config\" type=refreshAndPersist retry=\"5 5 60 +\" timeout=1 filter=\"(!(objectclass=olcGlobal))\" tls_reqcert=never"
#         # Replication without tls tls_reqcert=never
#        - name: REPLICATION_DB_SYNCPROV
#          value: "binddn=\"cn=admin,$(BASE_DN)\" bindmethod=simple credentials=$(ADMIN_PASS) searchbase=\"$(BASE_DN)\" type=refreshAndPersist interval=00:00:00:10 retry=\"60 +\" timeout=1 tls_reqcert=never"
#
#        #TODO  Scaling of the Statefulset won't work -> olcServerID in the config database has to be changed!
#        # Please use the correct fqdn 
#        - name: REPLICATION_HOSTS
#          value: "ldap://openldap-0.openldap-headless.fusiondirectory.svc.cluster.local ldap://openldap-1.openldap-headless.fusiondirectory.svc.cluster.local"

        - name: REMOVE_CONFIG_AFTER_SETUP
          value: "FALSE"

        # ZABBIX #################################################
        - name: ZABBIX_HOSTNAME
          value: "openldap-fusiondirectory-app"

        - name: REAPPLY_PLUGIN_SCHEMAS
          value: "TRUE"
        - name: PLUGIN_ARGONAUT
          value: "TRUE"
        - name: PLUGIN_MAIL
          value: "TRUE"
        - name: PLUGIN_ALIAS
          value: "TRUE"
        - name: PLUGIN_PERSONAL
          value: "TRUE"
        - name: PLUGIN_POSIX
          value: "TRUE"
        - name: PLUGIN_DNS
          value: "TRUE"
        - name: PLUGIN_SUDO
          value: "TRUE"
        - name: PLUGIN_SYSTEMS
          value: "TRUE"
        - name: PLUGIN_NEXTCLOUD
          value: "TRUE"
        - name: PLUGIN_POSTFIX
          value: "TRUE"
        - name: PLUGIN_DOVECOT
          value: "TRUE"
        - name: PLUGIN_DHCP
          value: "TRUE"
        - name: PLUGIN_FUSIONINVENTORY
          value: "TRUE"
        - name: PLUGIN_GPG
          value: "TRUE"
        - name: PLUGIN_REPOSITORY
          value: "TRUE"
        - name: PLUGIN_SPAMASSASSIN
          value: "TRUE"
        - name: PLUGIN_SSH
          value: "TRUE"
        - name: PLUGIN_USER_REMINDER
          value: "TRUE"

        ports:
        - containerPort: 389

      restartPolicy: Always

Then spin up the fusiondirectory UI:

apiVersion: v1
kind: Service
metadata:
  name: fusiondirectory
  namespace: fusiondirectory
  labels:
    app: fusiondirectory
    ver: v1
spec:
  type: NodePort
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30067
    protocol: TCP
    name: http-fusiondirectory
  selector:
    app: fusiondirectory
    ver: v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: fusiondirectory
    ver: v1
  name: fusiondirectory
  namespace: fusiondirectory
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fusiondirectory
      ver: v1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: fusiondirectory
        ver: v1
    spec:
      volumes:
      - name: apachelogs
        emptyDir: {}
      containers:
      - image: tiredofit/fusiondirectory:1.4-2.7.11
        imagePullPolicy: IfNotPresent
        name: fusiondirectory
        resources:
          limits:
            memory: 500Mi
            cpu: "0.5"
          requests:
            memory: 100Mi
            cpu: "0.1"
        volumeMounts:
        - mountPath: /www/logs
          name: apachelogs
        env:
          #- name: DEBUG_SMTP
          #value: TRUE
          #- name: DEBUG_MODE
          #value: TRUE

        - name: VIRTUAL_HOST
          value: "directory.example.com"
        - name: VIRTUAL_PORT
          value: "80"
        - name: ENABLE_ZABBIX
          value: "FALSE"

        - name: PLUGIN_ARGONAUT
          value: "TRUE"
        - name: PLUGIN_MAIL
          value: "TRUE"
        - name: PLUGIN_ALIAS
          value: "TRUE"
        - name: PLUGIN_PERSONAL
          value: "TRUE"
        - name: PLUGIN_POSIX
          value: "TRUE"
        - name: PLUGIN_DNS
          value: "TRUE"
        - name: PLUGIN_SUDO
          value: "TRUE"
        - name: PLUGIN_SYSTEMS
          value: "TRUE"
        - name: PLUGIN_NEXTCLOUD
          value: "TRUE"
        - name: PLUGIN_POSTFIX
          value: "TRUE"
        - name: PLUGIN_DOVECOT
          value: "TRUE"
        - name: PLUGIN_DHCP
          value: "TRUE"
        - name: PLUGIN_FUSIONINVENTORY
          value: "TRUE"
        - name: PLUGIN_GPG
          value: "TRUE"
        - name: PLUGIN_REPOSITORY
          value: "TRUE"
        - name: PLUGIN_SPAMASSASSIN
          value: "TRUE"
        - name: PLUGIN_SSH
          value: "TRUE"
        - name: PLUGIN_USER_REMINDER
          value: "TRUE"

        - name: PLUGIN_LDAPDUMP
          value: "TRUE"
        - name: PLUGIN_LDAPMANAGER
          value: "TRUE"
        - name: PLUGIN_WEBSERVICE
          value: "TRUE"

        # Connect to only one openldap server
        # in case of a openldap replication setup
        - name: LDAP1_HOST
          value: "openldap-writer"
        - name: LDAP1_TLS
          value: "FALSE"
        - name: LDAP1_SSL
          value: "FALSE"
        - name: LDAP1_BASE_DN
          value: "dc=example,dc=com"
        - name: LDAP1_ADMIN_DN
          value: "cn=admin,dc=example,dc=com"
        # Defined in the openldap-fusiondirectory
        # kubernetes example installation
        # using the same password/secret
        - name: LDAP1_ADMIN_PASS
          valueFrom:
            secretKeyRef:
              name: openldap-passwords
              key: ADMIN_PASS
        - name: LDAP1_PORT
          value: "389"
        - name: LDAP1_NAME
          value: "ldap"

        - name: ENABLE_SMTP
          value: "FALSE"
#        - name: ENABLE_SMTP
#          value: "TRUE"
#        - name: SMTP_HOST
#          value: "smtp.example.net"
#        - name: SMTP_PORT
#          value: "25"
#        - name: SMTP_DOMAIN
#          value: "example.net"
#        - name: SMTP_MAILDOMAIN
#          value: "example.net"
#        - name: SMTP_TLS
#          value: "off"   
        ports:
        - containerPort: 80 
        
      restartPolicy: Always

What is the expected correct behavior?

Login through the fusiondirectory UI is possible.
The scripts are executed, so that the fusiondirectory UI can actually access it.

Relevant logs and/or screenshots

While starting the docker container the first time, the logs show:

2021-10-20-05:30:08 [NOTICE] ** [openldap] Found custom scripts to execute
/assets/functions/10-openldap: line 558: /assets/custom-scripts/001-install-fusiondirectory.sh: Permission denied
/assets/functions/10-openldap: line 558: /assets/custom-scripts/002-update-schemas.sh: Permission denied

After getting a listing of the custom-scripts directory within the container, it shows that the scripts are not executable:

total 36K
drwxr-xr-x 2 root root 4.0K Oct 16 17:06 .
drwxr-xr-x 1 root root 4.0K Oct 20 05:30 ..
-rw-r--r-- 1 root root  19K Oct 16 17:06 001-install-fusiondirectory.sh
-rw-r--r-- 1 root root  969 Oct 16 17:06 002-update-schemas.sh

Environment

  • Image version / tag: 1.4-7.1.5
  • Host OS:
    • Ubuntu (5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux)
    • k8s (v1.22.2)

Possible fixes

Not only chmod +x /usr/sbin/fusiondirectory-insert-schema but also chmod +x the other necessary scripts.

Actually, adding this line to the Dockerfile worked for me:

    chmod +x /assets/custom-scripts/*.sh && \
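The failure above comes from the entrypoint invoking each file in /assets/custom-scripts directly, so a script that was copied into the image without its executable bit fails with "Permission denied" and startup simply carries on without it. The following is an added example, not the tiredofit image's own entrypoint code: a defensive runner for such a directory that reports missing execute bits explicitly, refuses scripts that another uid could have modified (they run as root during container init), and fails the init step instead of continuing silently. Function names, the exit-code convention and the use of GNU/busybox `stat -c` are assumptions of this example; the directory path is whatever the caller passes.

```shell
#!/bin/sh
# Added example, not the tiredofit/openldap-fusiondirectory entrypoint:
# a defensive runner for an init-script directory like /assets/custom-scripts.
# The image's 10-openldap function invokes each file directly, so a script
# that lost its executable bit (a COPY from 0644 sources, as in this issue)
# fails with "Permission denied" and is skipped while startup continues.
# Relies on GNU/busybox `stat -c`, i.e. the Linux containers this page is about.

# check_custom_script FILE
#   returns 0 runnable, 1 missing +x (or missing file), 2 unsafe owner/mode
check_custom_script() {
  f="$1"
  [ -f "$f" ] || return 1
  # Owner must be the uid that executes the scripts (root during container init);
  # anything else could have been planted or edited by another account.
  [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || return 2
  # Refuse world-writable files: the 9th character of the mode string is other-write.
  case "$(stat -c '%A' "$f")" in
    ????????w?) return 2 ;;
  esac
  [ -x "$f" ] || return 1
  return 0
}

# run_custom_scripts DIR
#   Runs scripts in glob (name) order. Prints "ran=N skipped=N refused=N failed=N"
#   on stdout and diagnostics on stderr; returns 1 if anything was skipped,
#   refused or failed, so the caller can abort init instead of limping on.
run_custom_scripts() {
  dir="$1"
  ran=0; skipped=0; refused=0; failed=0
  for f in "$dir"/*; do
    [ -e "$f" ] || continue            # empty directory: the glob stays literal
    rc=0
    check_custom_script "$f" || rc=$?
    case "$rc" in
      0)
        if "$f"; then
          ran=$((ran + 1))
        else
          echo "custom script exited non-zero: $f" >&2
          failed=$((failed + 1))
        fi
        ;;
      1)
        echo "not executable, fix the image (chmod +x or COPY --chmod=755): $f" >&2
        skipped=$((skipped + 1))
        ;;
      2)
        echo "refusing script with unsafe owner or mode: $f" >&2
        refused=$((refused + 1))
        ;;
    esac
  done
  printf 'ran=%d skipped=%d refused=%d failed=%d\n' "$ran" "$skipped" "$refused" "$failed"
  if [ "$skipped" -eq 0 ] && [ "$refused" -eq 0 ] && [ "$failed" -eq 0 ]; then
    return 0
  fi
  return 1
}

# Usage: sh run-custom-scripts.sh /assets/custom-scripts
if [ "$#" -gt 0 ]; then
  run_custom_scripts "$1"
fi
```

The `chmod +x /assets/custom-scripts/*.sh` line in the Dockerfile fixes the bit for the files baked into the image; with BuildKit the same can be done at copy time with `COPY --chmod=755`. The ownership and world-writable checks matter when the directory is instead bind-mounted from a host or a shared volume, since whatever lands there is executed as root at container start.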