Error implementing PandoraFMS on Docker
Posted by thiagolima on July 30, 2016 at 01:19
Hi,
I’m trying to implement PandoraFMS using Docker. I’ve opted for the advanced installation according to the manual because I want to make MySQL isolated on a separate network and I want to use two different containers for Console and Server due to security purposes. I’m trying to run the MySQL Docker image as follows:
docker run -idt --name PandoraFMS-MySQL --network PandoraFMS -v /mnt/pandorafms/mysql/var/lib/mysql:/var/lib/mysql -v /mnt/pandorafms/mysql/etc/mysql:/etc/mysql -e MYSQL_ROOT_PASSWORD=SomeGoodPassword -e MYSQL_DATABASE=pandora -e MYSQL_USER=pandora -e MYSQL_PASSWORD=SomeOtherGoodPassword pandorafms/pandorafms-mysql:6
But the launch fails. Checking the container log, I’ve got the following output:
MySQL init process failed.
2016-07-29 21:13:20 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
2016-07-29 21:13:20 0 [Note] mysqld (mysqld 5.6.29) starting as process 1 …
2016-07-29 21:13:20 1 [ERROR] Fatal error: Please read "Security" section of the manual to find out how to run mysqld as root!
2016-07-29 21:13:20 1 [ERROR] Aborting
2016-07-29 21:13:20 1 [Note] Binlog end
2016-07-29 21:13:20 1 [Note] mysqld: Shutdown complete
Could someone please help me with this issue? If someone from PandoraFMS could only provide the Dockerfile for this image, I could better troubleshoot this and help to get it working.
-
::
Hi Thiago,
I’ve been able to replicate the issue using the -v flags. Without them, it works just fine. I’ll open up an internal incident to review this. You can find the Dockerfile in our GitHub repository: https://github.com/pandorafms/pandorafms/blob/develop/extras/Dockerfile
Any help would be very much appreciated! 🙂
-
::
Hi Axel,
Thank you very much for your attention on this issue. I was looking at the Dockerfile and I think that I might have found the conflict.
Well, first of all, let me share with you my goals when using the -v option. What I really want is to make all of the data inside the database to be persistent even if I have to destroy the container for any reason. Thus I’m using the -v and pointing the folder /mnt/pandorafms/mysql/var/lib/mysql to the container folder /var/lib/mysql.
Another motivation for this is to have separate volumes on the host machine so I can easily attach and detach volumes when I add or remove containers. This is important since the host is running on a cloud environment which charges me for the used Gb.
What I think that might be the conflict is the directive && rm -rf /var/lib/mysql && mkdir -p /var/lib/mysql at the line 32 of the Dockerfile when it is said to be removed the /var/lib/mysql folder and recreated. I believe that this is being done so the folder ends up with the right permissions.
But, as long as I’ve mapped this folder to one of the host, docker can’t remove it because it is trying actually to remove a folder on the host from the container, and this perhaps isn’t allowed due to file permissions at the host.
I’m not completely sure about that, but I think that this is denying the container to be built properly. I’m gonna try to implement this with these changes on the Dockerfile to see if I can have any success.
And perhaps my lack of knowledge in docker is causing this trouble. Perhaps the VOLUME directive inside the Dockerfile can solve it all and I’m trying to overkill it using the -v parameter. I’m still not sure about it and I’m gonna do some more research about it.
Please let me know your findings as well. Perhaps we can find a solution which fulfills both requirements.
Regards,
Thiago Lima
-
::
Hi Axel,
I think I was right regarding the directive && rm -rf /var/lib/mysql && mkdir -p /var/lib/mysql at the line 32 of the Dockerfile. I’ve tried to build the server from scratch following each step of the Dockerfile and it fails on this step with the error message "rm: cannot remove '/var/lib/mysql': Device or resource busy".
So, first of all, I’ve changed the Dockerfile to just remove the content of the directory instead of removing it all. So, the line 32 now is && rm -rf /var/lib/mysql/*.
Well, one issue solved. But following the steps I wasn’t still able to run the container. Looking further on the container logs, I’ve noticed the following error message:
[ERROR] /usr/sbin/mysqld: unknown option '--skip-host-cachenskip-name-resolve'
So I double checked the Dockerfile and saw that there’s a typo at the line 37. Then I’ve changed it to the following:
&& echo 'skip-host-cache\nskip-name-resolve' | awk '{ print } $1 == "[mysqld]" && c == 0 { c = 1; system("cat") }' /etc/mysql/my.cnf > /tmp/my.cnf
And at last, I was still getting the error message [ERROR] Fatal error: Please read "Security" section of the manual to find out how to run mysqld as root. Doing some research, I saw that the mysql was being tried to run as root. So, I’ve changed the last line of the Dockerfile to CMD ["mysqld", "--user=mysql"] and I was able to run the container.
Well, now I’m going to run the console and server containers and check if everything is working. I’ll let you guys know as soon as I get something. I hope this troubleshooting can be useful for the PandoraFMS community and that you can use the information aforementioned to improve the Dockerfile and the PandoraFMS-MySQL image at DockerHub. 😀
Regards,
Thiago Lima
-
::
Hi Axel,
With these changes on Dockerfile I wasn’t able to connect onto the database :/
So, I was inspecting the Dockerfile for the default mysql:5.6 image and they are almost the same with the pandorafms/pandorafms-mysql:6. So, I decided to go with a default mysql:5.6 image rather than the PandoraFMS one. Since I was using PandoraFMS on AWS with RDS with no problem, I don’t think this is gonna be an issue.
Then I was able to run all of the containers. Here are the commands I’ve used in order to start all of them:
- docker run -idt --name PandoraFMS-MySQL --network PandoraFMS -v /mnt/pandorafms/mysql/var/lib/mysql:/var/lib/mysql -v /mnt/pandorafms/mysql/etc/mysql:/etc/mysql -e MYSQL_ROOT_PASSWORD=pandora -e MYSQL_DATABASE=pandora -e MYSQL_USER=pandora -e MYSQL_PASSWORD=pandora mysql:5.6
- docker run -idt --name PandoraFMS-Console --network PandoraFMS -p 8022:8022 -p 8023:8023 --link PandoraFMS-MySQL:mysql -e PANDORA_DB_HOST=172.18.0.2:3306 -e PANDORA_DB_PASSWORD=pandora -e PANDORA_DB_USER=pandora -e PANDORA_DB_NAME=pandora pandorafms/pandorafms-console:6
- docker run -idt --name PandoraFMS-Server --network PandoraFMS -v /mnt/pandorafms/server/var/spool/pandora:/var/spool/pandora -e PANDORA_DB_HOST=172.18.0.2:3306 -e PANDORA_DB_PASSWORD=pandora -e PANDORA_DB_USER=pandora -e PANDORA_DB_NAME=pandora pandorafms/pandorafms-server:6
But now, the only page that I’m able to see when I try to reach the IP Address of the Console container on port 80 is the apache default page. I’ve tried to run on a lab machine the same environment but strictly following the documentation regarding the installation under docker (http://wiki.pandorafms.com/index.php?title=Pandora:Documentation_en:Installing#Installation_under_Docker) and yet still I’m only able to see the apache default page. When I try to access the path /install.php I can’t access it either.
Could you please let me know if something is missing at this point most specifically regarding the Console container?
Regards,
Thiago Lima
-
::
Hello Thiago.
I’m glad you sorted that out! We’re still looking into it to see if we can adapt our MySQL image to a different folder.
You should access /pandora_console/install.php, not just /install.php.
Double check in the console container if the route /var/www/html/pandora_console is present! (it should be)
-
::
Hi Axel,
That would be good to have a different image so you can use the -v option, I think. This could ease three scenarios:
- When you don’t want to use the inner disk of your docker host for some reason (for me it is because I think it is easier to manage on my Cloud provider – Oracle);
- When you want to be sure where and what it is the volume for your container (let’s say you have lots of MySQL images into your host, it could be difficult to identify which one is which and then perform backups, maintenance, and so on);
- When you wanna have a distributed MySQL farm onto different host machines.
That’s just my opinion, of course. I’m not even that much experienced with docker yet, but according to some reading about it on the documentation and some other sources, these are the reasons I can think of right now.
Regarding the Console issue, yes. You are completely right. Actually before your post I was able to check this getting access to the console container bash. After this step I could inspect the proper path to the destination. I was going to let you know that, sorry for the delay 🙂
Now I have just one more thing to figure out and it is how to bypass the install since I’m migrating an already running PandoraFMS build to a Docker Container environment. This is where I’m gonna spend some time now.
But thank you for all of your help so far! It is being very good to share these steps with you.
-
::
Hi Axel,
Here come some troubles with the initial setup:
Inside the official image for the Console (pandorafms/pandorafms-console:6), the install.php file is renamed as install.php.done. That’s odd, but I had to rename it back to install.php in order for the initial wizard to run properly;
When using any version of MySQL (5.6, 5.7 or latest), when I try to create the database on step 3 (or use the existing one), I insert all of the needed information as per the MySQL container creation (root password, database name and MySQL host). But it fails with the following error message:
- Invalid default value for 'last_pass_change'
Investigating a little further about it, I saw that the default script tries to create the table tusuario with the following parameter:
- `last_pass_change` DATETIME NOT NULL DEFAULT 0
Well, as it seems, 0 isn’t an accepted value for DATETIME, so you should use CURRENT_TIMESTAMP instead:
- `last_pass_change` DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
It fails for fields last_pass_change and last_failed_login. So it must be changed on both of them so the table can get properly created.
So I ran the two scripts for the following step manually inside MySQL and the database is created. But I can’t get the system running anyways.
I had to do that because the system won’t start because of the wizard. I’ve tried to follow it telling that I already have a database so it could do the remaining routines to get the system done. But since this query fails, I can proceed with the deploy. When I restart the server, I get the following error message:
- DBD::mysql::st execute failed: Table 'pandora.tconfig' doesn't exist at /usr/lib/perl5/PandoraFMS/DB.pm line 576.
Before I was able to run the server because I have ~~cheated~~ put a backup of the database and the table was being found. (rs)
Now I can see two paths:
- Deviate from the initial wizard;
- Solve all of these issues.
I think the first one will be the fastest and the one that will attend me right now. Could you please help me on this then I can help you on any further test if you need to?
-
::
EDIT: I’ve just discovered that, according to Docker’s official documentation, environment variable injection does not work when you use the --network feature, so you’ll need to be careful and specify the environment variables yourself when creating the console and server containers:
One notable missing functionality compared to legacy links is the injection of environment variables. Though very useful, environment variable injection is static in nature and must be injected when the container is started. One cannot inject environment variables into a running container without significant effort and hence it is not compatible with docker network which provides a dynamic way to connect/ disconnect containers to/from a network.
(Source)
Hi Thiago,
I’ve been able to replicate your issue. I solved it using the mysql:5.5 docker (our official supported MySQL version). The steps I followed:
docker run --name some-mysql -e MYSQL_ROOT_PASSWORD=pandora -d mysql:5.5
docker run --name pandorafms-console -p 80:80 -p 8022:8022 -p 8023:8023 --link some-mysql:mysql -d pandorafms/pandorafms-console:6
Then, we need to enter to the console container and remove a couple of files:
docker exec -it pandorafms-console mv -f /var/www/html/pandora_console/install.php.done /var/www/html/pandora_console/install.php
docker exec -it pandorafms-console rm -f /var/www/html/pandora_console/include/config.php
After that, access Pandora FMS’s console and do the installation. In the MySQL step, when you type the hostname, you’ll be prompted for the IP of the console’s container. Do an ifconfig and select the docker interface (something like 172.17.0.5).
Finally, we need to start the server:
docker run -p 41121:41121 --link some-mysql:mysql -d pandorafms/pandorafms-server:6
Hope this helps! 🙂
-
::
Hi Axel,
Thank you for your edit about the networks and the environment variables. I’ve replicated the tests onto my local machine (my own workstation, actually) and I’m able to run PandoraFMS not using any network parameter.
But we’re intending to build individual networks for each environment on our Moby Dick server in order to increase security. Let me ask you something: Why is it really necessary to use environment variables (through -e option on docker run) since I’m gonna set all of these parameters on install.php anyway?
Another issue that I’ve noticed, even with this limitation, when I launch the container with environment variables and network options, I can see the Env section of the inspect json telling me that the environment variables are set:
"Env": [
  "PANDORA_DB_HOST=mysql:3306",
  "PANDORA_DB_PASSWORD=pandora",
  "PANDORA_DB_USER=pandora",
  "PANDORA_DB_NAME=pandora",
  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
Besides, when I launch the container using both of these parameters, I still can get the information from the environment variable as follows:
$ docker run -idt --name PandoraFMS-Console --network PandoraFMS -p 8022:8022 -p 8023:8023 -e PANDORA_DB_HOST=172.18.0.19:3306 -e PANDORA_DB_PASSWORD=pandora -e PANDORA_DB_USER=pandora -e PANDORA_DB_NAME=pandora pandorafms/pandorafms-console:6
$ docker exec -it PandoraFMS-Console printenv PANDORA_DB_HOST
172.18.0.19:3306
So I think the documentation might be outdated or something. At least it doesn’t seem that this limitation is affecting me.
Anyway, I’ve made some adjustments and now I’m able to run the install.php script. But when I get it done, the main page of Pandora FMS gets disfigured and the only thing I can see is the main logo, the user and the password fields. When I try to login using the default credentials (user admin and password pandora), I can’t get access.
I don’t understand why this works on our lab environments but not on my Moby Dick host. Do you have any clue on why this is happening so I can better troubleshoot that over here?
-
::
Axel,
I’m using an Nginx container to reverse proxy the requests towards the Moby Dick host. I’ve lots of web services there so the Nginx can orchestrate the flow and provide an additional security layer. If I set docker to publish some port directly (e.g. 9080 of the host to 80 of the container), the page works flawlessly. So I think that it can be some misconfiguration of the reverse proxy. Perhaps the PHP part isn’t working properly.
I’m gonna solve this and then I’m gonna build some summarized tutorial on how to start PandoraFMS using the -v parameter for Database persistence, --network for environment isolation and some other info. So people can get that easily in the future.
Thank you again for all the help and for all the talking. It’s been an awesome learning process here about docker and also about PandoraFMS.
-
::
Hi Axel,
It was really some misconfiguration on Nginx reverse proxy that was affecting my installation. I was making access using SSL on port 443 to the reverse proxy and it was proxy passing the access to PandoraFMS Console on port 80. Well, Google Chrome intercepts this port and protocol change and flags the access as insecure, giving me the following error message:
Mixed Content: The page at 'https://servername/pandora_console/index.php' was loaded over HTTPS, but requested an insecure script 'http://servername/pandora_console/include/graphs/flot/pandora.flot.js'. This request has been blocked; the content must be served over HTTPS.
The way out (since I really do wanna use SSL) was to enable mod_ssl.so onto the Apache of the PandoraFMS Console container, but it isn’t installed and I’m unable to install it using apt as well.
Why isn’t it ready for SSL already? Could you please help me on enabling mod_ssl.so in order to be able to only communicate using SSL between the containers?
Regards,
Thiago Lima
-
-
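An added example (not part of the original posts, and not Pandora FMS code): a way to confirm the mixed-content symptom above from a saved copy of the page. It lists subresources an HTTPS page would fetch over plain HTTP, which is what appears when TLS ends at the reverse proxy while the console behind it still emits http:// URLs; the sample HTML is constructed and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute that names the subresource. "Active" content is blocked on
# an HTTPS page; "passive" content has historically loaded with a warning.
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

# Constructed sample page. Only the pandora.flot.js URL comes from the error
# message quoted in the thread; every other reference is made up.
SAMPLE_PAGE_URL = "https://servername/pandora_console/index.php"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="include/styles/constructed.css">
<script src="http://servername/pandora_console/include/graphs/flot/pandora.flot.js"></script>
<script src="//servername/pandora_console/constructed.js"></script>
</head><body>
<img src="http://servername/pandora_console/constructed-logo.png">
<a href="http://servername/pandora_console/index.php">home</a>
</body></html>
"""


class _Finder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
            # Only stylesheet links are treated as active subresources here.
            rel = (attributes.get("rel") or "").lower()
            if tag == "link" and "stylesheet" not in rel:
                return
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return  # plain hyperlinks (<a href>) are navigation, not subresources
        ref = attributes.get(attr)
        if not ref:
            return
        # Relative and protocol-relative references inherit the page's scheme.
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return (kind, tag, url) for each plain-HTTP subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = _Finder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```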
::
Hi Axel,
Thank you for that information, I’ve forgotten this option. But I’ve done that and yet still I’m unable to bind on HTTPS port. Inspecting the container, I can see that the 443 port isn’t exposed:
"Ports": {
  "162/udp": null,
  "41121/tcp": null,
  "80/tcp": null,
  "8022/tcp": [ { "HostIp": "0.0.0.0", "HostPort": "8022" } ],
  "8023/tcp": [ { "HostIp": "0.0.0.0", "HostPort": "8023" } ]
}
So I’ve launched it once again with the --expose argument in order to make the 443 port available for connections.
After that, I’ve seen that the bind with SSL was still being refused. So I’ve run netstat -lnp and this is the output:
$ docker exec -it PandoraFMS-Console netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.11:41124   0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:8022       0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:8023       0.0.0.0:*        LISTEN  -
tcp        0      0 :::80              :::*             LISTEN  39/httpd
udp        0      0 127.0.0.11:45726   0.0.0.0:*
Checking the available mods, the mod_ssl wasn’t installed either. So I’ve run the following command:
docker exec -it PandoraFMS-Console yum -y install mod_ssl
But it fails with the following message:
error: %posttrans(httpd-2.2.15-54.el6.centos.x86_64) scriptlet failed, signal 15
Error in POSTTRANS scriptlet in rpm package httpd-2.2.15-54.el6.centos.x86_64
Which seems to be some bug regarding the SELINUX. Well, at this point I’d like to ask you for a Console image ready for SSL since it is not just an application issue. Could you please consider that?
-
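An added example (not part of the original posts, and not Pandora FMS code): a small Python audit of `docker inspect` output like the `Env` and `Ports` fragments quoted in this thread. It reports credentials passed with -e, which stay readable to anyone who can inspect the container, and ports published on every host interface; the sample JSON is constructed from the values shown in the posts, and the variable-name pattern and function names are assumptions.

```python
import json
import re
import sys

# Constructed sample: the Env and Ports fragments from the thread, placed in
# the structure that `docker inspect <container>` prints (a JSON list).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/PandoraFMS-Console",
    "Config": {"Env": [
        "PANDORA_DB_HOST=mysql:3306",
        "PANDORA_DB_PASSWORD=pandora",
        "PANDORA_DB_USER=pandora",
        "PANDORA_DB_NAME=pandora",
        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    ]},
    "NetworkSettings": {"Ports": {
        "162/udp": None,
        "41121/tcp": None,
        "80/tcp": None,
        "8022/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8022"}],
        "8023/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8023"}],
    }},
}])

# Assumption: variable names matching this pattern hold credentials.
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.IGNORECASE)
# An empty HostIp, 0.0.0.0 or :: means "every interface of the host".
ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_container(container):
    """Return (container, finding, detail) tuples for one inspect record."""
    name = container.get("Name", "?").lstrip("/")
    findings = []
    for entry in (container.get("Config") or {}).get("Env") or []:
        key, _, value = entry.partition("=")
        if value and SECRET_NAME.search(key):
            # Report the variable name only, never the secret itself.
            findings.append((name, "secret-in-env", key))
    ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
    for port, bindings in sorted(ports.items()):
        for binding in bindings or []:  # null means exposed but not published
            if binding.get("HostIp", "") in ALL_INTERFACES:
                detail = f"{port} on host port {binding.get('HostPort')}"
                findings.append((name, "published-on-all-interfaces", detail))
    return findings


def audit(inspect_json):
    """Audit the JSON text printed by `docker inspect`."""
    return [f for c in json.loads(inspect_json) for f in audit_container(c)]


if __name__ == "__main__":
    # Usage: docker inspect PandoraFMS-Console > c.json && python audit.py c.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for finding in audit(text):
        print(*finding, sep="\t")
```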
::
Hi Axel,
I’ve built my own image which is ready for SSL. It is hosted as a public image so anyone can pull from Dockerhub and following you can find the Dockerfile so people can see how it was built.
It was built based on the PHP official docker image and the main difference is that it was based on Debian. I don’t think it would be an issue because nowadays I’m running it over Ubuntu (on my legacy environment not Dockerized). It seems to be working, I’ll let you know about any issue I could find. Feel free to have a look, use it, and of course to suggest any enhancements.
Here it goes:
Dockerhub: https://hub.docker.com/r/tdsis/pandorafms-console/
Dockerfile:
FROM php:5.6.25-apache
RUN apt-get update && apt-get install -y -o Dpkg::Options::="--force-confnew" libapache2-mod-php5 php5 php5-mysql php5-gd php5-curl php-pear php5-snmp php-db php-gettext graphviz php5-xmlrpc php5-ldap dbconfig-common mysql-client ssl-cert
COPY apache2-foreground /usr/local/bin/
COPY pandorafms.console_6.0SP3.deb /tmp/
COPY pandorafms.conf /etc/apache2/sites-available/
RUN dpkg -i /tmp/pandorafms.console_6.0SP3.deb && apt-get -f install
WORKDIR /etc/apache2/mods-enabled
RUN ln -s ../mods-available/ssl.conf ssl.conf \
 && ln -s ../mods-available/ssl.load ssl.load \
 && ln -s ../mods-available/rewrite.load rewrite.load \
 && ln -s ../mods-available/socache_shmcb.load socache_shmcb.load
WORKDIR /etc/apache2/sites-enabled
RUN rm -f 000-default.conf \
 && rm -f default-ssl.conf \
 && ln -s ../sites-available/pandorafms.conf pandorafms.conf
ENV MAX_INPUT_TIME=-1
ENV MAX_EXECUTION_TIME=0
ENV UPLOAD_MAX_FILESIZE=800M
ENV MEMORY_LIMIT=1024M
RUN sed -i "s/max_input_time = 60/max_input_time = ${MAX_INPUT_TIME}/g" /etc/php5/apache2/php.ini \
 && sed -i "s/max_execution_time = 30/max_execution_time = ${MAX_EXECUTION_TIME}/g" /etc/php5/apache2/php.ini \
 && sed -i "s/upload_max_filesize = 2M/upload_max_filesize = ${UPLOAD_MAX_FILESIZE}/g" /etc/php5/apache2/php.ini \
 && sed -i "s/memory_limit = 128M/memory_limit = ${MEMORY_LIMIT}/g" /etc/php5/apache2/php.ini \
 && sed -i "s/pcntl_exec,//g" /etc/php5/apache2/php.ini
RUN apt-get autoremove -y && apt-get autoclean
EXPOSE 80 443 41121 162/udp
CMD ["apache2-foreground"]
Now I’ve pulled the pandorafms/pandorafms-server:6 image and the Server is running as well. I’m gonna perform some tests and I’ll share here the results. Thank you for all the helping so far.
Regards!