
I tried to set up Mandos inside a Docker container and failed with D-Bus errors. It's possible to run the server without D-Bus, but mandos-ctl and mandos-monitor need D-Bus to run.

My Dockerfile:

FROM ubuntu:16.04
RUN locale-gen de_DE.UTF-8
ENV TERM=xterm
RUN apt-get update \
    && apt-get install -y mandos \
        fping \
        dbus \
    && rm -rf /var/lib/apt/lists/*

Build it: docker build -t mandos-server .

If I mount /var/run/dbus from the host and start the container with:

docker run -v /dev/log:/dev/log -v /var/run/dbus:/var/run/dbus -it mandos-server bash

and then start mandos --debug, I get the following errors:

2016-06-16 15:26:30,278 root [11]: DEBUG: Did setuid/setgid to 108:111
2016-06-16 15:26:30,280 root [11]: ERROR: Disabling D-Bus:
Traceback (most recent call last):
  File "/usr/sbin/mandos", line 3009, in main
    do_not_queue=True)
  File "/usr/lib/python2.7/dist-packages/dbus/service.py", line 131, in __new__
    retval = bus.request_name(name, name_flags)
  File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 303, in request_name
    'su', (name, flags))
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.362" is not allowed to own the service "se.recompile.Mandos" due to security policies in the configuration file

Second trial: starting the container without mounting D-Bus:

docker run -v /dev/log:/dev/log -it mandos-server bash

and starting dbus by hand:

/etc/init.d/dbus start
 * Starting system message bus dbus                                [ OK ]

mandos --debug leads to the following error:

2016-06-16 15:36:38,338 root [40]: DEBUG: Did setuid/setgid to 108:111
2016-06-16 15:36:38,353 root [40]: WARNING: Could not load persistent state: No such file or directory
2016-06-16 15:36:38,359 root [40]: WARNING: No clients defined
2016-06-16 15:36:38,361 root [40]: INFO: Now listening on address '::', port 39145, flowinfo 0, scope_id 0
2016-06-16 15:36:38,363 dbus.proxies [40]: ERROR: Introspect error on org.freedesktop.Avahi:/: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user

2016-06-16 15:36:38,363 dbus.proxies [40]: DEBUG: Executing introspect queue due to error
2016-06-16 15:36:38,363 root [40]: CRITICAL: D-Bus Exception
Traceback (most recent call last):
  File "/usr/sbin/mandos", line 3415, in main
    service.activate()
  File "/usr/sbin/mandos", line 470, in activate
    self.server_state_changed(self.server.GetState())
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user

Any idea what's going wrong, and maybe a solution?

user2638109

3 Answers


That error message (on that line) does not refer to Mandos’ usage of D-Bus to be able to be controlled by mandos-ctl and mandos-monitor – it refers to Mandos’ use of D-Bus to communicate with Avahi in order to ask Avahi to announce Mandos’ Zeroconf service. You can either avoid announcing a Zeroconf service (but be aware that Mandos clients by default use Zeroconf to find the server) by using the --no-zeroconf option, or you could make sure that Mandos is able to communicate with Avahi from inside the Docker container.

Teddy

Docker Plex provides the following instructions to address a comparable issue:

Secure method

NOTE: due to some problems inside Plex, it appears not to know its local IP address inside the Docker subnet, preventing local discovery from working. If you really want to use this feature, look below for the insecure method.

Avahi daemon is commonly used to help your computers to find the services provided by a server.

Avahi isn't built into this Docker image because, due to Docker's networking limitations, Avahi can't spread its messages to announce the services outside the Docker virtual network.

If you want to enable this feature, you can install the Avahi daemon on your host following these steps (Ubuntu version):

  • Install avahi-daemon: run sudo apt-get install avahi-daemon avahi-utils
  • Copy the file from avahi/nsswitch.conf to /etc/nsswitch.conf
  • Copy the service description file from avahi/plex.service to /etc/avahi/services/plex.service
  • Restart Avahi's daemon: sudo /etc/init.d/avahi-daemon restart

But why do you need to install this on your host and not in the container? Because if you don't do it this way, the discovery message won't be able to reach your computers.

What will I get with this approach? The service will be announced on the network, but you will have to log in with your account to detect your server. Also, all the streaming you receive is going to be reduced, as if you were on an external network.

While this may be the right idea, I was unable to find enough parallels in Mandos to complete the procedure successfully. In particular, I didn't find a mandos.service (or similar) in any of the install directories. I'll also draw attention to the statement "The service will be announced on the network, but you will have to login with your account to detect your server." I'm not clear if this would be fatal for Mandos or not.

claytond
Comment: Mandos listens on a dynamic port number by default, so it has no .service file – Mandos announces itself to Avahi via its D-Bus interface. However, if you configured the Mandos server to use a specific port in its configuration, you could turn off ZeroConf in Mandos and write a service file (announcing that port) for Avahi to use. – Teddy Dec 30 '16 at 22:26
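The fixed-port variant from the comment above, worked through as an added example (this is not code from the Mandos project or from any poster here): Mandos is pinned to one port with Zeroconf turned off, and the host's Avahi announces that port from a static service file. It assumes the Mandos clients browse for the service type _mandos._tcp (verify against mandos(8) for your version), that mandos.conf takes its [DEFAULT] section as shown, and that the port matches the one the container publishes.

```shell
#!/bin/sh
# Added example, not Mandos project code. Renders the two files needed for
# the "fixed port, Avahi on the host" setup: an Avahi service file for the
# host and a mandos.conf [DEFAULT] section for the container.
# Assumption: clients browse for "_mandos._tcp" (check mandos(8)).
set -eu

MANDOS_PORT="${MANDOS_PORT:-55555}"   # same port as EXPOSE in the Dockerfile

# Avahi service file for the host: /etc/avahi/services/mandos.service.
# %h is expanded by Avahi to the host name because replace-wildcards="yes".
avahi_service_xml() {
  port="$1"
  cat <<EOF
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">Mandos on %h</name>
  <service>
    <type>_mandos._tcp</type>
    <port>${port}</port>
  </service>
</service-group>
EOF
}

# [DEFAULT] section for the container's /etc/mandos/mandos.conf: fixed port,
# no Zeroconf announcement from Mandos itself (the host's Avahi does that),
# D-Bus left on so mandos-ctl and mandos-monitor keep working in the container.
mandos_conf_ini() {
  port="$1"
  cat <<EOF
[DEFAULT]
port = ${port}
zeroconf = no
use_dbus = yes
EOF
}

# Write both files under a root directory ("/" on the host, or the Docker
# build context so COPY ./config/mandos.conf picks the container copy up).
render_into() {
  root="$1"; port="$2"
  mkdir -p "$root/etc/avahi/services" "$root/etc/mandos"
  avahi_service_xml "$port" > "$root/etc/avahi/services/mandos.service"
  mandos_conf_ini "$port" > "$root/etc/mandos/mandos.conf"
}

out="${1:-$(mktemp -d)}"
render_into "$out" "$MANDOS_PORT"
echo "Rendered mandos.service and mandos.conf under $out"
```

After copying the service file into place on the host, restart avahi-daemon there; Mandos clients that still rely on Zeroconf then find the server through the host's announcement instead of one from inside the container.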

I don't know what's wrong... but my answer to this post was deleted. Here is the full solution:

Dockerfile:

FROM ubuntu:14.04

RUN apt-get update \
    && apt-get install -y supervisor \
        mandos \
        fping \
        rsyslog \
        dbus \
        avahi-daemon \
        avahi-utils \
        libnss-mdns \
    && mkdir -p /var/log/supervisor \
    && mkdir -p /var/run/rsyslog \
    && mkdir -p /var/run/dbus \
    && sed -i.bak s/xconsole/console/g /etc/rsyslog.conf \
    && rm -rf /var/lib/apt/lists/*

COPY ./config/mandos.conf /etc/mandos/mandos.conf
COPY ./config/clients.conf /etc/mandos/clients.conf
COPY ./config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf

EXPOSE 55555
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

supervisord config file:

[supervisord]
nodaemon=true
#loglevel=debug

[program:rsyslog]
command=/usr/sbin/rsyslogd -n
autostart=true
autorestart=true
redirect_stderr=true

[program:dbus]
command=/bin/sh -c "rm /var/run/dbus/pid || true && dbus-daemon --system --nofork"
priority=1
redirect_stderr=true

[program:avahi-daemon]
command=/usr/sbin/avahi-daemon --no-chroot

[program:mandos]
command=mandos --foreground

The mandos.conf and clients.conf files are from a default mandos installation.

Hope this works for others.

user2638109