Troubleshooting
Read container logs:
docker logs -f gemnasium
Enter running container:
docker exec -it gemnasium /bin/bash
Known issues
Gemnasium Enterprise uses setcap to allow its process to listen on ports 80 and 443 (unless SSL is disabled by setting REDIRECT_HTTP_TO_HTTPS to false).
Some kernels don’t support capability operations inside containers, especially when AUFS is being used.
To avoid an error while running Gemnasium Enterprise, the api server falls back to using a setuid bit on the server, meaning that in this case the service runs as root inside the container.
While this is not a security issue for your host, it means the api has full control inside the container, including reading passwords and tokens.
If you are unsure whether your system is affected by this issue, check the logs of the api service in /var/log/gemnasium/api/current. If setcap is failing, the message "Warning: setcap not available, falling back to setuid" will be displayed at the top of the log file.
If you want to avoid this issue, you can bind your own ports, higher than 1024, using the env vars GEMNASIUM_API_PORT_8080_TCP_PORT and GEMNASIUM_API_SSL_PORT_8443_TCP_PORT. If they are both above 1024, neither the setcap nor the setuid method will be used, and the webserver will run as a limited-rights user.
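The check described above can be scripted. The following is an added example, not part of the Gemnasium documentation or product: the function name api_privilege_mode, the 20-line "top of the log" window and the sample log are assumptions, and it works on a local copy of the api log.

```bash
#!/usr/bin/env bash
# Added example (not Gemnasium code): classify how the api service gets its
# listening ports, based on the rules stated in the "Known issues" section.

# Warning text quoted on the page.
FALLBACK_MSG='Warning: setcap not available, falling back to setuid'

# Usage: api_privilege_mode LOG_FILE HTTP_PORT HTTPS_PORT
#   LOG_FILE   local copy of /var/log/gemnasium/api/current
#   HTTP_PORT  value used for GEMNASIUM_API_PORT_8080_TCP_PORT
#   HTTPS_PORT value used for GEMNASIUM_API_SSL_PORT_8443_TCP_PORT
# Prints one of: unprivileged | setuid-root | setcap | invalid-port | log-unreadable
api_privilege_mode() {
    local log_file=$1 http_port=$2 https_port=$3 p

    # Reject empty or non-numeric ports before doing integer comparisons.
    for p in "$http_port" "$https_port"; do
        case $p in
            ''|*[!0-9]*) echo invalid-port; return 2 ;;
        esac
    done

    # Page rule: both ports above 1024 means neither setcap nor setuid is used.
    if [ "$http_port" -gt 1024 ] && [ "$https_port" -gt 1024 ]; then
        echo unprivileged
        return 0
    fi

    [ -r "$log_file" ] || { echo log-unreadable; return 2; }

    # The warning is shown at the top of the log; 20 lines is an assumed window.
    # Fixed-string substring match, so a timestamp prefix on the line is tolerated.
    if head -n 20 "$log_file" | grep -qF "$FALLBACK_MSG"; then
        echo setuid-root    # api runs as root inside the container
    else
        echo setcap         # capability granted, no root fallback seen
    fi
    return 0
}

# Constructed sample log: only the warning text comes from the page.
sample_log=$(mktemp)
printf '%s\n' "$FALLBACK_MSG" 'constructed line: api starting' > "$sample_log"
api_privilege_mode "$sample_log" 80 443      # affected host, default ports
api_privilege_mode "$sample_log" 8080 8443   # same host, both ports above 1024
rm -f "$sample_log"
```

To run it against a real instance, copy the top of the log out of the container first, for example with docker exec gemnasium head -n 20 /var/log/gemnasium/api/current redirected to a local file.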