Atlassian public docker hub images updated massively

Daniele Cortis January 31, 2024

Hello,

in our environment, we use Confluence, Jira, and Bitbucket on Kubernetes. We noticed that the pod containing the Jira image (version 9.4.14) no longer starts. In the logs we observed the following:

INFO:root:Generating /opt/atlassian/jira/conf/server.xml from template server.xml.j2
WARNING:root:Permission problem writing '/opt/atlassian/jira/conf/server.xml'; skipping
INFO:root:Generating /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml from template seraph-config.xml.j2
WARNING:root:Permission problem writing '/opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml'; skipping
INFO:root:/var/atlassian/application-data/jira/dbconfig.xml exists; skipping.
INFO:root:Running Jira with command '/opt/atlassian/jira/bin/start-jira.sh', arguments ['/opt/atlassian/jira/bin/start-jira.sh', '-fg']
Traceback (most recent call last):
  File "/entrypoint.py", line 31, in <module>
    exec_app([f'{JIRA_INSTALL_DIR}/bin/start-jira.sh', '-fg'], JIRA_HOME,
  File "/entrypoint_helpers.py", line 168, in exec_app
    os.execv(cmd, args)
PermissionError: [Errno 13] Permission denied

We noticed that the permissions on the "/opt/atlassian/jira" folder have changed (from rwxr-xr-x jira root to r-xr-x--- jira root). After our investigation we found that version 9.4.14 (and many others) of the Jira image, released in December, was updated three days ago by "rtcentraluploader". We can also confirm that Confluence and Bitbucket have the same permission issue (in /opt/atlassian/confluence and /opt/atlassian/bitbucket).

Did anyone have the same problem?

Thanks.

1 answer

0 votes
Yevhen
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 31, 2024

@Daniele Cortis Permissions for the install dir have indeed been updated. However, it looks like you start containers as some different user. The Jira (like Confluence and Bitbucket) user has read and execute permissions for the install directory (550). Can you share the securityContext that you use?

Also, I expected to find the following line just before Running Jira with command:

INFO:root:User is currently root. Will downgrade run user to jira

 

Or if you run container as jira user, it should say, running as current user.

Daniele Cortis January 31, 2024

@Yevhen in our environment we have more than 200 applications. We mount the data folder of the application on an NFS. In order to access this filesystem we use a specific Active Directory user, which is different for each microservice, so each microservice starts with a specific uid/gid and we cannot switch to the users jira, bitbucket and confluence.

Yevhen
Atlassian Team
January 31, 2024

I see. Access to others has been revoked on purpose, following recent DC CVEs. Is it an option for you to make nfs dirs writable for the respective container users and run containers with the default securityContext?

Also, it'd be great if you can share your existing securityContext. I think it's runAsGroup that makes things break. Will it work for you to keep runAsUser: <your-nfs-user> but drop runAsGroup or set it to 0? This way, a user will belong to a root group and root group has rx permissions for the install dir, and at the same time this user is allowed to read and write to your nfs partition.
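The permission-class logic behind the runAsGroup suggestion above, as an added example that is not part of the original thread or of Atlassian's code. It models the standard POSIX owner/group/other check for a non-root identity; the numeric jira uid and the per-service NFS uid are assumed values, since the thread gives only the names "jira" and "root".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    uid: int                         # securityContext.runAsUser
    gid: int                         # effective primary group (runAsGroup)
    groups: frozenset = frozenset()  # supplementary groups, e.g. fsGroup

BITS = {"r": 4, "w": 2, "x": 1}

def permission_class(who, owner_uid, group_gid):
    """POSIX picks exactly one class: owner, else group, else other."""
    if who.uid == owner_uid:
        return "owner"
    if who.gid == group_gid or group_gid in who.groups:
        return "group"
    return "other"

def can_access(who, owner_uid, group_gid, mode, want):
    """True if a non-root identity is granted every letter in `want`."""
    cls = permission_class(who, owner_uid, group_gid)
    granted = (mode >> {"owner": 6, "group": 3, "other": 0}[cls]) & 7
    needed = sum(BITS[c] for c in want)
    return granted & needed == needed

# Assumed values: the thread names the owner "jira" and group "root" only.
JIRA_UID, ROOT_GID = 2001, 0
NFS_UID = 15001                      # constructed per-service NFS uid

def scenarios():
    own_group = Identity(NFS_UID, NFS_UID)    # runAsUser and runAsGroup = NFS ids
    root_group = Identity(NFS_UID, ROOT_GID)  # runAsUser kept, group 0
    return {
        "old 755, own group": can_access(own_group, JIRA_UID, ROOT_GID, 0o755, "rx"),
        "new 550, own group": can_access(own_group, JIRA_UID, ROOT_GID, 0o550, "rx"),
        "new 550, group 0": can_access(root_group, JIRA_UID, ROOT_GID, 0o550, "rx"),
        "new 550, group 0, write": can_access(root_group, JIRA_UID, ROOT_GID, 0o550, "w"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26} -> {'allowed' if ok else 'denied'}")
```

With mode 550 an arbitrary uid falls into the "other" class and loses read and execute on the install directory; membership in group 0 restores both without granting write.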

Haquiel Jusino
I'm New Here
February 17, 2024

Hello, 

I am currently running into a similar issue. Here are my logs for the issue:

INFO:root:Generating /etc/container_id from template container_id.j2
INFO:root:Generating /opt/atlassian/jira/conf/server.xml from template server.xml.j2
WARNING:root:Permission problem writing '/opt/atlassian/jira/conf/server.xml'; skipping
INFO:root:Generating /opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml from template seraph-config.xml.j2
WARNING:root:Permission problem writing '/opt/atlassian/jira/atlassian-jira/WEB-INF/classes/seraph-config.xml'; skipping
INFO:root:Generating /var/atlassian/application-data/jira/dbconfig.xml from template dbconfig.xml.j2
INFO:root:Generating /var/atlassian/application-data/jira/cluster.properties from template cluster.properties.j2
WARNING:root:Unsetting environment var ATL_JDBC_PASSWORD
INFO:root:Running Jira with command '/opt/atlassian/jira/bin/start-jira.sh', arguments ['/opt/atlassian/jira/bin/start-jira.sh', '-fg']
executing as current user

and for reference, here is the securityContext:

securityContextEnabled: true
securityContext:
  fsGroup: 2001
containerSecurityContext:
  runAsUser: 2001
Yevhen
Atlassian Team
February 17, 2024