docker secrets with non root user











up vote
0
down vote

favorite












I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


I tried different solutions in my docker compose:
1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
2. Settting the mode to 0444 and even 0777



But none of these have worked, only using root allows me to use these secrets.



Any idea?



Bonus question: will it be the same issue within kubernetes?



The dockerfile:



FROM parity/parity:v2.2.1

LABEL maintainer="vincent@serpoul.com"



# SAD but It seems impossible to read the secrets otherwise

USER root



VOLUME ["/home/parity/.local/share/io.parity.ethereum"]



ADD ./configPoANode.toml /home/parity/configPoANode.toml

ADD ./PoA.json /home/parity/PoA.json

ADD ./entrypoint.sh /home/parity/entrypoint.sh



ENTRYPOINT ["/home/parity/entrypoint.sh"]


appendix: repository (with user ROOT in the dockerfile):






docker security docker-secrets







share|improve this question




























    up vote
    0
    down vote

    favorite












    I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



    Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


    I tried different solutions in my docker compose:
    1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
    2. Settting the mode to 0444 and even 0777



    But none of these have worked, only using root allows me to use these secrets.



    Any idea?



    Bonus question: will it be the same issue within kubernetes?



    The dockerfile:



    FROM parity/parity:v2.2.1
    
LABEL maintainer="vincent@serpoul.com"
    

    
# SAD but It seems impossible to read the secrets otherwise
    
USER root
    

    
VOLUME ["/home/parity/.local/share/io.parity.ethereum"]
    

    
ADD ./configPoANode.toml /home/parity/configPoANode.toml
    
ADD ./PoA.json /home/parity/PoA.json
    
ADD ./entrypoint.sh /home/parity/entrypoint.sh
    

    
ENTRYPOINT ["/home/parity/entrypoint.sh"]


    appendix: repository (with user ROOT in the dockerfile):






    docker security docker-secrets







    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



      Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


      I tried different solutions in my docker compose:
      1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
      2. Settting the mode to 0444 and even 0777



      But none of these have worked, only using root allows me to use these secrets.



      Any idea?



      Bonus question: will it be the same issue within kubernetes?



      The dockerfile:



      FROM parity/parity:v2.2.1
      
LABEL maintainer="vincent@serpoul.com"
      

      
# SAD but It seems impossible to read the secrets otherwise
      
USER root
      

      
VOLUME ["/home/parity/.local/share/io.parity.ethereum"]
      

      
ADD ./configPoANode.toml /home/parity/configPoANode.toml
      
ADD ./PoA.json /home/parity/PoA.json
      
ADD ./entrypoint.sh /home/parity/entrypoint.sh
      

      
ENTRYPOINT ["/home/parity/entrypoint.sh"]


      appendix: repository (with user ROOT in the dockerfile):






      docker security docker-secrets







      share|improve this question















      I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



      Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


      I tried different solutions in my docker compose:
      1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
      2. Settting the mode to 0444 and even 0777



      But none of these have worked, only using root allows me to use these secrets.



      Any idea?



      Bonus question: will it be the same issue within kubernetes?



      The dockerfile:



      FROM parity/parity:v2.2.1
      
LABEL maintainer="vincent@serpoul.com"
      

      
# SAD but It seems impossible to read the secrets otherwise
      
USER root
      

      
VOLUME ["/home/parity/.local/share/io.parity.ethereum"]
      

      
ADD ./configPoANode.toml /home/parity/configPoANode.toml
      
ADD ./PoA.json /home/parity/PoA.json
      
ADD ./entrypoint.sh /home/parity/entrypoint.sh
      

      
ENTRYPOINT ["/home/parity/entrypoint.sh"]


      appendix: repository (with user ROOT in the dockerfile):






      docker security docker-secrets




      docker security docker-secrets






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 20 at 8:57

























      asked Nov 20 at 3:47









      VincentSerpoul

      155214




      155214
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer





















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53385930%2fdocker-secrets-with-non-root-user%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer





















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59















          up vote
          0
          down vote













          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer





















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59













          up vote
          0
          down vote










          up vote
          0
          down vote









          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer












          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 20 at 7:13









          lependu

          669314




          669314












          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59


















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59
















          The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
          – VincentSerpoul
          Nov 20 at 7:50




          The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
          – VincentSerpoul
          Nov 20 at 7:50












          Did you try to chown the added files?
          – lependu
          Nov 20 at 7:54






          Did you try to chown the added files?
          – lependu
          Nov 20 at 7:54














          Also note that in this case i think COPY is more appropiate than ADD.
          – lependu
          Nov 20 at 7:58






          Also note that in this case i think COPY is more appropiate than ADD.
          – lependu
          Nov 20 at 7:58














          Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
          – VincentSerpoul
          Nov 20 at 8:59




          Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
          – VincentSerpoul
          Nov 20 at 8:59


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53385930%2fdocker-secrets-with-non-root-user%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          To store a contact into the json file from server.js file using a class in NodeJS

          Image
          0 I have created three files -contactPresentation.js, contactService.js, contacts.json. I will run the contactService.js file. And it will navigate to contactPresentation.js file that will only choose an option to either add or display a file. If add(), then add the data into add of service file.And the data will be added to the contacts.json file . And if display(), then display the display() of service file. And the display will take the data from contacts.json file. However, i know my code is flawed. Please correct it . I am also getting an error - this.contacts.push(new ContactService(userName, contactNumber, emailId)); ^ TypeError: Cannot read property 'push' of undefined at ContactService.add (e:NodeJSProjectcontactManager2contactService.js:57:23) at new C
          Read more

          Redirect URL with Chrome Remote Debugging Android Devices

          Image
          1 How can i redirect an URL with Chrome Remote Debugging Android Devices? like Requestly Chrome extension on desktop. google-chrome debugging url redirect testing share | improve this question edited Nov 24 '18 at 8:16 sachinjain024 14.7k 23 73 129 asked Nov 23 '18 at 16:09 Momen Momen 91 10
          Read more

          Dieringhausen

          Image
          Dieringhausen Stadt Gummersbach 50.982777777778 7.5316666666667 165 Koordinaten: 50° 58′ 58″  N , 7° 31′ 54″  O Höhe: 165  (160–245)  m Einwohner: 5055  (30. Jun. 2016) Postleitzahl: 51645 Vorwahl: 02261 Lage von Dieringhausen in Gummersbach Im Hohl ca. 1927–1930 Ansicht von Südwesten bei Bünghausen Dieringhausen (im örtlichen Dialekt Dierkesen ) ist ein Ortsteil von Gummersbach im Oberbergischen Kreis, Regierungsbezirk Köln, Nordrhein-Westfalen (Deutschland). Inhaltsverzeichnis 1 Geographie 2 Geschichte 3 Kultur 3.1 Sehenswürdigkeiten 3.2 Regelmäßige Veranstaltungen 4 Infrastruktur und Wirtschaft 4.1 Verkehr 4.1.1 Schienen- und Busverkehr 4.1.2 Straßen 4.2 Öffentliche Einrichtungen 4.2.1 Schulen und Bildungseinrichtungen 4.2.2 Kirchliche Einrichtungen 5 Persönlichkeiten 5.1 In Dieringhausen geboren 5.2 In Dieringhausen gelebt 6 Einzelnachweise 7
          Read more