docker secrets with non root user
I have a docker container running with a non-root user for better security, but it seems it can't access the secrets I'm sharing with it:
Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)
I tried different solutions in my docker compose:
1. Setting the uid and gid to 1000 (uid/gid of the user inside the container)
2. Setting the mode to 0444 and even 0777
But none of these have worked; only using root allows me to use these secrets.
Any idea?
Bonus question: will it be the same issue within kubernetes?
The dockerfile:
FROM parity/parity:v2.2.1
LABEL maintainer="vincent@serpoul.com"
# SAD but It seems impossible to read the secrets otherwise
USER root
VOLUME ["/home/parity/.local/share/io.parity.ethereum"]
ADD ./configPoANode.toml /home/parity/configPoANode.toml
ADD ./PoA.json /home/parity/PoA.json
ADD ./entrypoint.sh /home/parity/entrypoint.sh
ENTRYPOINT ["/home/parity/entrypoint.sh"]
appendix: repository (with user ROOT in the dockerfile):
docker security docker-secrets
edited Nov 20 at 8:57
asked Nov 20 at 3:47
VincentSerpoul
1 Answer
This is because you are setting the root user in the docker container, and root owns all the mounted volumes and files, not the parity user, which I am not sure even exists.
I would do the following:
Remove USER root from the dockerfile. It is root by default.
Check if the parity user even exists in the container. If not, create it with the /home/parity directory.
Mount the volume and files as you did.
RUN chown -R parity:parity /home/parity gives the ownership to the newly created user.
Then tell the container to use the newly created user by default with USER parity.
Add the entrypoint; you might need to RUN chmod ug+x /home/parity/entrypoint.sh, which makes it executable for sure.
You are good to go (hopefully); you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.
The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesn't work, which is why I added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesn't seem to be accessible by the user parity.
– VincentSerpoul Nov 20 at 7:50
Did you try to chown the added files?
– lependu Nov 20 at 7:54
Also note that in this case I think COPY is more appropriate than ADD.
– lependu Nov 20 at 7:58
Thanks for the COPY, it's good advice indeed. The issue doesn't come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
– VincentSerpoul Nov 20 at 8:59
answered Nov 20 at 7:13
lependu
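The comment thread ends at the real cause: the file under /run/secrets is mounted after the image is built, so the chown in the answer never touches it, and the "Permission denied (os error 13)" comes from the owner and mode bits the mounted file actually carries. The script below is an added example (not code from the question, the answer or the parity image) that reproduces the kernel's owner/group/other read check for a file as seen by a given numeric uid and primary gid, so you can run it as root inside the container against /run/secrets/authority.priv.json (or on the host against the source file) and see exactly which permission class blocks uid 1000. It assumes GNU stat (Linux containers) and ignores supplementary groups; the 0600 and 0440 sample files at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from the question, the answer or the parity image.
# can_read_as FILE UID GID
#   Reproduce the kernel's owner/group/other read check for FILE as seen by a
#   process running with numeric UID and primary GID, print what was found,
#   and return 0 (readable), 1 (not readable) or 2 (stat failed).
# Assumes GNU stat (Linux containers). Supplementary groups are not
# consulted, so the verdict is for the primary gid only.
can_read_as() {
    file=$1; uid=$2; gid=$3
    info=$(stat -c '%u %g %a' "$file" 2>/dev/null) || return 2
    set -- $info
    owner=$1; group=$2
    mode=$(printf '%03d' "$3")      # e.g. 600, 444, or 4755 with setuid
    mode=${mode#"${mode%???}"}      # keep only the three rwx digits
    u=${mode%??}; o=${mode#??}; g=${mode#?}; g=${g%?}
    if [ "$uid" -eq 0 ]; then
        verdict=readable; why='uid 0 is not subject to mode bits'
    elif [ "$uid" -eq "$owner" ]; then
        # the owner class applies even when group/other would be more permissive
        if [ $(( $u & 4 )) -ne 0 ]; then verdict=readable; else verdict='not readable'; fi
        why="uid matches owner, owner bits=$u"
    elif [ "$gid" -eq "$group" ]; then
        if [ $(( $g & 4 )) -ne 0 ]; then verdict=readable; else verdict='not readable'; fi
        why="gid matches group, group bits=$g"
    else
        if [ $(( $o & 4 )) -ne 0 ]; then verdict=readable; else verdict='not readable'; fi
        why="neither owner nor group, other bits=$o"
    fi
    printf '%s: owner=%s group=%s mode=%s -> %s for uid=%s gid=%s (%s)\n' \
        "$file" "$owner" "$group" "$mode" "$verdict" "$uid" "$gid" "$why"
    [ "$verdict" = readable ]
}

# Stand-alone demo with a constructed secret file: a host-side key file
# created as 0600 by whoever ran docker compose, checked for the in-container
# uid/gid 1000 from the question, then after making it group-readable.
demo_secret=$(mktemp)
chmod 600 "$demo_secret"
can_read_as "$demo_secret" 1000 1000 || true
chmod 440 "$demo_secret"
can_read_as "$demo_secret" 1000 "$(id -g)" || true
rm -f "$demo_secret"
```

Running the check inside the container (for example through `docker-compose exec <service> sh`) shows whether /run/secrets/authority.priv.json is root-owned 0600, which is what a plain docker-compose setup without swarm produces: there the secret is a bind mount of the host file and the uid, gid and mode keys in the compose file are not applied, so the fix is on the host file (make it readable by a group the container user belongs to, e.g. 0440, rather than 0444 or 0777 for everyone). Under `docker stack deploy` in swarm mode those compose keys are honoured and uid 1000 with mode 0400 is the tight setting. For the Kubernetes bonus question, secret volume files are created with `defaultMode` (0644 unless you lower it) and `fsGroup` in the pod securityContext sets their group, so a non-root container user can read them without running as root.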