Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

User cannot read password file #8

Open
ryanlovett opened this issue May 7, 2015 · 10 comments
Open

User cannot read password file #8

ryanlovett opened this issue May 7, 2015 · 10 comments

Comments

@ryanlovett
Copy link
Collaborator

With the caveat that I'm very new to docker...

Inside the container, /certificates is owned by the uid of the user who created $(pwd)/certificates on the host. When the container runs with the "ca" parameter, uid=1000 (hagrid) expects to be able to have access to /certificates/password. Since the file's owner on the host is not uid 1000, "${KEYMASTER} ca" fails:

host$ $ docker -v
Docker version 1.6.0, build 4749651
host$ ${KEYMASTER} ca
cat: /certificates/password: Permission denied
host$ docker run -it --rm -v $(pwd)/certificates/:/certificates/ cloudpipe/keymaster /bin/bash
hagrid@string:$ ls -l /certificates/password
-rw------- 1 2354 2354 175 May 7 00:08 password
hagrid@string:
$ id
uid=1000(hagrid) gid=1000(hagrid) groups=1000(hagrid)

@gngdb
Copy link

gngdb commented Aug 6, 2015

Immediately hit this exact problem. Guessing the fix is to make a derivative image where the permissions are fixed?

@ramdhanyk
Copy link

Hi @ryanlovett / @gngdb,

I am facing the same issue. Were you able to resolve this issue? If you did, any guidance is appreciated.

@ryanlovett
Copy link
Collaborator Author

Yeah, I ended up forking at https://github.com/ryanlovett/keymaster.

@ramdhanyk
Copy link

Thanks for the message. I will use your fork. You should probably send a pull request.

On Nov 17, 2015, at 1:35 PM, Ryan Lovett [email protected] wrote:

Yeah, I ended up forking at https://github.com/ryanlovett/keymaster https://github.com/ryanlovett/keymaster.


Reply to this email directly or view it on GitHub #8 (comment).

@rgbkrk
Copy link
Member

rgbkrk commented Nov 17, 2015

If you want to roll with a PR @ryanlovett, I'd be happy to add you as a maintainer on github.com/cloudpipe/keymaster as well as give you access to the Docker Hub image.

@rgbkrk
Copy link
Member

rgbkrk commented Nov 17, 2015

Our reasoning on using a particular non-root user was before we had real Linux namespaces (as will be in coming releases of Docker). I'm comfortable with your changes @ryanlovett.

@ryanlovett
Copy link
Collaborator Author

Thanks for reviewing the changes. Before anything gets pushed to cloudpipe, I think I need to check with @jhamrick to make sure my changes don't mess things up for her. I think this comment will ping her?

@jhamrick
Copy link
Collaborator

Looks fine to me! I don't think it will cause any problems on my end.

@ryanlovett
Copy link
Collaborator Author

@ramdhanyk

The instructions below should work, but let me know if there is a a
problem. Make sure to start with a clean git clone.

git clone https://github.com/ryanlovett/keymaster
cd keymaster/
docker build -t somename .
mkdir certificates
KEYMASTER="docker run --rm -v $(pwd)/certificates/:/certificates/ somename"
${KEYMASTER} mkpassword
${KEYMASTER} ca
${KEYMASTER} signed-keypair -n service1 -h service1.host.com
...

Ryan

@ramdhanyk
Copy link

Ryan,

Thanks for the message. I was able to get it to work. Thanks a lot for your help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants