Permission denied on sqlite database when use TLS #114
Comments
|
Hi, |
github-actions
bot
added
needs/triage
Hey 👋🏻 I dont think it has anything to do with TLS. By default the database is owned by helm-charts/charts/crowdsec/values.yaml Lines 145 to 159 in 6bd1d20 So an example lapi:
# -- replicas for local API
replicas: 1
# -- environment variables from crowdsecurity/crowdsec docker image
env:
- name: GID
value: "2000"
# by default disable the agent because it only needs the local API.
#- name: DISABLE_AGENT
# value: "true"
# Allows you to load environment variables from kubernetes secret or config map
envFrom: []
# - secretRef:
# name: env-secret |
|
@LaurenceJJones Thank you for your interest in my request. I defined in the lapi environment a GID property of 2000 but I get this error : Indeed, we can see that variable is already defined in the template |
|
Can you share your full values.yaml please? |
|
Because if you using the official metabase image, it should use the same MGID |
|
my values.yaml : container_runtime: containerd
tls:
enabled: true
bouncer:
reflector:
namespaces: ["traefik"]
agent:
# Specify each pod whose logs we want to process
acquisition:
# The namespace where the pod is located
- namespace: traefik
# The pod name
podName: traefik-*
# as in crowdsec configuration, we need to specify the program name to find a matching parser
program: traefik
# Those are ENV variables
env:
- name: PARSERS
value: "crowdsecurity/cri-logs"
- name: COLLECTIONS
value: "crowdsecurity/traefik"
- name: DISABLE_PARSERS
value: "crowdsecurity/whitelists"
persistentVolume:
config:
enabled: false
lapi:
dashboard:
enabled: true
ingress:
host: dashboard.local
enabled: false
persistentVolume:
config:
enabled: false
env:
# If it's a test, we don't want to share signals with CrowdSec so disable the Online API.
- name: DISABLE_ONLINE_API
value: "true"
- name: GID
value: "2000" |
You can remove the GID stuff didnt know we set it for both containers. Once the LAPI is started if you exec in the container you dont see these permissions? |
|
Okay managed to replicate that enabling TLS does infact negate the permissions from updating which is really odd as there nothing depending, it must be a race condition the database is not there whilst the Running a Let me see if there a way round it. |
|
No, the permissions are : and sorry to insist but the problem does not occur when tls is not enabled. new install with same values.yaml except tls.enabled: false : |
Okay we tracked down the issue, so its not a race condition. When using TLS we dont need to add the machines to the database since when they authenticate with mTLS it will automatically create the database entry. Since we dont interact with the database, there is no database whilst the chown command runs. (Deleting the pod works as that files still exists and it works). So for now we will update crowdsec to run So your were right about the TLS stuff, it was just a mess to find where the exact problem was. We will merge and fix this for |
Hi,
I have noticed a issue with the dashboard when tls.enabled is set to true.
Environment
Helm chart : crowdsec
Helm chart version : 0.9.9
crowdsec-values.yaml:
Issue
In dashboard > Browse data > Cdrodsec > Alerts
[SQLITE_CANTOPEN] Unable to open the database file (unable to open database file)
Investigation
In Admin Settings > Databases > Crowdsec > Save changes
/metabase-data/crowdsec.db (Permission denied)
The dashboard is launched with the metabase user who does not have rights to the database file.
Change group ownership of the database file fixes the issue
The text was updated successfully, but these errors were encountered: