User and group owner variables are being ignored? #40

Closed
rfgamaral opened this issue Jan 19, 2019 · 5 comments

Comments

@rfgamaral

commented Jan 19, 2019

I've tried to set both the environment variable CERTS_USER_OWNER and CERTS_GROUP_OWNER to docker:users but it didn't do anything, the archive and live folders, along with the cert files inside them were still created with root:root.

I've also tried the corresponding docker and users IDs instead of the strings but it also didn't work...

drwxrwxrwx+ 1 root  root  72 Jan 19 23:20 accounts/
drwxr-x---  1 root  root  28 Jan 19 23:22 archive/
drwxrwxrwx+ 1 root  root  40 Jan 19 23:20 csr/
drwxrwxrwx+ 1 root  root  40 Jan 19 23:20 keys/
drwxr-x---  1 root  root  40 Jan 19 23:22 live/
drwxrwxrwx+ 1 root  root  38 Jan 19 23:22 renewal/
drwxrwxrwx+ 1 root  root  26 Jan 19 23:20 renewal-hooks/
-rwxrwxrwx+ 1 admin users 32 Jan 19 12:54 domains.conf*
-rwxrwxrwx+ 1 admin users 90 Jan 19 13:01 lexicon_cloudflare.yml*

Am I doing something wrong?

@adferrand

Owner

commented Jan 20, 2019

Did you set CERTS_USER_OWNER=docker:users or CERTS_USER_OWNER=docker and CERTS_GROUP_OWNER=users ?

Because in the first case, yes it will fail to set the permissions appropriately. The second case is working from what I see in my tests.

If it is not what you observe while using the second case, could you provide me with the container log when it starts?

@rfgamaral

Author

commented Jan 21, 2019

The second one...

Here's how I've created my container:

docker run \
    --name letsencrypt-dns \
    --volume /volume1/docker/applications/letsencrypt/domains.conf:/etc/letsencrypt/domains.conf \
    --volume /volume1/docker/applications/letsencrypt:/etc/letsencrypt \
    --env 'LETSENCRYPT_USER_MAIL=REDACTED' \
    --env 'LETSENCRYPT_STAGING=true' \
    --env 'LEXICON_PROVIDER=cloudflare' \
    --env 'LEXICON_CLOUDFLARE_USERNAME=REDACTED' \
    --env 'LEXICON_CLOUDFLARE_TOKEN=REDACTED' \
    --env 'CERTS_USER_OWNER=docker' \
    --env 'CERTS_GROUP_OWNER=users' \
    adferrand/letsencrypt-dns

I get this in the log at startup:

chown: unknown user/group docker:users

Certificates are then successfully generated and placed both in archive and live, but with root:root:

total 4.0K
drwxrwxrwx+ 1 admin users 116 Jan 21 11:34 ./
drwxrwxrwx+ 1 admin users 108 Jan 21 11:28 ../
drwxrwxrwx+ 1 root  root   72 Jan 21 11:33 accounts/
drwxr-x---  1 root  root   28 Jan 21 11:34 archive/
drwxrwxrwx+ 1 root  root   40 Jan 21 11:33 csr/
drwxrwxrwx+ 1 root  root   40 Jan 21 11:33 keys/
drwxr-x---  1 root  root   40 Jan 21 11:34 live/
drwxrwxrwx+ 1 root  root   38 Jan 21 11:34 renewal/
drwxrwxrwx+ 1 root  root   26 Jan 21 11:33 renewal-hooks/
-rwxrwxrwx+ 1 admin users  32 Jan 21 11:28 domains.conf*

If relevant, I'm running this inside a Synology NAS using:

docker --version
Docker version 17.05.0-ce, build 9f07f0e-synology

@adferrand

Owner

commented Jan 21, 2019

Indeed, docker and users are not known to the container. You will need to get their uid and gid from the host, and put the uid in CERTS_USER_OWNER and the gid in CERTS_GROUP_OWNER.

Can you do that with the config you posted, and give me back the result and logs?
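The failure mode in this thread, as an added example that is not part of the adferrand/letsencrypt-dns image: a small POSIX shell helper that resolves the CERTS_USER_OWNER and CERTS_GROUP_OWNER values against the container's own passwd and group databases, accepts numeric ids as-is (chown does not need a matching passwd entry for a numeric id), and refuses to continue when a name cannot be resolved, instead of letting chown fail on "unknown user/group" and leaving the private keys under live/ and archive/ owned by root:root as in the listing above. The passwd/group contents, the function names and the uid 1026 / gid 100 values are constructed for the example and are not taken from the project.

```shell
#!/bin/sh
# Added example, not the adferrand/letsencrypt-dns entrypoint.
# Resolves owner specs to numeric "uid:gid" using the container's view of
# the account databases, and fails loudly when a name is unknown there.

# Constructed stand-in for a minimal container's /etc/passwd and /etc/group:
# it has no "docker" user and no "users" group, which is the situation in
# the issue (those names only exist on the Synology host).
PASSWD_DB=$(mktemp)
GROUP_DB=$(mktemp)
trap 'rm -f "$PASSWD_DB" "$GROUP_DB"' EXIT
cat > "$PASSWD_DB" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/:/sbin/nologin
EOF
cat > "$GROUP_DB" <<'EOF'
root:x:0:
nogroup:x:65534:
EOF

# is_numeric VALUE -> success if VALUE is a non-empty string of digits
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# resolve_id NAME_OR_ID DBFILE -> prints the numeric id, or fails.
# A numeric spec is passed through unchanged; a name is looked up in the
# third field of the passwd-style DBFILE (uid or gid).
resolve_id() {
    spec=$1
    db=$2
    if is_numeric "$spec"; then
        printf '%s\n' "$spec"
        return 0
    fi
    num=$(awk -F: -v n="$spec" '$1 == n { print $3; found = 1 } END { exit !found }' "$db") || return 1
    printf '%s\n' "$num"
}

# resolve_owner USER GROUP -> prints "uid:gid", or fails with a message
# naming the variable that needs a numeric value instead of a host name.
resolve_owner() {
    uid=$(resolve_id "$1" "$PASSWD_DB") || {
        echo "CERTS_USER_OWNER=$1: no such user in the container, use the host uid" >&2
        return 1
    }
    gid=$(resolve_id "$2" "$GROUP_DB") || {
        echo "CERTS_GROUP_OWNER=$2: no such group in the container, use the host gid" >&2
        return 1
    }
    printf '%s:%s\n' "$uid" "$gid"
}

# Demonstration: the name form from the issue is rejected before any chown
# runs; the numeric form (constructed host ids 1026:100) is accepted.
resolve_owner docker users || echo "refusing to issue certificates with an unresolved owner" >&2
resolve_owner 1026 100   # prints 1026:100
```

On the Synology host the numbers to use come from the host's own databases, for example `id -u docker` for the user and `awk -F: '$1=="users"{print $3}' /etc/group` for the group. The shared volume is checked by numeric id by the host kernel, so those numbers, not the names, are what has to match the process on the host that will read the certificates.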

@rfgamaral

Author

commented Jan 21, 2019

Now it works... I swear I tested the UID and GID before (because I have many other containers that require that too) and it didn't work, but now it's all good. Sorry about the confusion and thanks for the help.

@rfgamaral rfgamaral closed this Jan 21, 2019

@adferrand

Owner

commented Jan 21, 2019

No problem. I will stay vigilant about this story about file permissions, as we could not find out whether there was a real flaw in the container or not.

Even if it is only about a misuse from your side, it adds arguments on my side to consider that I really need to refactor the container configuration to make it more readable.

And you're welcome!
