
User and group owner variables are being ignored? #40

Closed
rfgamaral opened this issue Jan 19, 2019 · 5 comments

Comments

@rfgamaral

rfgamaral commented Jan 19, 2019

I've tried to set both the environment variable CERTS_USER_OWNER and CERTS_GROUP_OWNER to docker:users but it didn't do anything, the archive and live folders, along with the cert files inside them were still created with root:root.

I've also tried the corresponding docker and users IDs instead of the strings but it also didn't work...

drwxrwxrwx+ 1 root  root  72 Jan 19 23:20 accounts/
drwxr-x---  1 root  root  28 Jan 19 23:22 archive/
drwxrwxrwx+ 1 root  root  40 Jan 19 23:20 csr/
drwxrwxrwx+ 1 root  root  40 Jan 19 23:20 keys/
drwxr-x---  1 root  root  40 Jan 19 23:22 live/
drwxrwxrwx+ 1 root  root  38 Jan 19 23:22 renewal/
drwxrwxrwx+ 1 root  root  26 Jan 19 23:20 renewal-hooks/
-rwxrwxrwx+ 1 admin users 32 Jan 19 12:54 domains.conf*
-rwxrwxrwx+ 1 admin users 90 Jan 19 13:01 lexicon_cloudflare.yml*

Am I doing something wrong?

@adferrand
Owner

Did you set CERTS_USER_OWNER=docker:users, or CERTS_USER_OWNER=docker and CERTS_GROUP_OWNER=users?

Because in the first case, yes it will fail to set the permissions appropriately. The second case is working from what I see in my tests.

If that is not what you observe while using the second case, could you provide me the container log when it starts?

@rfgamaral
Author

The second one...

Here's how I've created my container:

docker run \
    --name letsencrypt-dns \
    --volume /volume1/docker/applications/letsencrypt/domains.conf:/etc/letsencrypt/domains.conf \
    --volume /volume1/docker/applications/letsencrypt:/etc/letsencrypt \
    --env 'LETSENCRYPT_USER_MAIL=REDACTED' \
    --env 'LETSENCRYPT_STAGING=true' \
    --env 'LEXICON_PROVIDER=cloudflare' \
    --env 'LEXICON_CLOUDFLARE_USERNAME=REDACTED' \
    --env 'LEXICON_CLOUDFLARE_TOKEN=REDACTED' \
    --env 'CERTS_USER_OWNER=docker' \
    --env 'CERTS_GROUP_OWNER=users' \
    adferrand/letsencrypt-dns

I get this in the log at startup:

chown: unknown user/group docker:users

Certificates are then successfully generated and placed both in archive and live, but with root:root:

total 4.0K
drwxrwxrwx+ 1 admin users 116 Jan 21 11:34 ./
drwxrwxrwx+ 1 admin users 108 Jan 21 11:28 ../
drwxrwxrwx+ 1 root  root   72 Jan 21 11:33 accounts/
drwxr-x---  1 root  root   28 Jan 21 11:34 archive/
drwxrwxrwx+ 1 root  root   40 Jan 21 11:33 csr/
drwxrwxrwx+ 1 root  root   40 Jan 21 11:33 keys/
drwxr-x---  1 root  root   40 Jan 21 11:34 live/
drwxrwxrwx+ 1 root  root   38 Jan 21 11:34 renewal/
drwxrwxrwx+ 1 root  root   26 Jan 21 11:33 renewal-hooks/
-rwxrwxrwx+ 1 admin users  32 Jan 21 11:28 domains.conf*

If relevant, I'm running this inside a Synology NAS using:

docker --version
Docker version 17.05.0-ce, build 9f07f0e-synology

@adferrand
Owner

Indeed, docker and users are not known to the container. You will need to get their uid and gid from the host, and put the uid in CERTS_USER_OWNER and the gid in CERTS_GROUP_OWNER.

Can you do that with the config you posted, and give me back the result and logs?
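What the answer above comes down to, as an added example that is not the project's own entrypoint code: a POSIX sh check that resolves CERTS_USER_OWNER and CERTS_GROUP_OWNER the way chown would inside the container (numeric ids pass through, names are looked up in the container's own /etc/passwd and /etc/group) and fails fast on a name the container does not know, instead of logging "chown: unknown user/group" and carrying on with root:root. The function names and the host-side helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the adferrand/letsencrypt-dns entrypoint.

# Print the uid for a user spec: numeric ids pass through unchanged, names are
# looked up in /etc/passwd (the same database chown consults in the container).
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) awk -F: -v n="$1" '$1 == n { print $3; found=1 } END { exit !found }' /etc/passwd ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Same for a group spec, against /etc/group.
resolve_gid() {
    case "$1" in
        ''|*[!0-9]*) awk -F: -v n="$1" '$1 == n { print $3; found=1 } END { exit !found }' /etc/group ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Combine both into the "uid:gid" string to hand to chown, or return 1 with a
# message naming the offending value so the caller can abort before any
# certificate is written (usage: resolve_owner_spec "$CERTS_USER_OWNER" "$CERTS_GROUP_OWNER").
resolve_owner_spec() {
    owner_uid=$(resolve_uid "$1") || {
        echo "CERTS_USER_OWNER '$1' is not known inside the container; pass the host uid instead" >&2
        return 1
    }
    owner_gid=$(resolve_gid "$2") || {
        echo "CERTS_GROUP_OWNER '$2' is not known inside the container; pass the host gid instead" >&2
        return 1
    }
    printf '%s:%s\n' "$owner_uid" "$owner_gid"
}

# Host-side helper (hypothetical): turn host names such as docker/users into
# the numeric --env flags, which mean the same thing inside any container
# regardless of its own /etc/passwd.
owner_env_flags() {
    host_uid=$(resolve_uid "$1") || return 1
    host_gid=$(resolve_gid "$2") || return 1
    printf '%s %s\n' "--env CERTS_USER_OWNER=$host_uid" "--env CERTS_GROUP_OWNER=$host_gid"
}
```

Run `owner_env_flags docker users` on the NAS to get the flags to paste into the docker run command.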

@rfgamaral
Author

Now it works... I swear I tested the UID and GID before (because I have many other containers that require that too) and it didn't work, but now it's all good. Sorry about the confusion and thanks for the help.

@adferrand
Owner

adferrand commented Jan 21, 2019

No problem. I will stay vigilant about this story about file permissions, as we could not find whether there was a real flaw in the container or not.

Even if it is only about a misuse from your side, it adds arguments on my side to consider that I really need to refactor the container configuration to make it more readable.

And you're welcome!
