Running as the nonroot user in docker breaks support for volumes #163

Closed
darthShadow opened this issue Dec 27, 2019 · 9 comments

@darthShadow

Currently, docker mounts volumes as root which restricts non-root users from accessing them. Ref: moby/moby#2259

There are 2 possible solutions:

  • Remove the non-root user line from the Dockerfile
  • Create the mount point beforehand and chown the directory with the required user & group permissions, which will work around the access issue but may break scenarios where users are using different mount points in their setup.
@chenlei-2468

chenlei-2468 commented Jan 7, 2020

docker volume create name
/var/lib/docker/volumes update other user?

@mw866

mw866 commented Apr 8, 2021

  • Create the mount point beforehand and chown the directory with the required user & group permissions, which will work around the access issue but may break scenarios where users are using different mount points in their setup.

Here is the command that works for me.

sudo chown 65532:65532 cert.pem

The UID and GID of the user nonroot are defined in the base image distroless. See GoogleContainerTools/distroless#443

@abelinkinbio
Contributor

It appears this issue has been answered by the community. If you have any further questions please feel free to reach out and we will get back to you.

@leojonathanoh

I was tripped up by this one, and permissions problems showed up as errors such as Tunnel credentials file '/root/.cloudflared/c5dc64e5-9b1d-4948-a4f1-6260dbc68954.json' doesn't exist or is not a file. But spinning up an alpine container in place showed the file existed. So the application showed a wrong error message that was confusing.

In general, many docker images are not built with USER because of potential hiccups it would cause for a new user of the image who expects a simple docker run command to work out of the box. It would be better if the base image was one which did not lock the USER to nonroot by default.

@domharrington

I was getting this error message:

cloudflared    | 2021-09-13T17:17:30Z ERR Cannot check if origin cert exists at path /etc/cloudflared/cert.pem error="open /etc/cloudflared/cert.pem: permission denied" originCertPath=/etc/cloudflared/cert.pem

I managed to fix it (via ansible) using the following:

- name: Create ~/.cloudflared
  become: true
  ansible.builtin.file:
    path: "/home/{{ lookup('env', 'USER') }}/.cloudflared"
    state: directory
    mode: '0755'
    owner: '65532'
    group: '65532'
  register: cloudflared_dir

- name: Move over cloudflared certificate
  become: true
  ansible.builtin.copy:
    src: "/Users/{{ lookup('env', 'USER') }}/.cloudflared/cert.pem"
    dest: "{{ cloudflared_dir.path }}"
    mode: preserve
    # Set owner/group of the cert file so it's accessible via cloudflared
    # This is the equivalent of:
    # sudo chown 65532:65532 cert.pem
    #
    # https://github.com/cloudflare/cloudflared/issues/163#issuecomment-815893547
    # https://github.com/GoogleContainerTools/distroless/issues/443
    owner: '65532'
    group: '65532'

Hope that helps someone.

@haneef95

haneef95 commented Nov 9, 2021

  • Create the mount point beforehand and chown the directory with the required user & group permissions, which will work around the access issue but may break scenarios where users are using different mount points in their setup.
sudo chown 65532:65532 cert.pem

Thanks.

But, not accessible from the host itself

@AntonyLeons

AntonyLeons commented Mar 16, 2022

This is a better solution.

sudo chmod -R 755 .cloudflared

User can read, write, and execute; other users can read and execute, but cannot write.

@wb14123

wb14123 commented Jun 19, 2022

I'd say sudo chmod -R 755 .cloudflared is a more dangerous option. If the cert is leaked the connection is not safe anymore.
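The chown-to-65532 fix above and the chmod -R 755 shortcut that wb14123 objects to are two sides of the same file-mode problem, so here is an added host-side audit (example code, not part of cloudflared or this thread) that walks a directory about to be bind-mounted and flags both: entries the distroless nonroot user (UID/GID 65532, as cited from GoogleContainerTools/distroless#443) could not read, and secrets left world-readable. It assumes a bind mount, where the container sees host UIDs unchanged, and builds its own constructed sample tree; named volumes populated by a helper container are not covered.

```python
"""Audit a host directory about to be mounted into the cloudflared container
for the two failure modes in this thread: entries the distroless 'nonroot'
user (UID/GID 65532) cannot read, and secrets left world-readable by a
blanket chmod -R 755. Added example; the sample tree is constructed."""
import os
import stat
import tempfile

NONROOT_UID = 65532  # see GoogleContainerTools/distroless#443
NONROOT_GID = 65532

def audit_entry(path, uid=NONROOT_UID, gid=NONROOT_GID):
    """Return a list of findings for one file or directory."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    is_dir = stat.S_ISDIR(st.st_mode)
    # rwx triplet that applies to the container user (owner, group or other);
    # a bind mount keeps host UIDs, so ownership must match 65532 exactly.
    shift = 6 if st.st_uid == uid else 3 if st.st_gid == gid else 0
    bits = (mode >> shift) & 0o7
    need = 0o5 if is_dir else 0o4  # directories need r+x to be traversed
    findings = []
    if bits & need != need:
        findings.append("unreadable by uid %d (owner %d, mode %o)" % (uid, st.st_uid, mode))
    if not is_dir and mode & stat.S_IROTH:
        findings.append("world-readable secret (mode %o)" % mode)
    return findings

def audit_tree(root, uid=NONROOT_UID, gid=NONROOT_GID):
    """Map root and every path below it to its findings."""
    report = {root: audit_entry(root, uid, gid)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            report[p] = audit_entry(p, uid, gid)
    return report

def build_sample_dir():
    """Constructed ~/.cloudflared look-alike: cert.pem after chmod -R 755 (0644), tunnel credentials still 0600."""
    d = tempfile.mkdtemp(prefix="cloudflared-audit-")
    os.chmod(d, 0o755)
    for name, mode in (("cert.pem", 0o644), ("tunnel.json", 0o600)):
        p = os.path.join(d, name)
        open(p, "w").close()  # placeholder content, constructed for the demo
        os.chmod(p, mode)
    return d

if __name__ == "__main__":
    for path, issues in sorted(audit_tree(build_sample_dir()).items()):
        print(path, issues or "ok")
```

Run it against the real directory with audit_tree(os.path.expanduser("~/.cloudflared")) before starting the container; an empty list for every path means 65532 can read it and nothing is exposed to other local users.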

@sam-6174

If you're using docker-compose, this is a handy little fix to this problem:

---
version: '3.4'

services:
  cloudflared_chown:
    # https://github.com/cloudflare/cloudflared/issues/163
    image: privatebin/chown:1.34.1-musl-1.2.2-r3
    read_only: true
    command:
      - 65532:65532
      - /mnt
    volumes:
      - cloudflared_certs:/mnt
  cloudflared:
    image: cloudflare/cloudflared:$CLOUDFLARED_TAG
    restart: unless-stopped
    depends_on:
      - cloudflared_chown
    command: tunnel --no-autoupdate run
    volumes:
      - cloudflared_certs:/home/nonroot/.cloudflared/
    networks:
      - cloudflared
volumes:
  cloudflared_certs:
    driver: local
networks:
  # Declared here because the cloudflared service references it above;
  # compose rejects a service network that has no top-level definition.
  cloudflared:

Then commands like docker-compose run --rm cloudflared tunnel login will "just work."
