Running as the nonroot user in docker breaks support for volumes #163
Comments
docker volume create name |
Here is the command that works for me.
The UID and GID of the user |
It appears this issue has been answered by the community. If you have any further questions please feel free to reach out and we will get back to you. |
I was tripped up by this one, and permissions problems showed up as errors such as In general, many docker images are not built with |
I was getting this error message:

```
cloudflared | 2021-09-13T17:17:30Z ERR Cannot check if origin cert exists at path /etc/cloudflared/cert.pem error="open /etc/cloudflared/cert.pem: permission denied" originCertPath=/etc/cloudflared/cert.pem
```

I managed to fix it (via ansible) using the following:

```yaml
- name: Create ~/.cloudflared
  become: true
  ansible.builtin.file:
    path: "/home/{{ lookup('env', 'USER') }}/.cloudflared"
    state: directory
    mode: '0755'
    owner: '65532'
    group: '65532'
  register: cloudflared_dir

- name: Move over cloudflared certificate
  become: true
  ansible.builtin.copy:
    src: "/Users/{{ lookup('env', 'USER') }}/.cloudflared/cert.pem"
    dest: "{{ cloudflared_dir.path }}"
    mode: preserve
    # Set owner/group of the cert file so it's accessible via cloudflared
    # This is the equivalent of:
    #   sudo chown 65532:65532 cert.pem
    #
    # https://github.com/cloudflare/cloudflared/issues/163#issuecomment-815893547
    # https://github.com/GoogleContainerTools/distroless/issues/443
    owner: '65532'
    group: '65532'
```

Hope that helps someone.
Thanks. But it's not accessible from the host itself.
This is a better solution.
User can read, write, and execute; other users can read and execute, but cannot write.
I'd say |
If you're using docker-compose, this is a handy little fix to this problem:

```yaml
---
version: '3.4'
services:
  cloudflared_chown:
    # https://github.com/cloudflare/cloudflared/issues/163
    # One-shot init container: chowns the named volume to the nonroot uid/gid
    # before cloudflared starts.
    image: privatebin/chown:1.34.1-musl-1.2.2-r3
    read_only: true
    command:
      - 65532:65532
      - /mnt
    volumes:
      - cloudflared_certs:/mnt
  cloudflared:
    image: cloudflare/cloudflared:$CLOUDFLARED_TAG
    restart: unless-stopped
    depends_on:
      - cloudflared_chown
    command: tunnel --no-autoupdate run
    volumes:
      - cloudflared_certs:/home/nonroot/.cloudflared/
    networks:
      - cloudflared
volumes:
  cloudflared_certs:
    driver: local
networks:
  # Referenced by the cloudflared service above; adjust to match your setup.
  cloudflared:
```

Then commands like |
Currently, docker mounts volumes as root, which restricts non-root users from accessing them. Ref: moby/moby#2259
There are 2 possible solutions:
chown the directory with the required user & group permissions, which will work around the access issue but may break scenarios where users are using different mount points in their setup.
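The failure every comment above describes is a plain Unix DAC check: the volume or bind mount is owned by the host user (or by root, for a fresh named volume), and the distroless `nonroot` user inside the image is uid/gid 65532, so it falls into the "other" class and gets whatever `cert.pem` grants to others. The following is an added example, not code from this thread or from cloudflared: a host-side preflight that models that check for an arbitrary uid:gid against the mode bits on disk and lists what the container would fail to open, so you find out before reading `permission denied` out of the container logs. The directory layout and certificate contents it builds are constructed; it ignores ACLs, capabilities and LSMs, which none of the setups in this thread rely on.

```python
#!/usr/bin/env python3
"""Preflight: would a container running as uid:gid (e.g. cloudflared's
distroless "nonroot" user, 65532:65532) be able to read this directory tree?

Added example for this thread; not part of cloudflared. Models the kernel's
owner/group/other class selection only (no ACLs, capabilities or LSMs)."""
import os
import stat
import tempfile
from pathlib import Path

NONROOT_UID = 65532  # "nonroot" user baked into distroless-based images
NONROOT_GID = 65532


def class_bits(mode, owner_uid, owner_gid, uid, gid):
    """Return (r, w, x) as seen by uid:gid for an inode with the given
    permission bits and ownership. Like the kernel, exactly one class is
    consulted: owner if uid matches, else group if gid matches, else other.
    Root bypasses r/w checks and needs any x bit set to execute/search."""
    if uid == 0:
        return True, True, bool(mode & 0o111)
    if owner_uid == uid:
        shift = 6
    elif owner_gid == gid:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def bits_for(path, uid, gid):
    """class_bits() for a real path (symlinks are followed, as open(2) would)."""
    st = os.stat(path)
    return class_bits(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gid)


def unreadable_paths(root, uid=NONROOT_UID, gid=NONROOT_GID):
    """Walk `root` and return the relative paths uid:gid could not open for
    reading. A directory without x (search) hides everything below it, so it
    is reported once and not descended. A directory with x but without r
    still lets a known file name such as cert.pem be opened, so it is not
    reported on its own."""
    root = Path(root)
    problems = []

    def walk(d, rel):
        _, _, x = bits_for(d, uid, gid)
        if not x:
            problems.append(rel or ".")
            return
        for child in sorted(d.iterdir()):
            crel = f"{rel}/{child.name}" if rel else child.name
            if child.is_dir() and not child.is_symlink():
                walk(child, crel)
            else:
                r, _, _ = bits_for(child, uid, gid)
                if not r:
                    problems.append(crel)

    walk(root, "")
    return problems


def demo():
    """Build a throwaway ~/.cloudflared lookalike owned by the current user
    (constructed data), check it as 65532:65532, then apply the weaker fix
    (o+r on the cert) and check again. Returns (before, after). The thread's
    preferred fix, chown 65532:65532, needs root and is modelled directly
    through class_bits() instead."""
    # If this host happens to run as 65532, check a different uid/gid so the
    # example still exercises the "other" class.
    uid = NONROOT_UID if os.getuid() != NONROOT_UID else NONROOT_UID + 1
    gid = NONROOT_GID if os.getgid() != NONROOT_GID else NONROOT_GID + 1
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / ".cloudflared"
        d.mkdir()
        d.chmod(0o755)  # traversable by everyone, like the ansible task above
        cert = d / "cert.pem"
        cert.write_bytes(b"-----BEGIN CERTIFICATE-----\n(constructed)\n"
                         b"-----END CERTIFICATE-----\n")
        cert.chmod(0o600)  # private to the host user: uid 65532 is "other"
        before = unreadable_paths(d, uid, gid)
        cert.chmod(0o644)  # world-readable: fixes the container, see note
        after = unreadable_paths(d, uid, gid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("unreadable as nonroot before fix:", before)
    print("unreadable as nonroot after fix: ", after)
```

Run it against the real directory with `unreadable_paths(Path.home() / ".cloudflared")` before starting the container. Note the two fixes are not equivalent: `chmod o+r cert.pem` makes the tunnel credential readable by every local user and every other container sharing that mount, whereas the `chown 65532:65532` used in the thread moves the file into the owner class for exactly the uid the image runs as and keeps it 0600. The trade-off mentioned in the issue still applies: after the chown, the host user can only read the file through root.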