Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docker could not read CA certificate ca.pem permission denied #3083

Closed
brylor opened this Issue Aug 17, 2018 · 5 comments

Comments

Projects
None yet
4 participants
@brylor
Copy link

brylor commented Aug 17, 2018

docker could not read CA certificate ca.pem permission denied

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG

What happened:

I'm on ubuntu (sid) and using minikube v0.28.2, docker 17.06.2-ce (from snap)
I can start minikube with the kvm2 driver, I run eval $(minikube docker-env), but when I docker ps. I get:

could not read CA certificate "/home/hero/.minikube/certs/ca.pem": open /home/hero/.minikube/certs/ca.pem: permission denied. 

The perms look ok all the way down:

hero@hv1:~$ ls -lhad .minikube/
drwxrwxr-x 10 hero hero 4.0K Aug 17 14:46 .minikube/

hero@hv1:~$ ls -lhad .minikube/certs/
drwxrwxr-x 2 hero hero 4.0K Aug 17 14:44 .minikube/certs/

hero@hv1:~$ ls -lha .minikube/certs/ca.pem
-rw-rw-r-- 1 hero hero 1.1K Aug 17 14:44 .minikube/certs/ca.pem

What you expected to happen:

docker to connect to the minikube instance of docker

How to reproduce it (as minimally and precisely as possible):

  1. Install ubuntu
  2. install minikube via curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.28.2/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/
  3. install kvm2 driver via: curl -Lo docker-machine-driver-kvm2 https://storage.googleapis.com/minikube/releases/latest/docker-machine-driver-kvm2
  4. minikube start --vm-driver kvm2
  5. eval $(minikube docker-env)
  6. docker ps
    could not read CA certificate "/home/hero/.minikube/certs/ca.pem": open /home/hero/.minikube/certs/ca.pem: permission denied.
@tvansteenburgh

This comment has been minimized.

Copy link

tvansteenburgh commented Aug 17, 2018

I believe the problem here is that the docker snap is strictly confined, which means it can't read arbitrary locations on the file system. It can read the home directory, but only non-hidden files, which excludes dot-files, such as the .minikube directory in your example.

@brylor

This comment has been minimized.

Copy link
Author

brylor commented Aug 19, 2018

Hi @tvansteenburgh. Yes you are right, snap is being blocked by AppArmor.

I was able to resolve this by adding:

owner @{HOME}/.minikube/certs/* to: /var/lib/snapd/apparmor/profiles/snap.docker.docker, and then run: apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.docker.docker

docker ps is now happy:

hero@hv1:~$ docker ps
CONTAINER ID        IMAGE                                      COMMAND                  CREATED             STATUS              PORTS               NAMES
39b186b346f5        k8s.gcr.io/k8s-dns-sidecar-amd64           "/sidecar --v=2 --..."   44 minutes ago      Up 44 minutes                           k8s_sidecar_kube-dns-86f4d74b45-q74tw_kube-system_c708749e-a3da-11e8-a19f-e452b0928c7b_0
30280d9c5deb        k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64     "/dnsmasq-nanny -v..."   44 minutes ago      Up 44 minutes                           k8s_dnsmasq_kube-dns-86f4d74b45-q74tw_kube-system_c708749e-a3da-11e8-a19f-e452b0928c7b_0
10be502d9c0c        gcr.io/k8s-minikube/storage-provisioner    "/storage-provisioner"   44 minutes ago      Up 44 minutes                           k8s_storage-provisioner_storage-provisioner_kube-system_c8863e32-a3da-11e8-a19f-e452b0928c7b_0
09bb155312a5        k8s.gcr.io/kubernetes-dashboard-amd64      "/dashboard --inse..."   44 minutes ago      Up 44 minutes                           k8s_kubernetes-dashboard_kubernetes-dashboard-5498ccf677-w5vcb_kube-system_c868c565-a3da-11e8-a19f-e452b0928c7b_0
...

If I did this to best practice though is to be determined, I will try to funnel this to some Ubuntu/Snap folks. For now I will close this.

Thanks.

@brylor brylor closed this Aug 19, 2018

@dlbradford

This comment has been minimized.

Copy link

dlbradford commented Sep 25, 2018

Hi @brylor,

I tried to apply your fix above, and now Apparmor complains to me:
'AppArmor parser error for /var/lib/snapd/apparmor/profiles/snap.docker.docker in /var/lib/snapd/apparmor/profiles/snap.docker.docker at line 291: syntax error, unexpected TOK_END_OF_RULE, expecting TOK_MODE'

Maybe it is where I placed it? or some formatting I am not entering? I am new to this and any insight you could provide would be appreciated.

file snippet for context below:

Miscellaneous accesses

/dev/{,u}random w,
/etc/machine-id r,
/etc/mime.types r,
@{PROC}/ r,
@{PROC}/version r,
@{PROC}/version_signature r,
/etc/{,writable/}hostname r,
/etc/{,writable/}localtime r,
/etc/{,writable/}mailname r,
/etc/{,writable/}timezone r,
owner @{PROC}/@{pid}/cgroup r,
@{PROC}/@{pid}/io r,
owner @{PROC}/@{pid}/limits r,
owner @{HOME}/.minikube/certs/*,
owner @{PROC}/@{pid}/loginuid r,
@{PROC}/@{pid}/smaps r,
@{PROC}/@{pid}/stat r,
@{PROC}/@{pid}/statm r,
@{PROC}/@{pid}/status r,
@{PROC}/@{pid}/task/ r,

@dlbradford

This comment has been minimized.

Copy link

dlbradford commented Sep 25, 2018

Hi @brylor,

Disregard report above please. I don't really know why, but removing the line and restoring the file to the original state seems to have moved past this issue.

Sorry for the report.

@eric-burel

This comment has been minimized.

Copy link

eric-burel commented Nov 15, 2018

For absolute beginners / googlers like me the line to add is precisely:

owner @{HOME}/your-folder-that-fails r,

Eg in my case:

owner @{HOME}/.docker/machine/machines/** r,

** means any subfolder, * means any file. I met this issue after trying Docker Machine for the first time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.