docker secrets with non root user











up vote
0
down vote

favorite












I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


I tried different solutions in my docker compose:
1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
2. Settting the mode to 0444 and even 0777



But none of these have worked, only using root allows me to use these secrets.



Any idea?



Bonus question: will it be the same issue within kubernetes?



The dockerfile:



FROM parity/parity:v2.2.1
LABEL maintainer="vincent@serpoul.com"

# SAD but It seems impossible to read the secrets otherwise
USER root

VOLUME ["/home/parity/.local/share/io.parity.ethereum"]

ADD ./configPoANode.toml /home/parity/configPoANode.toml
ADD ./PoA.json /home/parity/PoA.json
ADD ./entrypoint.sh /home/parity/entrypoint.sh

ENTRYPOINT ["/home/parity/entrypoint.sh"]


appendix: repository (with user ROOT in the dockerfile):










share|improve this question




























    up vote
    0
    down vote

    favorite












    I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



    Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


    I tried different solutions in my docker compose:
    1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
    2. Settting the mode to 0444 and even 0777



    But none of these have worked, only using root allows me to use these secrets.



    Any idea?



    Bonus question: will it be the same issue within kubernetes?



    The dockerfile:



    FROM parity/parity:v2.2.1
    LABEL maintainer="vincent@serpoul.com"

    # SAD but It seems impossible to read the secrets otherwise
    USER root

    VOLUME ["/home/parity/.local/share/io.parity.ethereum"]

    ADD ./configPoANode.toml /home/parity/configPoANode.toml
    ADD ./PoA.json /home/parity/PoA.json
    ADD ./entrypoint.sh /home/parity/entrypoint.sh

    ENTRYPOINT ["/home/parity/entrypoint.sh"]


    appendix: repository (with user ROOT in the dockerfile):










    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



      Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


      I tried different solutions in my docker compose:
      1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
      2. Settting the mode to 0444 and even 0777



      But none of these have worked, only using root allows me to use these secrets.



      Any idea?



      Bonus question: will it be the same issue within kubernetes?



      The dockerfile:



      FROM parity/parity:v2.2.1
      LABEL maintainer="vincent@serpoul.com"

      # SAD but It seems impossible to read the secrets otherwise
      USER root

      VOLUME ["/home/parity/.local/share/io.parity.ethereum"]

      ADD ./configPoANode.toml /home/parity/configPoANode.toml
      ADD ./PoA.json /home/parity/PoA.json
      ADD ./entrypoint.sh /home/parity/entrypoint.sh

      ENTRYPOINT ["/home/parity/entrypoint.sh"]


      appendix: repository (with user ROOT in the dockerfile):










      share|improve this question















      I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it:



      Importing account from "/run/secrets/authority.priv.json" failed: Permission denied (os error 13)


      I tried different solutions in my docker compose:
      1. Setting the uid and gid to 1000 (uid/gid if the user inside the container)
      2. Settting the mode to 0444 and even 0777



      But none of these have worked, only using root allows me to use these secrets.



      Any idea?



      Bonus question: will it be the same issue within kubernetes?



      The dockerfile:



      FROM parity/parity:v2.2.1
      LABEL maintainer="vincent@serpoul.com"

      # SAD but It seems impossible to read the secrets otherwise
      USER root

      VOLUME ["/home/parity/.local/share/io.parity.ethereum"]

      ADD ./configPoANode.toml /home/parity/configPoANode.toml
      ADD ./PoA.json /home/parity/PoA.json
      ADD ./entrypoint.sh /home/parity/entrypoint.sh

      ENTRYPOINT ["/home/parity/entrypoint.sh"]


      appendix: repository (with user ROOT in the dockerfile):







      docker security docker-secrets






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 20 at 8:57

























      asked Nov 20 at 3:47









      VincentSerpoul

      155214




      155214
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer





















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53385930%2fdocker-secrets-with-non-root-user%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer





















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59















          up vote
          0
          down vote













          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer





















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59













          up vote
          0
          down vote










          up vote
          0
          down vote









          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.






          share|improve this answer












          This is because you are setting root user in the docker container and root owns all the monted volumes and files, not the parity user which I am not sure even exists.

          I would dothe following:



          Remove USER root from the dockerfile. It is root by default.



          Check if parity user even exists in the container.



          If not create it with the /home/parity directory.



          Mount the volume and files as you did.



          RUN chown -R parity:parity /home/parity gives the ownership of the newly created user.



          Then tell the container to use the newly created user by default with USER parity



          Add the entrypoint you might need to RUN chmod ug+x /home/parity/entrypoint.sh Which makes it executable for sure.



          You are good to go (hopefully), you don't need to set any user when running the container, with the line USER parity it will use the parity user by default.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 20 at 7:13









          lependu

          669314




          669314












          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59


















          • The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
            – VincentSerpoul
            Nov 20 at 7:50










          • Did you try to chown the added files?
            – lependu
            Nov 20 at 7:54












          • Also note that in this case i think COPY is more appropiate than ADD.
            – lependu
            Nov 20 at 7:58












          • Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
            – VincentSerpoul
            Nov 20 at 8:59
















          The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
          – VincentSerpoul
          Nov 20 at 7:50




          The user is actually parity by default (from the parent image). I wanted to keep it but this is my issue, it doesnt work, which is why i added the user root. User parity already exists and owns the home/parity folder and the entrypoint is already executable. Now the issue with all that is that the secret doesnt seem to be accessible by the user parity
          – VincentSerpoul
          Nov 20 at 7:50












          Did you try to chown the added files?
          – lependu
          Nov 20 at 7:54






          Did you try to chown the added files?
          – lependu
          Nov 20 at 7:54














          Also note that in this case i think COPY is more appropiate than ADD.
          – lependu
          Nov 20 at 7:58






          Also note that in this case i think COPY is more appropiate than ADD.
          – lependu
          Nov 20 at 7:58














          Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
          – VincentSerpoul
          Nov 20 at 8:59




          Thanks for the COPY, it's a good advice indeed. The issue doesnt come from the COPIED files but comes from the secrets that are mounted later on (mounted on /run/secrets).
          – VincentSerpoul
          Nov 20 at 8:59


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53385930%2fdocker-secrets-with-non-root-user%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          404 Error Contact Form 7 ajax form submitting

          How to know if a Active Directory user can login interactively

          TypeError: fit_transform() missing 1 required positional argument: 'X'