ryanlovett opened this issue 9 years ago
Immediately hit this exact problem. Guessing the fix is to make a derivative image where the permissions are fixed?
Hi @ryanlovett / @gngdb,
I am facing the same issue. Were you able to resolve this issue? If you did, any guidance is appreciated.
Yeah, I ended up forking at https://github.com/ryanlovett/keymaster.
Thanks for the message. I will use your fork. You should probably send a pull request.
On Nov 17, 2015, at 1:35 PM, Ryan Lovett notifications@github.com wrote:
> Yeah, I ended up forking at https://github.com/ryanlovett/keymaster.
If you want to roll with a PR @ryanlovett, I'd be happy to add you as a maintainer on github.com/cloudpipe/keymaster as well as give you access to the Docker Hub image.
Our reasoning on using a particular non-root user was before we had real Linux namespaces (as will be in coming releases of Docker). I'm comfortable with your changes @ryanlovett.
Thanks for reviewing the changes. Before anything gets pushed to cloudpipe, I think I need to check with @jhamrick to make sure my changes don't mess things up for her. I think this comment will ping her?
Looks fine to me! I don't think it will cause any problems on my end.
@ramdhanyk
The instructions below should work, but let me know if there is a problem. Make sure to start with a clean git clone.
```
git clone https://github.com/ryanlovett/keymaster
cd keymaster/
docker build -t somename .
mkdir certificates
KEYMASTER="docker run --rm -v $(pwd)/certificates/:/certificates/ somename"
${KEYMASTER} mkpassword
${KEYMASTER} ca
${KEYMASTER} signed-keypair -n service1 -h service1.host.com
...
```
Ryan
Ryan,
Thanks for the message. I was able to get it to work. Thanks a lot for your help.
With the caveat that I'm very new to docker...
Inside the container, /certificates is owned by the uid of the user who created $(pwd)/certificates on the host. When the container runs with the "ca" parameter, uid=1000 (hagrid) expects to be able to have access to /certificates/password. Since the file's owner on the host is not uid 1000, "${KEYMASTER} ca" fails:
```
host$ docker -v
Docker version 1.6.0, build 4749651
host$ ${KEYMASTER} ca
cat: /certificates/password: Permission denied
host$ docker run -it --rm -v $(pwd)/certificates/:/certificates/ cloudpipe/keymaster /bin/bash
hagrid@string:~$ ls -l /certificates/password
-rw------- 1 2354 2354 175 May 7 00:08 password
hagrid@string:~$ id
uid=1000(hagrid) gid=1000(hagrid) groups=1000(hagrid)
```
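To catch this mismatch before the `ca` step fails, here is an added shell snippet (not from the keymaster project or from anyone in this thread) that compares the owner of the bind-mounted directory with the uid the image runs as, and builds a `docker run` prefix with `--user` set to the host owner. It assumes a Linux host with GNU `stat`, and that the image's scripts do not depend on running as uid 1000 specifically.

```shell
#!/bin/sh
# Added example: preflight check for the uid mismatch described in this issue.
# The image runs as uid 1000 (hagrid); the host directory is owned by whoever ran mkdir.
IMAGE_UID=1000

# Numeric owner uid of a path (GNU stat; assumes a Linux host).
owner_uid() {
    stat -c '%u' "$1"
}

# Print "ok" when the directory owner matches the container uid, otherwise
# print the mismatch plus a remediation hint and return 1.
check_volume_owner() {
    dir=$1
    container_uid=$2
    host_uid=$(owner_uid "$dir") || return 2
    if [ "$host_uid" -eq "$container_uid" ]; then
        echo ok
        return 0
    fi
    echo "mismatch: $dir is owned by uid $host_uid, container user is uid $container_uid"
    echo "hint: run with --user $host_uid, or chown -R $container_uid $dir"
    return 1
}

# Build a docker run prefix whose container user matches the directory owner,
# so files created on either side stay readable to both. Mirrors the KEYMASTER
# variable from the thread with --user added (assumption: image tolerates it).
keymaster_cmd() {
    dir=$1
    image=$2
    printf 'docker run --rm --user %s -v %s:/certificates/ %s' \
        "$(owner_uid "$dir")" "$dir" "$image"
}

# Usage (constructed): check ./certificates against the image uid, then run.
if [ "${1:-}" = "--demo" ]; then
    mkdir -p certificates
    check_volume_owner "$(pwd)/certificates" "$IMAGE_UID" || true
    echo "$(keymaster_cmd "$(pwd)/certificates" somename) ca"
fi
```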