-bash: line 1: /etc/passbolt/gpg/serverkey_private.asc: Permission denied

[emon5122]

Using Environment:

Kubernetes

Logs below:

wait-for.sh: waiting for mariadb:3306 without a timeout
wait-for.sh: mariadb:3306 is available after 0 seconds
==================================================================================
  Your entropy pool is low. This situation could lead GnuPG to not
  be able to create the gpg serverkey so the container start process will hang
  until enough entropy is obtained.
  Please consider installing rng-tools and/or virtio-rng on your host as the
  preferred method to generate random numbers using a TRNG.
  If rngd (rng-tools) does not provide enough or fast enough randomness you could
  consider installing haveged as a helper to speed up this process.
  Using haveged as a replacement for rngd is not recommended. You can read more
  about this topic here: https://lwn.net/Articles/525459/
==================================================================================
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key 68236480A2A41FA2 marked as ultimately trusted
gpg: directory '/var/lib/passbolt/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/var/lib/passbolt/.gnupg/openpgp-revocs.d/1A7A0E98BCA018B7B872E15C68236480A2A41FA2.rev'
-bash: line 1: /etc/passbolt/gpg/serverkey_private.asc: Permission denied

Not sure what is it asking for. Any help is appreciated.

[dlen]

Hi,

The entropy pool message is just a warning for old kernel before 5.15, it is a message to point users to documentation to understand why the automatic generation of the gpg server-key might be slow.

The error you face means you don't have permission to write the serverkey_private.asc apparently. Without more information on your deployment, we can't assess if this qualifies as a bug. How are you deploying to Kubernetes?

[emon5122]

Manifest below @dlen

apiVersion: apps/v1
kind: Deployment
metadata:
  generation: 1
  labels:
    app: passbolt
    app.kubernetes.io/instance: passbolt
  name: passbolt
  namespace: passbolt
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: passbolt
      tier: frontend
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: passbolt
        tier: frontend
    spec:
      containers:
        - command:
            - /usr/bin/wait-for.sh
            - '-t'
            - '0'
            - 'mariadb:3306'
            - '--'
            - /docker-entrypoint.sh
          env:
            - name: APP_FULL_BASE_URL
              valueFrom:
                configMapKeyRef:
                  key: APP_FULL_BASE_URL
                  name: passbolt-configmap
                  optional: false
            - name: DATASOURCES_DEFAULT_USERNAME
              valueFrom:
                secretKeyRef:
                  key: MYSQL_USER
                  name: passbolt-secret
                  optional: false
            - name: DATASOURCES_DEFAULT_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: MYSQL_PASSWORD
                  name: passbolt-secret
                  optional: false
            - name: DATASOURCES_DEFAULT_DATABASE
              valueFrom:
                configMapKeyRef:
                  key: DB_NAME
                  name: passbolt-configmap
                  optional: false
            - name: DATASOURCES_DEFAULT_HOST
              valueFrom:
                configMapKeyRef:
                  key: DB_HOST
                  name: passbolt-configmap
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_HOST
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_HOST
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_PORT
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_PORT
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_USERNAME
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_USERNAME
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_PASSWORD
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_TLS
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_TLS
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_DEFAULT_FROM
              valueFrom:
                secretKeyRef:
                  key: EMAIL_DEFAULT_FROM
                  name: passbolt-secret
                  optional: false
          image: 'passbolt/passbolt:latest-ce'
          imagePullPolicy: IfNotPresent
          name: passbolt
          ports:
            - containerPort: 80
              name: passbolt
              protocol: TCP
          resources:
            limits:
              cpu: '1'
              memory: 1Gi
            requests:
              cpu: 500m
              memory: 512Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/passbolt/gpg
              name: passbolt-gpg-persistent-storage
            - mountPath: /etc/passbolt/jwt
              name: passbolt-jwt-persistent-storage
      dnsPolicy: ClusterFirst
      nodeSelector:
        beta.kubernetes.io/arch: amd64
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      volumes:
        - name: passbolt-gpg-persistent-storage
          persistentVolumeClaim:
            claimName: passbolt-gpg
        - name: passbolt-jwt-persistent-storage
          persistentVolumeClaim:
            claimName: passbolt-jwt

[dlen]

Hi again!

This one is easy I think! Volumes in kubernetes are mounted as root:root so you need to provide permissions to www-data on you volume passbolt-gpg-persistent-storage.

There are many strategies to do this. You could use an init container or you could overwrite the entrypoint to make a chown before the container starts. Basically you need to chown the /etc/passbolt/gpg that is mounted as root by default. The permissions come from the volume passbolt-gpg-persistent-storage.

If you need more assistance on this I suggest you open an issue on our community forum https://community.passbolt.com

Hope it helps!

[emon5122]

Thanks, @dlen for the speedy response. Working like a charm with an init container. Sharing below if anyone ever faces the same issue.

      initContainers:
        - name: gpg-folder-permissions
          image: busybox
          command: ["sh", "-c", "chmod -R 777 /etc/passbolt/gpg"]
          volumeMounts:
            - name: passbolt-gpg-persistent-storage
              mountPath: /etc/passbolt/gpg

[garrettboone]

If this works, it is what @dlen was indicating:

command: ["sh", "-c", "chown -R www-data:www-data /etc/passbolt/gpg"]

[emon5122]

garrettboone unfortunately that didn't work for me. I was getting a crashbackloop maybe because there was no www-data user or group in that image. I knew giving 777 was not any good idea and especially for a password manager but I couldn't handle that better.

[garrettboone]

@emon5122 maybe user nginx?

[emon5122]

Yes @garrettboone, Perfect.

initContainers:
        - name: gpg-folder-permissions
          image: nginx
          command: ["bin/sh"]
          args: ["-c", "chown -R www-data:www-data /etc/passbolt/gpg"]
          volumeMounts:
            - name: passbolt-gpg-persistent-storage
              mountPath: /etc/passbolt/gpg