portainer / agent

The Portainer agent
https://www.portainer.io
zlib License

support running the agent in a non root container #123

Open allentc opened 4 years ago

allentc commented 4 years ago

Attempting to run the agent with the docker run --user option causes the (non-edge mode) agent to fail with the following error:

[ERROR] [main,tls] [message: Unable to generate self-signed certificates] [error: open cert.pem: permission denied]

The error happens because the /app directory is not writable by an unprivileged user and the agent program attempts to generate a self-signed certificate and key into the /app directory.

The intent is to run the portainer/agent container with least privileges. The --user flag is supplied with an unprivileged UID and the docker group GID (for docker.sock, etc.). The --user flag actually works in the case of portainer/portainer because files are persisted in the /data volume, where permission to write as some unprivileged user can be arranged.

Perhaps the agent should follow the same pattern and write files to a /data volume as well.

deviantony commented 4 years ago

The agent has always been designed to be stateless (up to the recent arrival of Edge features).

I believe we can default to /data for certs even though we're not exposing any volume, this would keep the existing behavior and allow any user to persist the volume or provide a specific folder to work with.
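A sketch of the approach proposed above, added here as an example and not the agent's own code: the certificate directory (whatever flag or env var supplies it, /data by default) is probed for writability before anything is generated, so a container started with --user fails with the directory and UID named rather than a bare "open cert.pem: permission denied", and the private key is written owner-only. The function names and the SAN are assumptions made for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// checkWritable probes dir before any cert generation, so an unprivileged
// --user fails early with the directory and UID named (hypothetical helper).
func checkWritable(dir string) error {
	probe := dir + "/.writeprobe"
	if err := os.WriteFile(probe, nil, 0o600); err != nil {
		return fmt.Errorf("cert dir %q not writable by uid %d: %w", dir, os.Getuid(), err)
	}
	return os.Remove(probe)
}

// generateSelfSigned writes a one-year self-signed ECDSA P-256 pair into dir:
// cert.pem world-readable (0644), key.pem owner-only (0600).
func generateSelfSigned(dir string) error {
	if err := checkWritable(dir); err != nil {
		return err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{"portainer-agent"}, // constructed SAN for the example
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a fresh P-256 key
	if err := os.WriteFile(dir+"/cert.pem", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644); err != nil {
		return err
	}
	return os.WriteFile(dir+"/key.pem", pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}
```

With a /data volume mounted writable by the --user UID, the same container works whether or not it runs as root.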

la7eralus commented 3 months ago

I also hit the error in FCOS today. This is the compose part:

  portaineragent:
    #user: 1001:1001
    container_name: portaineragent
    image: portainer/agent:latest
    restart: always
    environment:
      - DOCKER_HOST=tcp://socketproxy:2375
    ports:
      - 9001:9001

It only works when the user option is commented out.

This is the initial error:

/main.go:314 > unable to generate self-signed certificates | error="open cert.pem: permission denied"

Real-Gecko commented 1 month ago

Same issue

Real-Gecko commented 1 month ago

/main.go:314 > unable to generate self-signed certificates | error="open cert.pem: permission denied"

OK, some update: if you're using userns-remap, the working dir for docker will be something like /var/lib/docker/165536.165536; you need to chown this dir recursively so it belongs to the remapped user, like chown -R 165536:165536 /var/lib/docker/165536.165536

Real-Gecko commented 1 month ago

Overall permissions after clean install with userns-remap look like this:

root@node-2:/var/lib/docker# ls -la
total 12
drwx--x---  3 root 165536 4096 Jul 27 20:29 .
drwxr-xr-x 46 root root   4096 Jul 27 18:07 ..
drwx--x--- 12 root 165536 4096 Jul 27 20:29 165536.165536
root@node-2:/var/lib/docker# cd 165536.165536/
root@node-2:/var/lib/docker/165536.165536# ls -la
total 52
drwx--x--- 12 root 165536 4096 Jul 27 20:29 .
drwx--x---  3 root 165536 4096 Jul 27 20:29 ..
drwx--x--x  4 root root   4096 Jul 27 20:29 buildkit
drwx--x---  2 root 165536 4096 Jul 27 20:29 containers
-rw-------  1 root root     36 Jul 27 20:29 engine-id
drwx------  3 root root   4096 Jul 27 20:29 image
drwxr-x---  3 root root   4096 Jul 27 20:29 network
drwx--x---  3 root 165536 4096 Jul 27 20:29 overlay2
drwx------  4 root root   4096 Jul 27 20:29 plugins
drwx------  2 root root   4096 Jul 27 20:29 runtimes
drwx------  2 root root   4096 Jul 27 20:29 swarm
drwx------  2 root root   4096 Jul 27 20:29 tmp
drwx-----x  2 root root   4096 Jul 27 20:29 volumes