spurin / diveintoansible-lab

Dive Into Ansible Lab

Unable to deploy ssh public key to root in Docker Compose #100

Closed erickvd closed 2 months ago

erickvd commented 2 years ago

Hello, I installed Docker Desktop and started the Lab installation.

Following the tutorial to deploy the ssh key to every host, I encountered a problem with root. The command gets a "permission denied".

I started to investigate.

I did a single connection to ubuntu-c as root. Right away I saw this:

ubuntu-c login: root
Password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.10.104-linuxkit x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

-bash: /root/.bash_profile: Permission denied
root@ubuntu-c:~#

Error on .bash_profile? Let's see the permissions:

root@ubuntu-c:~# ls -la
ls: cannot open directory '.': Permission denied
root@ubuntu-c:~#

Let's go deeper and check the permissions on /root:

root@ubuntu-c:~# ls -ld /root
drwx------ 2 nobody nogroup 4096 Jun 27 07:34 /root
root@ubuntu-c:~#

OK, sure, that's not really good, but it should be easily recoverable via a chown:

root@ubuntu-c:~# chown root:root /root
chown: changing ownership of '/root': Operation not permitted
root@ubuntu-c:~#

Hmmmmm... OK. I don't know how I can solve this. Let's try to update the images:

$ docker compose pull
[+] Running 9/9
 ⠿ ubuntu2 Pulled   2.5s
 ⠿ centos2 Pulled   2.5s
 ⠿ centos3 Pulled   2.4s
 ⠿ centos1 Pulled   2.6s
 ⠿ ubuntu3 Pulled   2.3s
 ⠿ ubuntu1 Pulled   2.4s
 ⠿ ubuntu-c Pulled  2.4s
 ⠿ portal Pulled    2.6s
 ⠿ docker Pulled

Same problem. I also looked into the Preferences of Docker Compose but I didn't find anything which might explain my problem.

Could you please help me?

erickvd commented 2 years ago

I think the problem is related to the way filesystems are generated and provided to the docker containers.

In $ANSIBLE_HOME, there is a folder for each host. Inside a host folder, I can find ansible and root. Those 2 folders are provided to Docker. But root is owned by root, with permissions restricted to root. This seems quite logical in a physical environment. But here, we are working as a single user starting Docker or Docker Desktop, and this user will never have access to the root folder (permissions: root:root 0700), so Docker is unable to provide access to the folder, although the entry will still be there when running the container.

spurin commented 2 years ago

Hi @erickvd

Are you able to look through the preferences and share screenshots of anything that is filesystem related?

erickvd commented 2 years ago

Do you mean the preferences in Docker Desktop? I don't have a lot of settings concerning shares, but here they are.

[screenshots: DD-Resources-Advanced, DD-Resources-FileSharing]

erickvd commented 2 years ago

I did a quick test:

  1. On the host machine:

    eric@vid-enc:~$ cd Documents/Formations/dive-into-ansible/diveintoansible-lab/ansible_home/centos1
    eric@vid-enc:~/Documents/Formations/dive-into-ansible/diveintoansible-lab/ansible_home/centos1$ sudo chown eric:eric root/
    [sudo] Mot de passe de eric :         
    eric@vid-enc:~/Documents/Formations/dive-into-ansible/diveintoansible-lab/ansible_home/centos1$ cd root/
    eric@vid-enc:~/Documents/Formations/dive-into-ansible/diveintoansible-lab/ansible_home/centos1/root$ ls -la
    total 12
    drwx------ 3 eric eric 4096 jui  4 09:50 .
    drwxr-xr-x 4 root root 4096 jun 27 09:35 ..
  2. I then restarted the container centos1 and connected to it with docker exec -it centos1 /bin/login

  3. First of all, there was no more error message about .bash_profile.

  4. I created a hidden test folder:

    [root@centos1 ~]# ls -la
    total 12
    drwx------ 3 root root 4096 Jul  4 07:59 .
    drwxr-xr-x 1 root root 4096 Jul  4 06:33 ..
    drwxr-xr-x 2 root root 4096 Jul  4 07:59 .test
  5. I then checked back on the host:

    eric@vid-enc:~/Documents/Formations/dive-into-ansible/diveintoansible-lab/ansible_home/centos1$ ls -la root/
    total 16
    drwx------ 3 eric eric 4096 jui  4 10:00 .
    drwxr-xr-x 4 root root 4096 jun 27 09:35 ..
    -rw------- 1 eric eric   51 jui  4 10:00 .bash_history
    drwxr-xr-x 2 eric eric 4096 jui  4 09:59 .test

So, as far as I understand, there is no need to make OS[1-3]/root owned by root. Docker will mount it the appropriate way.

brpacecar commented 1 year ago

I had the same issue but was able to figure out the cause. I'll explain in case you had the same situation.

I am running Ubuntu 22.04 on my desktop. After I cloned the repo I brought up the environment with docker-compose using Docker Engine (not Docker Desktop). Later I found that there was an issue which caused my graphical environment to crash anytime the CentOS containers started (see issue #94). Seeing the cause of the issue there, I installed Docker Desktop and continued using that using the ansible_home directories that had already been created.

The problem is that when the ansible_home directory was created with Docker Engine, the permissions for it were set to root. This is normal when running a container directly with Docker Engine and the container creates the directory. When switching to Docker Desktop, the containers can no longer read the directory. This is because the directories are mapped to the docker VM, then to the container from within the docker VM (not positive but I think that is right). The VM cannot read the directory because your user cannot read it.

The solution for me was to drop the containers, remove the repository, re-clone and start over. I have not had issues since. You might be able to fix it without re-cloning by dropping the containers (docker-compose down), fixing the ownership of the ansible_home directory and all beneath it, then bringing the containers back up.
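The ownership check and recovery sequence described in this thread, as an added example (not code from the issue or from the lab repository); it assumes the lab layout of one `<ansible_home>/<host>/root` directory per container and that `docker compose` (v2) is in use:

```shell
#!/bin/sh
# Added example, not part of the diveintoansible-lab repository.
# Audits the host-side bind-mount sources under ansible_home so that a
# root-owned root/ directory (left behind by Docker Engine) is caught
# before Docker Desktop's VM fails to read it.

# check_lab_home <ansible_home> [expected_uid]
# Prints one line per <host>/root directory that is not owned by
# expected_uid (default: the invoking user); returns 1 if any were found.
check_lab_home() {
    home="$1"
    want="${2:-$(id -u)}"
    bad=0
    for d in "$home"/*/root; do
        [ -d "$d" ] || continue
        # GNU stat (Linux) first, BSD stat (macOS) as the fallback
        have=$(stat -c '%u' "$d" 2>/dev/null || stat -f '%u' "$d")
        if [ "$have" != "$want" ]; then
            echo "$d: owned by uid $have, expected uid $want"
            bad=1
        fi
    done
    return "$bad"
}

# fix_lab_home <lab_dir>
# The recovery sequence from the thread: stop the containers, give the
# invoking user ownership of everything under ansible_home, start again.
# Run it from the cloned lab directory; it only touches ansible_home.
fix_lab_home() {
    lab="$1"
    home="$lab/ansible_home"
    if check_lab_home "$home"; then
        echo "ansible_home ownership already correct"
        return 0
    fi
    (cd "$lab" && docker compose down)
    sudo chown -R "$(id -u):$(id -g)" "$home"
    (cd "$lab" && docker compose up -d)
}

# Stand-alone use: sh audit.sh <ansible_home>   (report only, no changes)
if [ "$#" -gt 0 ]; then
    check_lab_home "$1"
fi
```

Run the audit after `docker compose down` and before switching between Docker Engine and Docker Desktop; a non-zero exit means at least one host's root/ directory would be unreadable from the VM.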

spurin commented 2 months ago

Thanks all for the comments and feedback; cleaning up past issues, so closing this.