-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rootless HTTPs not working due to missing /data and /config permissions #287
Comments
Hey @tianon I hope you don't mind the ping, could you give us some pointers here? I'm not sure what the correct way to handle volumes that need write access as non-root, for official images. I didn't see any guidance about that in the https://github.com/docker-library/official-images README other than a mention of |
I had the same issue, but found a workaround. Earlier I saw #104 and decided to give it a go at rootless container user. My understanding is that the Dockerfile calls Lines 9 to 13 in bee0fa4
I use ansible to configure caddy and my workaround was to create all the folders that caddy uses beforehand with the user permissions that I wanted. (I had to roles/caddy/tasks/main.yml
NOTE: one interesting thing is that the logs folder isn't created in that for reference, this is the Dockerfile that I use roles/caddy/files/Dockerfile
|
Sorry for the delay 🙇 In other images, we've done something like root-owned 1777 ( In some other images, we've taken the approach that if a user wants to run as a non-default user, then it's their responsibility to ensure that their volume has appropriate permissions (although that's a somewhat less usable solution because it requires something like a k8s "init container" to accomplish in a generic way -- I really wish k8s and Docker would allow specifying ownership/permissions directly when creating/configuring volumes 🙊). |
A bit late, but I hope this helps. @tianon Content, ownership and permissions can be defined in volumes using Dockerfile only before they are created. You can use things like COPY and/with chmod/chown and the image that creates the volume will populate it with its definitions. @codeInTheShell For arbitrary accounts in existing volumes, you can try setting it first to root like 0:0, then exec into the container to do any chown that you need, and then switch to the new IDs. A temp root bastion container could be handy for that. Or an entrypoint script that calls a separate startup script and/or does not start the service if the user is root, but keeps the container running. Just to avoid root creating more files by running a complex service. In rootless mode, the daemon maps container user IDs to different host user IDs. The container root is the user running the daemon on the host. The user still has CHOWN capabilities though. So you can still fix permissions. |
This situation is a little unfortunate. I blame docker for not allowing specifying ownership for volumes. 😒 While still not ideal, the most simple workaround seems to be to add one more layer and pass in the
|
A documentation type deployment of caddy which runs as root with docker-compose (https://hub.docker.com/_/caddy) works with auto-ssl flawlessly.
If a docker deployment has the flag user set to 1000:1000 and a named volume is used instead of a local path the user permissions stay root. If a deployment has just user set to 1000:1000 but still uses local paths, the created directories will still have root permissions.
The only solution is to manually chown -R 1000:1000 either the docker volume _data/ directory or the local path.
Sample docker-compose.yaml
Unfortunately the below Dockerfile didn't help either.
The result is the same either way unless i manually chown -R it with the respective user and group id:
The text was updated successfully, but these errors were encountered: