Adding SSL Certs via mounted volume causing permissions issue - postgresql

In my docker-compose.yml, I'm using the following to mount SSL certs into my container:
- ./certs:/var/lib/postgresql/certs
The ./certs folder and everything within it is owned by root locally.
However, upon starting the container, I receive:
2022-08-26 20:04:40.623 UTC [1] FATAL: could not load server certificate file "/var/lib/postgresql/certs/db.crt": Permission denied
Updating the permissions locally to anything else (777,755, etc..) results in a separate error:
FATAL: private key file "/var/lib/postgresql/certs/postgresdb.key" has group or world access
I realize I can copy the certs via my Dockerfile, but I'd rather not have to build a new image each time I want to change certificates. What is the best way to go about handling this?

Change the ownership of the certs to the user that's used inside the container, before you start the container.
You need to double-check the id of the user, since you didn't show what image you run. Below is an example.
sudo chmod -R 400 ./certs
sudo chown -R 5432:5432 ./certs
Alternatively, you can run the container with your local user ID. I only recommend this for development purpose.
docker run --user "$(id -u)" postgres
In that case, also make sure your local user has permissions on the certs dir.

Related

Error: EACCES: permission denied, only in VSCode using Remote SSH

I can find plenty of references to this error, but they all point to permission issues, however my permissions appear to be fine as I can modify this folder using nano and SSH.
I'm trying to use RemoteSSH with a custom user account, user
The server is running Debian 11 and nginx
I have key based auth and I connect to the server. When I try to create or remove a file in the web folder (/var/www/html) I get this error message Error: EACCES: permission denied, <what I was trying to do, i.e. rename a file, or delete a file>
I can do all of these things using a standard SSH connection (openSSH built in to Windows 10)
The owner of /var/www/ is set to www-data (recursively)
user is a member of the group www-data
Do I need to do anything in VSCode to update permissions? Am I missing something else?
Here are the exact commands I used:
sudo adduser user www-data
sudo chown -R www-data:www-data /var/www
sudo chmod -R 0775 /var/www
OK I did a bit more Googling right after posting this, and I was able to fix this by deleting the .vscode-server folder in the home directory.
https://github.com/microsoft/vscode-remote-release/issues/3399#issuecomment-922935448
I'm not sure if there is an easier way to fix this without doing so, or having to do that every time permissions are changed.

docker-compose pull gives either a gpg error or a permissions error when I attempt to use it with or without sudo

everyone.
I hope that someone can help to answer my question.
I am joining a project in which I have to use various docker containers. I was told that I just needed to use docker-compose to pull down all the necessary containers. I tried this, and got two different errors, based on whether I used sudo or not. My machine is Ubuntu bionic beaver 18.04.4LTS
I have docker-engine installed according to the installation instructions for Bionic on the github page, and docker-compose is likewise installed according to its instructions. I did not create a "docker" group since I have sudo access.
We have two repos that I have to log in to before I can do anything. In order to prevent my passwords from being stored unencrypted in config.json, I followed this guide to set up a secure credential store:
https://www.techrepublic.com/article/how-to-setup-secure-credential-storage-for-docker/
However, rather than asking me for the password and/or passphrase mentioned in this article, the login process makes me enter the actual passwords to the repos. So, the secure credential store may not be working, which might be causing the problem.
At any rate, once I log in and the two commands show login succeeded, I then try to do a
docker-compose pull
on the repos. When I do
sudo docker-compose pull
I get this final error:
docker.errors.DockerException: Credentials store error: StoreError('Credentials store docker-credential-pass exited with "exit status 2: gpg: WARNING: unsafe ownership on homedir '/home/myuser/.gnupg'\ngpg: decryption failed: No secret key".')
an ls of the .gnupg directory is
myuser#myhost$ ls -lA ~ | grep gnupg
drwx------ 4 myuser myuser 226 Feb 9 13:35 .gnupg
gpg --list-secret-keys shows my keypair when I run it as myuser.
I am assuming that what is happening is that because I am running as sudo the user trying to access this directory is root, not myuser, and so it is failing. However, if I leave off the sudo
docker-compose pull
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
I am guessing that this is because my normal user doesn't have the ability to connect to the docker daemon's Unix socket.
So, how do I make these play together? Is the answer to add a docker group so that the command still runs as myuser and not as root? or is there another way to do this?
Also, why is my credential store not asking me for the password set by docker-credential-pass or the GPG passphrase? I suspect these two are related. Perhaps the pull is trying to send my authentication tokens over again and can't because it doesn't have access to the secure credentials store.
All of the above are guesses. Does anyone know what is going on here?
Thanking you in advance,
Brad
I just wanted to follow up with a solution to this question that worked for me.
Firstly, you need to add your user to the docker group that was created during docker-engine's installation.
sudo usermod --append --groups docker your_user_name
Because I had already used sudo to try this, there were a few files that ended up being created by root.
So, you have to chown a few things.
sudo chown your_user_name:your_group_name ~/.docker/config.json
Note that for the group name I used
docker
but I'm not sure if that's necessary.
Then, there were files inside the ~/.password-store directory that needed to be changed.
sudo chown -R your_user_name:your_group_name ~/.password-store
Most of these files are already owned by you, but the recorded credentials are not.
Then, the magic that fixed it all. From
https://ask.csdn.net/questions/5153956
you have to do this.
export GPG_TTY=$(tty)
and it is this last that makes gpg work.
Then, you can log in to your repos if you have to without using sudo
docker login -u repo_user_name your_repo_host
and then log in with your repo password.
Note that I don't know why you have to use the repo password instead of using the stored credentials.
Once you log in, you should be able to do a
docker-compose pull
without sudo
from the directory where you want the containers to be placed.
Note that you will probably have to provide your GPG passphrase at first. I'm not sure about this because I had already unlocked the key by following the steps in the above link to check to see if docker-credential-pass had the right credential store password stored.
and that should do it.

Postgres docker container external access issue when using a bind mounted data directory with pre-existing database

I am trying to use the data directory from a preexisting database & bring up a new postgres docker container (same version 9.5) with its '/var/lib/postgresql/data' bind mounted to the data directory.
I find that even though i am able to bring up the container & use psql within the container to connect to it, external connections fail with invalid password. This despite me setting the POSTGRES_USER, POSTGRES_DB & POSTGRES_PASSWORD environment variables.
Is there a way to make this work? I also tried this method but ran into permission error,
"sh: 1: /usr/local/bin/init.sh: Permission denied"
Thanks
This happends when your user/group id does not match the file owner. You should run your docker with --user
please have a look to Arbitrary --user Notes of https://hub.docker.com/_/postgres
Hope that will help you to fix your problem.
For composer look at https://docs.docker.com/compose/reference/run/
OK i figured out the way to do this & it turns out to be very simple. All i did was,
Add a script & copy it into docker-entrypoint-initdb.d in my Dockerfile
In the script i had a loop that was waiting for the db to be up & running before resetting the superuser password & privileges.
Thanks

how to mount secret in openshift with uid:gid set correctly

I'm using this Dockerfile to deploy it on openshift. - https://github.com/sclorg/postgresql-container/tree/master/9.5
It works fine, until I enabled ssl=on and injected the server.crt and server.key file into the postgres pod via volume mount option.
Secret is created like
$ oc secret new postgres-secrets \
server.key=postgres/server.key \
server.crt=postgres/server.crt \
root-ca.crt=ca-cert
The volume is created as bellow and attached to the given BuidlConfig of postgres.
$ oc volume dc/postgres \
--add --type=secret \
--secret-name=postgres-secrets \
--default-mode=0600 \
-m /var/lib/pgdata/data/secrets/secrets/
Problem is the mounted files of secret.crt and secret.key files is owned by root user, but postgres expect it should be owned by the postgres user. Because of that the postgres server won't come up and says this error.
waiting for server to start....FATAL: could not load server
certificate file "/var/lib/pgdata/data/secrets/secrets/server.crt":
Permission denied stopped waiting pg_ctl: could not start server
How we can insert a volume and update the uid:guid of the files in it ?
It looks like this is not trivial, as it requires to set Volume Security Context so all the containers in the pod are run as a certain user https://docs.openshift.com/enterprise/3.1/install_config/persistent_storage/pod_security_context.html
In the Kubernetes projects, this is something that is still under discussion https://github.com/kubernetes/kubernetes/issues/2630, but seems that you may have to use Security Contexts and PodSecurityPolicies in order to make it work.
I think the easiest option (without using the above) would be to use a container entrypoint that, before actually executing PostgreSQL, it chowns the files to the proper user (postgres in this case).

MailKit dotnet core on Ubuntu 16.04

Running a Kestrel server managed by systemd using www-data user. When trying to send an email using MailKit with TLS enabled I get the following error message:
System.UnauthorizedAccessException: Access to the path '/var/www/.dotnet/corefx/cryptography/crls' is denied. ---> System.IO.IOException: Permission denied
One solution possibly is to set a home directory for www-data, but that seems counter intuitive.
The call stack indicates that the code (MailKit or one of its dependencies) is trying to build and access a certificate cache.
You can manually create the directory and grant the necessary permissions.
Don't modify /var top directory as that's crazy.
First, you need to recursively create the directory:
mkdir -p /var/www/.dotnet/corefx/cryptography/crls
and give rights to www-data group
(if this is the group that runs your service)
sudo chgrp www-data /var/www/.dotnet/corefx/cryptography/crls