docker-compose Permissions Denied when accessing secrets with authelia - docker

I'm starting on a fresh system to deploy a simple docker-compose with swag and authelia. Previously I've just included my "secrets" in the .env file or directly in the authelia configuration file, but I'm trying to employ some best practices here and properly hide the secrets using docker secrets. However, when starting up my containers, authelia is complaining about permission denied when trying to access them.
In the different guides I've looked at, none of them mention permissions on anything other than the secrets directory/files having to be root owned with 600 permissions.
My docker directory is in ~/docker with the secrets in ~/docker/secrets. The secrets directory is root owned with 600 permissions. My docker directory is owned by uid 1100:1100, and I have the following docker-compose (slightly edited for public):
version: "3.9"
secrets:
  authelia_duo_api_secret_key:
    file: $DOCKERSECRETS/authelia_duo_api_secret_key
  authelia_jwt_secret:
    file: $DOCKERSECRETS/authelia_jwt_secret
  authelia_notifier_smtp_password:
    file: $DOCKERSECRETS/authelia_notifier_smtp_password
  authelia_session_secret:
    file: $DOCKERSECRETS/authelia_session_secret
  authelia_storage_encryption_key:
    file: $DOCKERSECRETS/authelia_storage_encryption_key
x-environment: &default-env
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      <<: *default-env
      URL: $DOMAINNAME
      SUBDOMAINS: wildcard
      VALIDATION: dns
      CERTPROVIDER: zerossl #optional
      DNSPLUGIN: cloudflare #optional
      EMAIL: <edit>
      DOCKER_MODS: linuxserver/mods:swag-dashboard
    volumes:
      - $DOCKERDIR/appdata/swag:/config
    ports:
      - 443:443
    restart: unless-stopped
  authelia:
    image: ghcr.io/authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - $DOCKERDIR/appdata/authelia:/config
    user: "1100:1100"
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_notifier_smtp_password
      - authelia_duo_api_secret_key
      - authelia_storage_encryption_key
    environment:
      AUTHELIA_JWT_SECRET_FILE: /run/secrets/authelia_jwt_secret
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/authelia_session_secret
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/authelia_notifier_smtp_password
      AUTHELIA_DUO_API_SECRET_KEY_FILE: /run/secrets/authelia_duo_api_secret_key
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/authelia_storage_encryption_key
And the errors I'm getting in my log are:
authelia | 2022-07-28T23:45:05.872818847Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_session_secret into key 'session.secret': open /run/secrets/authelia_session_secret: permission denied"
authelia | 2022-07-28T23:45:05.872844527Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_jwt_secret into key 'jwt_secret': open /run/secrets/authelia_jwt_secret: permission denied"
authelia | 2022-07-28T23:45:05.872847757Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_duo_api_secret_key into key 'duo_api.secret_key': open /run/secrets/authelia_duo_api_secret_key: permission denied"
authelia | 2022-07-28T23:45:05.872850957Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_storage_encryption_key into key 'storage.encryption_key': open /run/secrets/authelia_storage_encryption_key: permission denied"
authelia | 2022-07-28T23:45:05.872853157Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_notifier_smtp_password into key 'notifier.smtp.password': open /run/secrets/authelia_notifier_smtp_password: permission denied"
authelia | 2022-07-28T23:45:05.872855307Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: option 'jwt_secret' is required"
authelia | 2022-07-28T23:45:05.872857277Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: duo_api: option 'secret_key' is required when duo is enabled but it is missing"
authelia | 2022-07-28T23:45:05.872859417Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: storage: option 'encryption_key' is required"
authelia | 2022-07-28T23:45:05.872861397Z time="2022-07-28T21:15:05-02:30" level=fatal msg="Can't continue due to the errors loading the configuration"
I'm sure I'm missing something simple here. Does everything have to be run as root in order to access the secrets? Does that mean changing all my docker directory in my home folder to root, just to hide credentials? I'm a little confused by this, any help would be greatly appreciated.

I had similar permissions errors which I could get rid of by using docker volumes. I oriented myself on this example here.
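An added check for the question above (not code from the question or the answer): a non-swarm Compose "file:" secret is bind-mounted into /run/secrets with the host file's owner and mode, so the decision the kernel makes for the container's "user:" can be reproduced on the host before starting the stack. The function below mimics that owner/group/other read check for a given uid:gid and also flags secrets that anyone can read; it assumes GNU stat (Linux) and ignores supplementary groups (group_add).

```shell
#!/bin/sh
# check_secret_perms DIR UID GID
# For every regular file in DIR, report whether a process running as UID:GID
# (the container's "user:") could open it, and flag files readable by everyone.
# Returns 0 only when every file is readable by UID:GID and not world-readable.
check_secret_perms() {
    dir=$1
    want_uid=$2
    want_gid=$3
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # owner uid, group gid and octal mode; these are the bits the secret
        # keeps when Compose bind-mounts it into /run/secrets (GNU stat assumed)
        set -- $(stat -c '%u %g %a' "$f")
        f_uid=$1
        f_gid=$2
        mode=$3
        perm=$((0$mode))                 # octal string -> integer
        owner_r=$(( (perm >> 8) & 1 ))   # 0400
        group_r=$(( (perm >> 5) & 1 ))   # 0040
        other_r=$(( (perm >> 2) & 1 ))   # 0004
        # Same class selection the kernel uses: root bypasses DAC, otherwise
        # exactly one of owner / group / other applies (no fallthrough).
        if [ "$want_uid" -eq 0 ]; then
            readable=1
        elif [ "$f_uid" -eq "$want_uid" ]; then
            readable=$owner_r
        elif [ "$f_gid" -eq "$want_gid" ]; then
            readable=$group_r
        else
            readable=$other_r
        fi
        if [ "$readable" -eq 0 ]; then
            status="DENIED (owner $f_uid:$f_gid mode $mode, container user $want_uid:$want_gid)"
            rc=1
        elif [ "$other_r" -eq 1 ]; then
            status="WORLD-READABLE (mode $mode)"
            rc=1
        else
            status="OK"
        fi
        printf '%s: %s\n' "$f" "$status"
    done
    return "$rc"
}

# Usage against the layout in the question (root-owned 0600 files, container user 1100:1100):
#   check_secret_perms ~/docker/secrets 1100 1100
```

A root-owned 0600 secret reported as DENIED for 1100:1100 is exactly the "open /run/secrets/...: permission denied" in the log above, while 0644 would make it readable but flags it as world-readable.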

Related

docker compose otel collector permission denied in retrieving configuration file

I have my docker-compose.yml file:
otel-collector:
  image: otel/opentelemetry-collector
  command: ["--config=/etc/otel-collector-config.yaml"]
  volumes:
    - ./otel-collector-config.yaml:/etc/otel-collector-config.yaml
  ports:
    - "1888:1888" # pprof extension
    - "8888:8888" # Prometheus metrics exposed by the collector
    - "8889:8889" # Prometheus exporter metrics
    - "13133:13133" # health_check extension
    - "4317:4317" # OTLP gRPC receiver
    - "4318:4318" # OTLP http receiver
    - "55679:55679" # zpages extension
I see this error after execution of docker compose up:
otel-collector | Error: failed to get config: cannot resolve the configuration: cannot retrieve the configuration: unable to read the file file:/etc/otel-collector-config.yaml: open /etc/otel-collector-config.yaml: permission denied
otel-collector | 2022/01/09 11:15:47 collector server run finished with error: failed to get config: cannot resolve the configuration: cannot retrieve the configuration: unable to read the file file:/etc/otel-collector-config.yaml: open /etc/otel-collector-config.yaml: permission denied
How can I solve it?

An error occurred (InvalidArgument) when calling the ListBuckets operation: S3 API Requests must be made to API port

We are using Minio for local testing of S3 and we have created a docker-compose file with Minio and our app dependency as follows:
Docker-Compose File:
version: "2.1"
services:
  minio:
    image: minio/minio
    container_name: minio
    ports:
      - 9001:9001
    volumes:
      - minio_storage:/data
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
      MINIO_REGION: us-east-1
    command: server /data --console-address ":9001"
    mem_limit: 512m
  populate-minio-data:
    container_name: "minio-data"
    image: minio/mc
    volumes:
      - ./hello.txt:/tmp/hello.txt
    entrypoint: >
      /bin/sh -c "
      /usr/bin/mc config host rm local;
      /usr/bin/mc config host add --quiet --api s3v4 local http://minio:9001 minio minio123;
      /usr/bin/mc mb --quiet local/somebucketname1/;
      /usr/bin/mc policy set public local/somebucketname1;
      /usr/bin/mc cp /tmp/hello.txt local/somebucketname1/hello.txt;
      "
    depends_on:
      - minio
  archive-api-app:
    image: openjdk:11
    container_name: "archive-api-app"
    ports:
      - 8091:6001
    volumes:
      - /home/apcuser/dev/projects/ea-archive-service-v2/projects/application/archive-api:/app
    command: [ 'java', '-jar', '/app/build/libs/archive-api-1.0.0.jar' ]
    env_file:
      - ./vars/default.env
volumes:
  minio_storage:
And in the Java code, I have configured the MINIO URL as the S3 endpoint as follows:
@Bean
public AmazonS3 getS3Client() {
    return AmazonS3ClientBuilder.standard()
        .withClientConfiguration(new ClientConfiguration().withMaxConnections(maxConnections)
            .withConnectionTimeout(connectionTimeout).withMaxErrorRetry(maxRetry))
        .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("http://minio:9001", "us-east-1"))
        .build();
}
Once I run the docker-compose file, I am able to see the minio UI on my local Linux machine as follows:
But I am not seeing any data in Minio; instead, I am seeing the below error while uploading data to minio:
Attaching to minio-data
minio-data | Removed `local` successfully.
minio-data | Added `local` successfully.
minio-data | mc: <ERROR> Unable to make bucket `local/somebucketname1/`. S3 API Requests must be made to API port.
minio-data | mc: <ERROR> Unable to set policy `public` for `local/somebucketname1`. S3 API Requests must be made to API port.
minio-data | `/tmp/hello.txt` -> `local/somebucketname1/hello.txt`
minio-data | mc: <ERROR> Failed to copy `/tmp/hello.txt`. S3 API Requests must be made to API port.
minio-data | Total: 0 B, Transferred: 0 B, Speed: 0 B/s
I am seeing the same error when I try to list MINIO data from my local Linux host machine:
export AWS_ACCESS_KEY_ID=minio
export AWS_SECRET_ACCESS_KEY=minio123
export AWS_REGION=us-east-1
aws --endpoint-url http://127.0.0.1:9001 s3 ls
An error occurred (InvalidArgument) when calling the ListBuckets operation: S3 API Requests must be made to API port.
Can anyone help here, please?
The error message indicates that you need to use the API port instead of the console port while using mc.
/usr/bin/mc config host add --quiet --api s3v4 local http://minio:9001 minio minio123;
You need to use port 9000 instead of 9001.

"Deployment Orderer to Docker"

My docker-compose.yml file for fabric-orderer deployment:
fabric-orderer:
  image: hyperledger/fabric-orderer
  container_name: fabric-orderer1
  environment:
    - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
    - ORDERER_GENERAL_BOOTSTRAPMETHOD=file
    - ORDERER_GENERAL_BOOTSTRAPFILE=/mnt/b/Desktop/HFForMastersWork/genesis-blocks/genesis1.block
    - ORDERER_GENERAL_LOCALMSPDIR=/mnt/b/Desktop/HFForMastersWork/organizations/ordererOrgs/orderer1/msp
    - ORDERER_GENERAL_LOCALMSPID=orderer1MSP
  command: orderer
  ports:
    - 7050:7050
  volumes:
    - ./genesis.block:/mnt/b/Desktop/HFForMastersWork/genesis-blocks/genesis1.block
I always receive the next error:
fabric-orderer1 | 2021-07-02 10:38:03.671 UTC [orderer.common.server] loadLocalMSP -> PANI 003 Failed to get local msp config: could not load a valid signer certificate from directory /mnt/b/Desktop/HFForMastersWork/organizations/ordererOrgs/orderer1/msp/signcerts: stat /mnt/b/Desktop/HFForMastersWork/organizations/ordererOrgs/orderer1/msp/signcerts: no such file or directory
fabric-orderer1 | panic: Failed to get local msp config: could not load a valid signer certificate from directory /mnt/b/Desktop/HFForMastersWork/organizations/ordererOrgs/orderer1/msp/signcerts: stat /mnt/b/Desktop/HFForMastersWork/organizations/ordererOrgs/orderer1/msp/signcerts: no such file or directory
But I checked all paths and all of them are correct. Help me, please. Where is my error?

Authelia (Docker-Compose) can't find/read existing configuration files (Volumes)

I tried to install Authelia as an OAuth server with Docker-Compose. But every time I start the container, the logs are saying this
time="2020-05-23T16:51:09+02:00" level=error msg="Provide a JWT secret using \"jwt_secret\" key"
time="2020-05-23T16:51:09+02:00" level=error msg="Please provide `ldap` or `file` object in `authentication_backend`"
time="2020-05-23T16:51:09+02:00" level=error msg="Set domain of the session object"
time="2020-05-23T16:51:09+02:00" level=error msg="A storage configuration must be provided. It could be 'local', 'mysql' or 'postgres'"
time="2020-05-23T16:51:09+02:00" level=error msg="A notifier configuration must be provided"
panic: Some errors have been reported
goroutine 1 [running]:
main.startServer()
github.com/authelia/authelia/cmd/authelia/main.go:41 +0xc80
main.main.func1(0xc00009c000, 0xc0001e6100, 0x0, 0x2)
github.com/authelia/authelia/cmd/authelia/main.go:126 +0x20
github.com/spf13/cobra.(*Command).execute(0xc00009c000, 0xc000020190, 0x2, 0x2, 0xc00009c000, 0xc000020190)
github.com/spf13/cobra@v0.0.7/command.go:842 +0x29d
github.com/spf13/cobra.(*Command).ExecuteC(0xc00009c000, 0xc0007cdf58, 0x4, 0x4)
github.com/spf13/cobra@v0.0.7/command.go:943 +0x317
github.com/spf13/cobra.(*Command).Execute(...)
github.com/spf13/cobra@v0.0.7/command.go:883
main.main()
github.com/authelia/authelia/cmd/authelia/main.go:143 +0x166
and the container is restarting.
I don't really understand why and where this behavior comes from. I've used named volumes just like bind volumes but it is still the same error. Maybe someone can tell me where I'm making a (probably stupid) mistake, because I don't see it.
My compose.yml file:
version: '3.7'
services:
  authelia:
    image: "authelia/authelia:latest"
    container_name: authelia
    restart: "unless-stopped"
    # security_opt:
    #   - no-new-privileges:true
    networks:
      - "web"
      - "intern"
    volumes:
      - ./authelia:/var/lib/authelia
      - ./configuration.yml:/etc/authelia/configuration.yml:ro
      - ./users_database.yml:/etc/authelia/users_database.yml
      # Had to bind this volume; without it, docker creates its own volume with an empty configuration.yml and
      # users_database.yml
      - ./data:/etc/authelia
    environment:
      - TZ=$TZ
    labels:
      - "traefik.enable=true"
      # HTTP Routers
      - "traefik.http.routers.authelia-rtr.entrypoints=https"
      - "traefik.http.routers.authelia-rtr.rule=Host(`secure.$DOMAINNAME`)"
      - "traefik.http.routers.authelia-rtr.tls=true"
      - "traefik.http.routers.authelia-rtr.tls.certresolver=le"
      # Middlewares
      - "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file"
      # HTTP Service
      - "traefik.http.routers.authelia-rtr.service=authelia-svc"
      - "traefik.http.services.auhtelia-svc.loadbalancer.server.port=9091"
networks:
  web:
    external: true
  intern:
    external: true
The files and folders under the volumes section exist and configuration.yml is not empty. I use an admin (non-root) user with sudo permissions.
Can anybody tell me what I'm doing wrong and why authelia isn't able to find or read the configuration.yml?
Verify your configuration.yml file. These errors show up when your YAML syntax is incorrect. In particular:
double-check indentation,
put your domain names in quotation marks (this was my problem when I encountered that).
See also the discussion here.

error: container_linux.go:235: starting container process caused keycloak/keycloak-gatekeeper

On CentOS 7, I'm trying to start 2 containers with docker-compose and I get this error:
error: container_linux.go:235: starting container process caused keycloak/keycloak-gatekeeper
# ls
docker-compose.yml Dockerfile gatekeeper-be.conf gatekeeper-fe.conf nginx-conf.d README.MD
=================
# cat docker-compose
version: '3.2'
networks:
  network-bo-network:
    driver: "bridge"
    ipam:
      config:
        - subnet: "173.200.1.0/24"
gatekeeper-fe:
  image: keycloak/keycloak-gatekeeper:latest
  command: /keycloak-proxy --config /opt/keycloak-gatekeeper/gatekeeper.conf
  volumes:
    - ./gatekeeper-fe.conf:/opt/keycloak-gatekeeper/gatekeeper.conf
  networks:
    network-bo-network:
      ipv4_address: "173.200.1.3"
network-bo-nginx:
  image: nginx:1.17
  ports:
    - "83:80"
  volumes:
    - ./nginx-conf.d:/etc/nginx/conf.d
  networks:
    network-bo-network:
      ipv4_address: "173.200.1.5"
===========================================
cat gatekeeper-fe.conf
ClientID is the client id
client-id: client-bo-app
## ClientSecret is the secret for AS
client-secret: xxxxxxxxxxxxxxxxxxx
## DiscoveryURL is the url for the keycloak server
discovery-url: https://xxxxxxxxxxxxxxxxxxxx
## SkipOpenIDProviderTLSVerify skips the tls verification for openid provider communication
skip-openid-provider-tls-verify: true
## EnableDefaultDeny indicates we should deny by default all requests
enable-default-deny: true
## EnableRefreshTokens indicate's you wish to ignore using refresh tokens and re-auth on expiration of access token
enable-refresh-tokens: true
## EncryptionKey is the encryption key used to encrypt the refresh token
encryption-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
## Listen is the binding interface
listen: :8081
## Upstream is the upstream endpoint i.e whom were proxying to
upstream-url: http://173.200.1.1:8082
## EnableLogging indicates if we should log all the requests
enable-logging: true
## EnableJSONLogging is the logging format
enable-json-logging: true
## PreserveHost preserves the host header of the proxied request in the upstream request
preserve-host: true
## NoRedirects informs we should hand back a 401 not a redirect
no-redirects: true
## AddClaims is a series of claims that should be added to the auth headers
add-claims:
  - email
  - given_name
  - family_name
  - name
## Resources configuration
resources:
  - uri: /api/v1/metadata
    methods:
      - GET
    white-listed: true
==================================================
# docker-compose up
WARNING: Found orphan containers (network-bo-dev_network-bo-postgres_1) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
network-bo-dev_network-bo-nginx_1 is up-to-date
Creating network-bo-dev_gatekeeper-fe_1 ... error
ERROR: for network-bo-dev_gatekeeper-fe_1 Cannot start service gatekeeper-fe: oci runtime error: container_linux.go:235: starting container process caused "container init exited prematurely"
ERROR: for gatekeeper-fe Cannot start service gatekeeper-fe: oci runtime error: container_linux.go:235: starting container process caused "container init exited prematurely"
ERROR: Encountered errors while bringing up the project.
You should provide https://stackoverflow.com/help/minimal-reproducible-example - the provided docker-compose doesn't have correct syntax.
A few obvious errors:
the gatekeeper binary in the image is at the /opt/keycloak-gatekeeper location, not /keycloak-proxy, but see the next point
the used image uses entrypoint=/opt/keycloak-gatekeeper => the command just needs the part after the binary, e.g.: --config /opt/keycloak-gatekeeper/gatekeeper.conf
the first line in gatekeeper-fe.conf should be a comment