How to get accurate altitude using an external sensor like BMP180, MPL3115A2 - geolocation

I'm checking altitude data every minute and storing it in a data logger. The value is not constant even when I fix the sensor on my desk for testing, so there is no movement.
The variation in the value increases up to a ±20 m difference. I use a reference pressure of 101.325 kPa (sea level).
I need suggestions on how to maintain the accuracy of ±0.2 meter mentioned in the sensor specification.
My data is
date & altitude
11/19/2015 15:29 920.51
11/19/2015 15:30 920.51
11/19/2015 15:31 920.51
11/19/2015 15:32 920.42
11/19/2015 15:33 920.42
11/19/2015 15:34 919.783
11/19/2015 15:35 919.873
11/19/2015 15:36 919.691
11/19/2015 15:37 918.963
11/19/2015 15:38 919.418
11/19/2015 15:39 919.327
11/19/2015 15:40 919.873
11/19/2015 15:41 919.236
11/19/2015 15:42 919.145
11/19/2015 15:43 919.236
11/19/2015 15:44 918.69
11/19/2015 15:45 918.963
11/19/2015 15:46 919.236
11/19/2015 15:47 918.417
11/19/2015 15:48 919.145
11/19/2015 15:49 918.417
11/19/2015 15:50 918.872
11/19/2015 15:51 918.872
11/19/2015 15:52 918.781
11/19/2015 15:53 918.053
11/19/2015 15:54 918.872
11/19/2015 15:55 919.236
11/19/2015 15:56 919.327
11/19/2015 15:57 918.781
11/19/2015 15:58 919.054
11/19/2015 15:59 918.872
11/19/2015 16:00 919.145
11/19/2015 16:01 918.872
11/19/2015 16:02 918.508
11/19/2015 16:03 919.054
11/19/2015 16:04 919.054
11/19/2015 16:06 918.872
11/19/2015 16:05 918.144
11/19/2015 16:07 918.417
11/19/2015 16:08 919.236
11/19/2015 16:09 918.326
11/19/2015 16:10 918.235
11/19/2015 16:11 918.144
11/19/2015 16:12 918.417
11/19/2015 16:13 917.962
11/19/2015 16:14 917.143
11/19/2015 16:15 917.78
11/19/2015 16:16 917.962
11/19/2015 16:17 918.144
11/19/2015 16:18 917.871
11/19/2015 16:19 917.507
11/19/2015 16:20 917.78
11/19/2015 16:21 917.325
11/19/2015 16:22 917.234
11/19/2015 16:23 917.78
11/19/2015 16:24 916.688
11/19/2015 16:25 916.506
11/19/2015 16:26 916.597
11/19/2015 16:27 916.233
11/19/2015 16:28 915.96
11/19/2015 16:29 916.233
11/19/2015 16:30 916.142
11/19/2015 16:31 915.869
11/19/2015 16:32 915.778
11/19/2015 16:33 915.596
11/19/2015 16:34 916.233
11/19/2015 16:35 915.869
11/19/2015 16:36 915.687
11/19/2015 16:37 916.142
11/19/2015 16:38 915.869
11/19/2015 16:39 915.414
11/19/2015 16:40 915.687
11/19/2015 16:41 915.96
11/19/2015 16:42 915.323
11/19/2015 16:43 915.869
11/19/2015 16:44 914.868
11/19/2015 16:45 915.505
11/19/2015 16:46 915.05
11/19/2015 16:47 915.232
11/19/2015 16:48 915.05
11/19/2015 16:49 914.777
11/19/2015 16:50 915.414
11/19/2015 16:51 914.686
11/19/2015 16:52 914.596
11/19/2015 16:53 915.232
11/19/2015 16:54 914.868
11/19/2015 16:55 915.141
11/19/2015 16:56 915.141
11/19/2015 16:57 915.141
11/19/2015 16:58 915.323
11/19/2015 16:59 914.959
11/19/2015 17:00 914.322
11/19/2015 17:01 914.959
11/19/2015 17:02 914.777
11/19/2015 17:03 914.868
11/19/2015 17:04 914.777
11/19/2015 17:05 914.504
11/19/2015 17:06 914.231
11/19/2015 17:07 914.504
11/19/2015 17:08 914.414
11/19/2015 17:09 914.231
11/19/2015 17:10 914.231
11/19/2015 17:11 914.141
11/19/2015 17:12 914.141
11/19/2015 17:13 913.867
11/19/2015 17:14 914.596
11/19/2015 17:15 914.141
11/19/2015 17:16 913.867
11/19/2015 17:17 913.686
11/19/2015 17:18 913.231
11/19/2015 17:19 913.504
11/19/2015 17:20 913.867
11/19/2015 17:21 913.867
11/19/2015 17:22 913.594
11/19/2015 17:23 913.049
11/19/2015 17:24 912.321
11/19/2015 17:25 913.14
11/19/2015 17:26 912.049
11/19/2015 17:27 912.321
11/19/2015 17:28 911.503
11/19/2015 17:29 911.866
11/19/2015 17:30 911.503
11/19/2015 17:31 911.139
11/19/2015 17:32 910.593
11/19/2015 17:33 910.775
11/19/2015 17:34 910.411
11/19/2015 17:35 910.321
11/19/2015 17:36 909.956
11/19/2015 17:37 909.956
11/19/2015 17:38 910.048
11/19/2015 17:39 909.593
11/19/2015 17:40 908.138
11/19/2015 17:41 908.411
11/19/2015 17:42 907.956
11/19/2015 17:43 907.956
11/19/2015 17:44 908.138
11/19/2015 17:45 907.32
11/19/2015 17:46 908.229
11/19/2015 17:47 907.684
11/19/2015 17:48 907.502
11/19/2015 17:49 907.411
11/19/2015 17:50 906.774
11/19/2015 17:51 907.32
11/19/2015 17:52 907.411
11/19/2015 17:53 907.411
11/19/2015 17:54 907.138
11/19/2015 17:55 906.865
11/19/2015 17:56 906.593
11/19/2015 17:57 906.229
11/19/2015 17:58 905.683
11/19/2015 17:59 906.138
11/19/2015 18:00 905.047
11/19/2015 18:01 906.047
11/19/2015 18:02 905.138
11/19/2015 18:03 905.047
11/19/2015 18:04 904.684
11/19/2015 18:05 904.593
11/19/2015 18:06 904.32
11/19/2015 18:07 904.774
11/19/2015 18:08 904.411
11/19/2015 18:09 904.593
11/19/2015 18:10 904.593
11/19/2015 18:11 904.138
11/19/2015 18:12 904.956
11/19/2015 18:13 903.684
11/19/2015 18:14 903.957
11/19/2015 18:15 904.048
11/19/2015 18:17 904.048
11/19/2015 18:18 903.229
11/19/2015 18:19 903.229
11/19/2015 18:20 903.229
11/19/2015 18:21 903.139
11/19/2015 18:22 903.32
11/19/2015 18:23 902.684
11/19/2015 18:24 902.775
11/19/2015 18:25 902.957
11/19/2015 18:26 902.684
11/19/2015 18:27 903.048
11/19/2015 18:28 902.957
11/19/2015 18:29 902.139
11/19/2015 18:30 902.684
11/19/2015 18:31 902.684
11/19/2015 18:32 902.775
11/19/2015 18:33 902.593
11/19/2015 18:34 902.412
11/19/2015 18:38 902.866
11/19/2015 18:36 902.957
11/19/2015 18:37 902.957
11/19/2015 18:43 901.412
11/19/2015 18:40 902.321
11/19/2015 18:41 901.867
11/19/2015 18:42 901.776
11/19/2015 18:46 901.231
11/19/2015 18:45 901.867
11/19/2015 18:47 901.867
11/19/2015 18:48 901.231
11/19/2015 18:49 901.14
11/19/2015 18:50 900.776

Related

Mounting volume on docker-compose, but nginx container sees empty directory

I want to run nginx with docker-compose.
docker-compose.yml:
version: "3.9"
services:
  custom-nginx:
    image: custom-nginx:latest
    network_mode: host
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt:ro
    ports:
      - 80:80
      - 443:443
    restart: always
  nginx:
    depends_on:
      - custom-nginx
    image: nginx:alpine
    volumes:
      - /etc/letsencrypt:/etc/letsencrypt:ro
    restart: always
The folder gets mounted but when I look into it from the nginx container it's empty:
/ # ls -al /etc/letsencrypt/
total 4
drwxr-xr-x 2 root root 40 Nov 21 18:00 .
drwxr-xr-x 1 root root 4096 Nov 21 20:07 ..
The custom-nginx Dockerfile is just
FROM nginx:alpine
COPY nginx.conf /etc/nginx/nginx.conf
I assume it has to do with my permissions maybe?
ls -l /etc | grep lets
drwxr-x--- 9 root docker 4096 Nov 21 17:43 letsencrypt
The docker group has rx on the folder recursively. The docker user on the host can see all those folders, and the docker user is running docker in rootless mode.
I was assuming that the root user of the container should see all files the same way as the docker user on the host machine?
What am I missing here?
EDIT: This is the content of /etc/letsencrypt on the host
ls -l /etc/letsencrypt/
total 32
drwx------ 3 root root 4096 Nov 21 17:32 accounts
drwxr-x--- 3 root docker 4096 Nov 21 17:43 archive
-rwx------ 1 root root 207 Nov 12 2021 cli.ini
drwx------ 2 root root 4096 Nov 21 17:43 csr
drwx------ 2 root root 4096 Nov 21 17:43 keys
drwxr-x--- 3 root docker 4096 Nov 21 17:43 live
drwx------ 2 root root 4096 Nov 21 17:43 renewal
drwx------ 5 root root 4096 Nov 21 17:32 renewal-hooks
The container, inside its nginx.conf, only references /etc/letsencrypt/live/<domain_name>/fullchain.pem, which is actually a link:
/etc/letsencrypt/live/<domain_name>/fullchain.pem -> ../../archive/<domain_name>/fullchain1.pem
But both live and archive folders seem to have the necessary permissions in my opinion...

Docker volume lost files rights in container?

Here is my docker-compose.yml:
version: '2'
services:
  backgestionpersonne_TEST_CBS:
    image: my-registry.compagny.com/my_repo/TEST_CBS:${TAG_VERSION}
    container_name: TEST_CBS
    restart: always
    ports:
      - 5555:80
    networks:
      - traefik
    volumes:
      - '/etc/pki/ca-trust/source/anchors/cert_Subordinate_CA.pem:/usr/local/share/ca-certificates/cert_Subordinate_CA.pem'
      - '/etc/pki/ca-trust/source/anchors/cert_Root_CA.pem:/usr/local/share/ca-certificates/cert_Root_CA.pem'
      - '/etc/pki/ca-trust/source/anchors/cert.pem:/usr/local/share/ca-certificates/cert.pem'
networks:
  traefik:
    external:
      name: traefik
When I am in the container, I get these missing rights, shown as ??????????:
root#2ce5b349fc30:/app# ls -ail /usr/local/share/ca-certificates/
ls: cannot access '/usr/local/share/ca-certificates/cert_Subordinate_CA.pem': Permission denied
ls: cannot access '/usr/local/share/ca-certificates/cert_Root_CA.pem': Permission denied
ls: cannot access '/usr/local/share/ca-certificates/cert.pem': Permission denied
total 0
18302330 drwxr-xr-x. 1 root root 105 Aug 1 14:24 .
890135 drwxr-xr-x. 1 root root 29 Jul 12 13:53 ..
? -?????????? ? ? ? ? ? cert_Subordinate_CA.pem
? -?????????? ? ? ? ? ? cert_Root_CA.pem
? -?????????? ? ? ? ? ? cert.pem
Do you know why this Docker volume lost its rights when I am inside the container?
(I have the exact same docker-compose.yml file on another server, and the volume doesn't lose rights in it.)
When I use this volume, it works:
      - '/tmp/tmp/cert_Subordinate_CA.pem:/usr/local/share/ca-certificates/cert_Subordinate_CA.pem'
      - '/tmp/tmp/cert_Root_CA.pem:/usr/local/share/ca-certificates/cert_Root_CA.pem'
      - '/tmp/tmp/cert.pem:/usr/local/share/ca-certificates/cert.pem'
Here are the rights on both directories:
[root#svprd1148 ~]# ls -ail /tmp/tmp/
total 12
17379249 drwxr-xr-x. 2 root root 89 Jul 20 20:29 .
16777288 drwxrwxrwt. 9 root root 138 Aug 4 04:05 ..
18033843 -rw-r--r--. 1 root root 1578 Jun 17 11:41 cert_Root_CA.pem
18033827 -rw-r--r--. 1 root root 1125 Jun 17 10:20 cert_Subordinate_CA.pemm
18033836 -rw-r--r--. 1 root root 1588 Jun 17 10:19 cert.pem
and
[root#svprd1148 ~]# ls -ail /etc/pki/ca-trust/source/anchors/
total 32
45589 drwxr-xr-x. 2 root root 188 Aug 1 16:21 .
50341743 drwxr-xr-x. 4 root root 80 Jul 20 20:23 ..
51155 -rw-r--r--. 1 root root 1125 Jun 17 10:20 cert_Subordinate_CA.pem
51156 -rw-r--r--. 1 root root 1578 Jun 17 11:41 cert_Root_CA.pem
4691079 -rw-r--r--. 1 root root 1588 Jun 17 10:19 cert.pem
And I get "permission denied" when I try to run "chmod 777 -R /usr/local/share/ca-certificates/" inside the container.
I found the solution here:
Permission denied on accessing host directory in Docker
It's necessary to add :Z at the end of each volume.
    volumes:
      - '/etc/pki/ca-trust/source/anchors/cert_Subordinate_CA.pem:/usr/local/share/ca-certificates/cert_Subordinate_CA.pem:Z'
      - '/etc/pki/ca-trust/source/anchors/cert_Root_CA.pem:/usr/local/share/ca-certificates/cert_Root_CA.pem:Z'
      - '/etc/pki/ca-trust/source/anchors/cert.pem:/usr/local/share/ca-certificates/cert.pem:Z'
It works!

How to read the secret in rancher?

I'm using Rancher and I set a secret using Rancher's GUI. I'm trying to make my application read this secret. Let's say the secret is called pass and I want to read it. Being familiar with Docker, I wrote the following code:
// In the utils module (needs: const fs = require('fs');)
readDockerSecret: function(secretName) {
  // Docker mounts each secret as a file under /run/secrets
  return fs.readFileSync(`/run/secrets/${secretName}`, 'utf8');
}
// code
// read secret
try {
  var secretName = "pass";
  // Pass the secret's name, not the still-undefined result variable
  var pass = utils.readDockerSecret(secretName);
} catch (err) {
  if (err.code !== 'ENOENT') {
    logger.error(`An error occurred while trying to read the secret: ${secretName}. Err: ${err}`);
  } else {
    logger.debug(`Could not find the secret: ${secretName}. Err: ${err}`);
  }
}
But when I use it in Rancher, it never finds the secret. In the Rancher shell in the GUI I can see that I have the following hierarchy:
ls -la /run/secrets
total 0
drwxr-xr-x 1 root root 27 Aug 10 11:02 .
drwxr-xr-x 1 root root 21 Aug 10 10:53 ..
drwxr-xr-x 2 root root 40 Aug 10 11:02 credentials.d
drwxr-xr-x 3 root root 28 Aug 10 11:02 kubernetes.io
credentials.d is empty. But kubernetes.io contains:
/run/secrets/kubernetes.io
total 0
drwxr-xr-x 3 root root 28 Aug 10 11:02 .
drwxr-xr-x 1 root root 27 Aug 10 11:02 ..
drwxrwxrwt 3 root root 140 Aug 10 11:02 serviceaccount
ls -la /run/secrets/kubernetes.io/serviceaccount/
total 0
drwxrwxrwt 3 root root 140 Aug 10 11:02 .
drwxr-xr-x 3 root root 28 Aug 10 11:02 ..
drwxr-xr-x 2 root root 100 Aug 10 11:02 ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root 31 Aug 10 11:02 ..data -> ..2020_08_10_11_02_18.157580662
lrwxrwxrwx 1 root root 13 Aug 10 11:02 ca.crt -> ..data/ca.crt
lrwxrwxrwx 1 root root 16 Aug 10 11:02 namespace -> ..data/namespace
lrwxrwxrwx 1 root root 12 Aug 10 11:02 token -> ..data/token
No sign for pass anywhere. Tried also to grep but without any luck. How should I read the secret in rancher?
EDIT: The screenshot:
In the yaml we have:
spec:
  containers:
  - envFrom:
    - prefix: pass
      secretRef:
        name: pass
        optional: false
    image: <image-url>
    imagePullPolicy: Always
    name: <app-name>
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {}
      privileged: false
      readOnlyRootFilesystem: false
      runAsNonRoot: false
    stdin: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    tty: true
  dnsPolicy: ClusterFirst
  imagePullSecrets:
  - name: pass
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  terminationGracePeriodSeconds: 30
status:
To be able to use a secret from inside a pod, you first need to "mount" that secret into the pod, either as an environment variable or a file. The secrets docs describe in detail how to do that.
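An added example, not part of the original question or answer: the pod spec above injects the secret with envFrom and prefix pass, so each key of the secret appears as an environment variable named pass<key>, not as a file under /run/secrets. The sketch below resolves a key from either the environment or a secret volume; the key name password and the mount directory are assumptions, since the page shows neither.

```javascript
const fs = require('fs');
const path = require('path');

// Hypothetical mount path for a secret volume; the page's pod spec only uses envFrom.
const DEFAULT_MOUNT_DIR = '/etc/secrets/pass';

/**
 * Resolve one key of a Kubernetes Secret.
 * Returns { source, value } or null when the key is exposed nowhere.
 * Log `source` when debugging, never `value`.
 */
function readSecret(key, opts = {}) {
  const env = opts.env || process.env;
  const prefix = opts.prefix || '';
  const mountDir = opts.mountDir || DEFAULT_MOUNT_DIR;

  // Secret keys are limited to alphanumerics, '-', '_' and '.'; rejecting
  // anything else also keeps the file lookup inside the mount directory.
  if (!/^[A-Za-z0-9._-]+$/.test(key) || key === '.' || key === '..') {
    throw new Error(`invalid secret key: ${key}`);
  }

  // 1. envFrom: each key of the Secret becomes the variable <prefix><key>.
  const envName = prefix + key;
  if (env[envName] !== undefined) {
    return { source: `env:${envName}`, value: env[envName] };
  }

  // 2. Secret volume: each key becomes the file <mountDir>/<key>.
  const file = path.join(mountDir, key);
  try {
    return { source: `file:${file}`, value: fs.readFileSync(file, 'utf8') };
  } catch (err) {
    // A missing file means "not mounted"; permission errors must surface.
    if (err.code !== 'ENOENT') throw err;
  }
  return null;
}
```

With the pod spec from the question, a call such as readSecret('password', { prefix: 'pass' }) would look for the variable passpassword first.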

How to change the umask when mounting volumes in kubernetes pods

Update
Using fsGroup in a SecurityContext allows the "group" permissions on the final mounting point to be set. So referring to the example below (/mydata/storage/sample/one), the perms for "one" will allow the fsGroup ID write access. However, none of the parent folders ("mydata", "storage", "sample") will have any permissions for that fsGroup. They are owned by root:root and have 755 as their permissions.
This is a huge problem if the running processes (runAsUser and runAsGroup) try to create files/folders in any of the parent paths.
Original Post
When mounting volumes inside pods to containers, the mountPath does not need to exist; it will be created. However, the directories in this path get created with a certain umask (I believe it's 0022).
I have set the umask in the Dockerfile but it has not made any difference.
Is there a way to change that in the deployment yaml file?
Example (copied from Kubernetes docs)
$ cat pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: redis
  namespace: play
spec:
  containers:
  - name: redis
    image: redis
    volumeMounts:
    - name: redis-storage
      mountPath: /mydata/storage/sample/one
  volumes:
  - name: redis-storage
    emptyDir: {}
$ kubectl apply -f pod.yaml
pod/redis created
$ kubectl get pods -n play --watch
NAME READY STATUS RESTARTS AGE
redis 1/1 Running 0 67s
$ kubectl exec -it redis -n play bash
root#redis:/data# ls -l /
total 72
drwxr-xr-x 2 root root 4096 Aug 12 00:00 bin
drwxr-xr-x 2 root root 4096 May 13 20:25 boot
drwxr-xr-x 2 redis redis 4096 Aug 14 14:11 data
drwxr-xr-x 5 root root 360 Aug 20 04:25 dev
drwxr-xr-x 1 root root 4096 Aug 20 04:25 etc
drwxr-xr-x 2 root root 4096 May 13 20:25 home
drwxr-xr-x 1 root root 4096 Aug 14 14:11 lib
drwxr-xr-x 2 root root 4096 Aug 12 00:00 lib64
drwxr-xr-x 2 root root 4096 Aug 12 00:00 media
drwxr-xr-x 2 root root 4096 Aug 12 00:00 mnt
drwxr-xr-x 3 root root 4096 Aug 20 04:25 mydata
drwxr-xr-x 2 root root 4096 Aug 12 00:00 opt
dr-xr-xr-x 743 root root 0 Aug 20 04:25 proc
drwx------ 1 root root 4096 Aug 14 14:10 root
drwxr-xr-x 1 root root 4096 Aug 20 04:25 run
drwxr-xr-x 2 root root 4096 Aug 12 00:00 sbin
drwxr-xr-x 2 root root 4096 Aug 12 00:00 srv
dr-xr-xr-x 13 root root 0 Aug 19 21:55 sys
drwxrwxrwt 1 root root 4096 Aug 14 14:11 tmp
drwxr-xr-x 1 root root 4096 Aug 12 00:00 usr
drwxr-xr-x 1 root root 4096 Aug 12 00:00 var
root#redis:/data# ls -l /mydata/
total 4
drwxr-xr-x 3 root root 4096 Aug 20 04:25 storage
I think you need to set up a SecurityContext in Kubernetes. Example from the docs:
Discretionary Access Control: Permission to access an object, like a
file, is based on user ID (UID) and group ID (GID).
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: busybox
    command: [ "sh", "-c", "sleep 1h" ]
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false
continue reading

Docker compose generates anonymous volume rather than existing named volume

In order to keep track of the volumes used, I like to use named volumes. Currently I have one named volume:
docker volume ls
DRIVER VOLUME NAME
local mongodb
My docker-compose file is something like this:
version: "3"
services:
  db:
    image: mongo:4.0.6
    container_name: mongo
    ports:
      - 27017:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: root
      MONGO_INITDB_ROOT_PASSWORD: macmongoroot
    volumes:
      - mongodb:/data/db
volumes:
  mongodb:
    external:
      name: mongodb
networks:
  default:
    external:
      name: macbook
Every time I run docker-compose (docker-compose up -d), Docker Compose adds a new anonymous volume rather than using the named one:
docker volume ls
DRIVER VOLUME NAME
local a4a02fffa9bbbdd11c76359264a5bf24614943c5b1b0070b33a84e51266c58d7
local mongodb
This docker-compose file works fine on my server, but on my Docker Desktop I'm having this issue. I'm currently using Docker Desktop version 2.0.0.3 (31259). Any help would be appreciated, thanks.
The anonymous volume belongs to /data/configdb, which is in the Dockerfile instructions:
VOLUME /data/db /data/configdb
By doing docker inspect on the created container you will notice the following:
"Mounts": [
    {
        "Type": "volume",
        "Name": "mongodb",
        "Source": "/var/lib/docker/volumes/mongodb/_data",
        "Destination": "/data/db",
        "Driver": "local",
        "Mode": "rw",
        "RW": true,
        "Propagation": ""
    },
    {
        "Type": "volume",
        "Name": "be86274b1f6009eb60b8acb3855f51931c4ccc7df700666555422396688b0dd6",
        "Source": "/var/lib/docker/volumes/be86274b1f6009eb60b8acb3855f51931c4ccc7df700666555422396688b0dd6/_data",
        "Destination": "/data/configdb",
        "Driver": "local",
        "Mode": "",
        "RW": true,
        "Propagation": ""
    }
]
This means that the mongodb volume is actually being used for the data, as you asked; however, another volume will be created for /data/configdb. You can also verify that the data exists by checking the source path /var/lib/docker/volumes/mongodb/_data, where the mongodb data will be saved:
$ ls /var/lib/docker/volumes/mongodb/_data
total 328
drwxr-xr-x 4 999 999 4096 Mar 8 11:02 .
drwxr-xr-x 3 root root 4096 Mar 8 10:58 ..
-rw------- 1 999 999 16384 Mar 8 11:00 collection-0--2358474299739251284.wt
-rw------- 1 999 999 36864 Mar 8 11:01 collection-2--2358474299739251284.wt
-rw------- 1 999 999 4096 Mar 8 11:00 collection-4--2358474299739251284.wt
-rw------- 1 999 999 16384 Mar 8 11:00 collection-7--2358474299739251284.wt
drwx------ 2 999 999 4096 Mar 8 11:11 diagnostic.data
-rw------- 1 999 999 16384 Mar 8 11:00 index-1--2358474299739251284.wt
-rw------- 1 999 999 36864 Mar 8 11:01 index-3--2358474299739251284.wt
-rw------- 1 999 999 4096 Mar 8 10:58 index-5--2358474299739251284.wt
-rw------- 1 999 999 4096 Mar 8 11:01 index-6--2358474299739251284.wt
-rw------- 1 999 999 16384 Mar 8 10:58 index-8--2358474299739251284.wt
-rw------- 1 999 999 16384 Mar 8 10:58 index-9--2358474299739251284.wt
drwx------ 2 999 999 4096 Mar 8 11:00 journal
-rw------- 1 999 999 16384 Mar 8 11:00 _mdb_catalog.wt
-rw------- 1 999 999 2 Mar 8 11:00 mongod.lock
-rw------- 1 999 999 36864 Mar 8 11:02 sizeStorer.wt
-rw------- 1 999 999 114 Mar 8 10:58 storage.bson
-rw------- 1 999 999 45 Mar 8 10:58 WiredTiger
-rw------- 1 999 999 4096 Mar 8 11:00 WiredTigerLAS.wt
-rw------- 1 999 999 21 Mar 8 10:58 WiredTiger.lock
-rw------- 1 999 999 1065 Mar 8 11:02 WiredTiger.turtle
-rw------- 1 999 999 69632 Mar 8 11:02 WiredTiger.wt
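An added example, not part of the original answer: a small check over the "Mounts" array from docker inspect that lists anonymous volumes and proposes a named compose entry for each. It treats a 64-character hex volume name as anonymous, which is a heuristic, and the function names and the naming scheme for the suggested volumes are hypothetical.

```javascript
// Sample input: the relevant fields of the "Mounts" array quoted in the answer above.
const SAMPLE_MOUNTS = [
  { Type: 'volume', Name: 'mongodb', Destination: '/data/db' },
  {
    Type: 'volume',
    Name: 'be86274b1f6009eb60b8acb3855f51931c4ccc7df700666555422396688b0dd6',
    Destination: '/data/configdb',
  },
];

// Heuristic (assumption): anonymous volumes get a 64-character hex ID as name.
const ANON_NAME = /^[0-9a-f]{64}$/;

// Return the anonymous volume mounts and the container paths they back.
function anonymousVolumes(mounts) {
  return mounts
    .filter((m) => m.Type === 'volume' && ANON_NAME.test(m.Name || ''))
    .map((m) => ({ name: m.Name, destination: m.Destination }));
}

// Propose a compose "volumes:" list entry per anonymous mount, so the path
// declared by the image's VOLUME instruction lands on a named volume instead.
// The <service>_<path> naming scheme is an illustrative choice.
function suggestNamedVolumes(mounts, service) {
  return anonymousVolumes(mounts).map((v) => {
    const suffix = v.destination
      .replace(/^\/+/, '')
      .replace(/[^A-Za-z0-9_.-]+/g, '_');
    return `- ${service}_${suffix}:${v.destination}`;
  });
}
```

Each suggested name also has to be declared under the top-level volumes: key of the compose file before it can be used.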
