Title: docker-compose Permissions Denied when accessing secrets with authelia
Posted: 2022-08-22 22:26:36
Question:

I'm starting to deploy a simple docker-compose with swag and authelia on a new system. Previously I just put my "secrets" in an .env file or directly in the authelia configuration file, but I'm trying to adopt some best practices here and properly hide the secrets using docker secrets. However, when I start my containers, authelia complains of permission denied when trying to access them.

None of the various guides I've looked at mention permissions for anything other than the secrets directory/files, which are root-owned with 600 permissions.

My docker directory is in ~/docker, and the secrets are in ~/docker/secrets. The secrets directory is root-owned with 600 permissions. My docker directory is owned by uid 1100:1100, and in my docker compose I have the following docker-compose (slightly edited for the public):

version: "3.9"

secrets:

  authelia_duo_api_secret_key:
    file: $DOCKERSECRETS/authelia_duo_api_secret_key
  authelia_jwt_secret:
    file: $DOCKERSECRETS/authelia_jwt_secret
  authelia_notifier_smtp_password:
    file: $DOCKERSECRETS/authelia_notifier_smtp_password
  authelia_session_secret:
    file: $DOCKERSECRETS/authelia_session_secret
  authelia_storage_encryption_key:
    file: $DOCKERSECRETS/authelia_storage_encryption_key

x-environment: &default-env
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID

services:

  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      <<: *default-env
      URL: $DOMAINNAME
      SUBDOMAINS: wildcard
      VALIDATION: dns
      CERTPROVIDER: zerossl #optional
      DNSPLUGIN: cloudflare #optional
      EMAIL: <edit>
      DOCKER_MODS: linuxserver/mods:swag-dashboard
    volumes:
      - $DOCKERDIR/appdata/swag:/config
    ports:
      - 443:443
    restart: unless-stopped

  authelia:
    image: ghcr.io/authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - $DOCKERDIR/appdata/authelia:/config
    user: "1100:1100"
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_notifier_smtp_password
      - authelia_duo_api_secret_key
      - authelia_storage_encryption_key
    environment:
      AUTHELIA_JWT_SECRET_FILE: /run/secrets/authelia_jwt_secret
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/authelia_session_secret
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/authelia_notifier_smtp_password
      AUTHELIA_DUO_API_SECRET_KEY_FILE: /run/secrets/authelia_duo_api_secret_key
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/authelia_storage_encryption_key

The errors I'm getting in the logs are:

authelia  | 2022-07-28T23:45:05.872818847Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_session_secret into key 'session.secret': open /run/secrets/authelia_session_secret: permission denied"
authelia  | 2022-07-28T23:45:05.872844527Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_jwt_secret into key 'jwt_secret': open /run/secrets/authelia_jwt_secret: permission denied"
authelia  | 2022-07-28T23:45:05.872847757Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_duo_api_secret_key into key 'duo_api.secret_key': open /run/secrets/authelia_duo_api_secret_key: permission denied"
authelia  | 2022-07-28T23:45:05.872850957Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_storage_encryption_key into key 'storage.encryption_key': open /run/secrets/authelia_storage_encryption_key: permission denied"
authelia  | 2022-07-28T23:45:05.872853157Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_notifier_smtp_password into key 'notifier.smtp.password': open /run/secrets/authelia_notifier_smtp_password: permission denied"
authelia  | 2022-07-28T23:45:05.872855307Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: option 'jwt_secret' is required"
authelia  | 2022-07-28T23:45:05.872857277Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: duo_api: option 'secret_key' is required when duo is enabled but it is missing"
authelia  | 2022-07-28T23:45:05.872859417Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: storage: option 'encryption_key' is required"
authelia  | 2022-07-28T23:45:05.872861397Z time="2022-07-28T21:15:05-02:30" level=fatal msg="Can't continue due to the errors loading the configuration"

I'm sure I'm missing something simple here. Does everything have to run as root to access secrets? Does that mean changing all the docker directories in my home folder to root just to hide credentials? I'm a bit confused by this; any help would be appreciated.

    Tags: docker docker-compose permissions
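A pre-flight check for the situation described in the question, added here as an example (not the asker's code and not part of Authelia or Compose). A compose `file:` secret is bind-mounted into the container at /run/secrets/<name>, and a bind mount carries the host file's owner, group and mode unchanged, so a root-owned 0600 file is unreadable by a service started with `user: "1100:1100"`; that is exactly the `open ...: permission denied` in the log above. The script below evaluates, for each file in the secrets directory, whether a process running as the given uid:gid could read it, and prints the least-privilege fix (hand the file to the service uid and keep it 0400) instead of running the service as root. It assumes a Linux host with GNU coreutils `stat`; the directory path and the 1100:1100 user are taken from the question.

```shell
#!/usr/bin/env bash
# Added example: check whether compose "file:" secrets are readable by the
# uid:gid the service runs as. Assumes GNU coreutils stat (Linux).

# Return 0 if a process with uid:gid could read FILE, 1 if not, 2 on error.
# Mirrors the kernel's DAC rule: root always passes; otherwise the owner,
# group or "other" permission class applies, in that order.
secret_readable_by() {
  file=$1; uid=$2; gid=$3
  owner=$(stat -c '%u' "$file" 2>/dev/null) || return 2
  group=$(stat -c '%g' "$file")
  mode=$(stat -c '%a' "$file")
  # Keep the last three octal digits (drops setuid/setgid/sticky bits).
  perm=$(printf '%03d' "$mode")
  perm=${perm#"${perm%???}"}
  o=${perm%??}; g=${perm#?}; g=${g%?}; w=${perm#??}
  if [ "$uid" -eq 0 ]; then return 0; fi
  if [ "$uid" -eq "$owner" ]; then bits=$o
  elif [ "$gid" -eq "$group" ]; then bits=$g
  else bits=$w; fi
  [ $(( bits & 4 )) -ne 0 ]          # read permission is bit value 4
}

# Check every regular file in DIR against the container user. Returns 0 when
# all secrets are readable, 1 when at least one would fail with EACCES.
check_secrets_dir() {
  dir=$1; cuid=$2; cgid=$3; rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if secret_readable_by "$f" "$cuid" "$cgid"; then
      printf 'OK      %s (mode %s, owner %s)\n' \
        "$f" "$(stat -c '%a' "$f")" "$(stat -c '%u:%g' "$f")"
    else
      # Least-privilege fix: owned by the service uid, readable only by it.
      printf 'DENIED  %s (mode %s, owner %s) -> fix: chown %s:%s "%s" && chmod 0400 "%s"\n' \
        "$f" "$(stat -c '%a' "$f")" "$(stat -c '%u:%g' "$f")" \
        "$cuid" "$cgid" "$f" "$f"
      rc=1
    fi
  done
  return $rc
}

# Usage against the layout from the question (DOCKERSECRETS from the .env file,
# 1100:1100 from the compose "user:" line):
#   check_secrets_dir "${DOCKERSECRETS:-$HOME/docker/secrets}" 1100 1100
```

The two chown/chmod commands it suggests keep the secret hidden from every other account on the host (0400 grants nothing to group or other) while letting the non-root Authelia process read it, so neither the compose project directory nor the container needs to become root. Directory permissions on the host side do not enter into it: the Docker daemon performs the mount as root, and the container only ever opens the mounted file.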


    Answer 1:

    I had similar permission errors, which I was able to get rid of by using docker volumes. I based my setup on the example here

    Discussion:
