[Posted]: 2022-08-22 22:26:36
[Question]:
I've started deploying a simple docker-compose setup with swag and authelia on a new system. Previously I just put my "secrets" in the .env file or directly in the authelia configuration file, but here I'm trying to follow some best practices and properly hide the secrets using docker secrets. However, when I start my containers, authelia complains that permission is denied when it tries to access them.
In the various guides I've looked at, nothing mentions permissions other than for the secrets directory/files, which are root-owned with 600 permissions.
My docker directory is in ~/docker, and the secrets are in ~/docker/secrets. The secrets directory is root-owned with 600 permissions. My docker directory is owned by uid 1100:1100, and in my docker compose I have the following docker-compose (lightly edited for the public):
```yaml
version: "3.9"

secrets:
  authelia_duo_api_secret_key:
    file: $DOCKERSECRETS/authelia_duo_api_secret_key
  authelia_jwt_secret:
    file: $DOCKERSECRETS/authelia_jwt_secret
  authelia_notifier_smtp_password:
    file: $DOCKERSECRETS/authelia_notifier_smtp_password
  authelia_session_secret:
    file: $DOCKERSECRETS/authelia_session_secret
  authelia_storage_encryption_key:
    file: $DOCKERSECRETS/authelia_storage_encryption_key

x-environment: &default-env
  TZ: $TZ
  PUID: $PUID
  PGID: $PGID

services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      <<: *default-env
      URL: $DOMAINNAME
      SUBDOMAINS: wildcard
      VALIDATION: dns
      CERTPROVIDER: zerossl #optional
      DNSPLUGIN: cloudflare #optional
      EMAIL: <edit>
      DOCKER_MODS: linuxserver/mods:swag-dashboard
    volumes:
      - $DOCKERDIR/appdata/swag:/config
    ports:
      - 443:443
    restart: unless-stopped

  authelia:
    image: ghcr.io/authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    volumes:
      - $DOCKERDIR/appdata/authelia:/config
    user: "1100:1100"
    secrets:
      - authelia_jwt_secret
      - authelia_session_secret
      - authelia_notifier_smtp_password
      - authelia_duo_api_secret_key
      - authelia_storage_encryption_key
    environment:
      AUTHELIA_JWT_SECRET_FILE: /run/secrets/authelia_jwt_secret
      AUTHELIA_SESSION_SECRET_FILE: /run/secrets/authelia_session_secret
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /run/secrets/authelia_notifier_smtp_password
      AUTHELIA_DUO_API_SECRET_KEY_FILE: /run/secrets/authelia_duo_api_secret_key
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/authelia_storage_encryption_key
```
The errors I get in the logs are:
```
authelia | 2022-07-28T23:45:05.872818847Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_session_secret into key 'session.secret': open /run/secrets/authelia_session_secret: permission denied"
authelia | 2022-07-28T23:45:05.872844527Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_jwt_secret into key 'jwt_secret': open /run/secrets/authelia_jwt_secret: permission denied"
authelia | 2022-07-28T23:45:05.872847757Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_duo_api_secret_key into key 'duo_api.secret_key': open /run/secrets/authelia_duo_api_secret_key: permission denied"
authelia | 2022-07-28T23:45:05.872850957Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_storage_encryption_key into key 'storage.encryption_key': open /run/secrets/authelia_storage_encryption_key: permission denied"
authelia | 2022-07-28T23:45:05.872853157Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: secrets: error loading secret path /run/secrets/authelia_notifier_smtp_password into key 'notifier.smtp.password': open /run/secrets/authelia_notifier_smtp_password: permission denied"
authelia | 2022-07-28T23:45:05.872855307Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: option 'jwt_secret' is required"
authelia | 2022-07-28T23:45:05.872857277Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: duo_api: option 'secret_key' is required when duo is enabled but it is missing"
authelia | 2022-07-28T23:45:05.872859417Z time="2022-07-28T21:15:05-02:30" level=error msg="Configuration: storage: option 'encryption_key' is required"
authelia | 2022-07-28T23:45:05.872861397Z time="2022-07-28T21:15:05-02:30" level=fatal msg="Can't continue due to the errors loading the configuration"
```
I'm sure I'm missing something simple here. Does everything have to run as root to access the secrets? Does that mean changing all the docker directories in my home folder to root just to hide credentials? I'm a bit confused about this, and any help would be appreciated.
Tags: docker docker-compose permissions
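A host-side check for the failure shown in this post, as an added example that is not part of the original question: given the secrets directory and the uid:gid from the service's `user:` line, it reports which secret files that user can actually read, using the fact that a non-Swarm Compose deployment bind-mounts each `file:` secret with its host ownership and mode. It assumes Linux with GNU stat; the file names and contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Without Swarm, `docker compose`
# bind-mounts each `file:` secret into /run/secrets/<name>, so the host file's
# owner and mode decide who can read it inside the container: a root-owned
# 600 file is unreadable by a service running as user 1100, exactly the
# "permission denied" seen in the logs above.

# readable_by FILE UID GID -> prints "yes" or "no" (plain DAC rules, GNU stat)
readable_by() {
    uid=$2; gid=$3
    set -- $(stat -c '%u %g %a' "$1")       # owner uid, group gid, octal mode
    owner=$1; group=$2; mode=$3
    case $mode in ????*) mode=${mode#"${mode%???}"};; esac   # drop suid/sgid/sticky digit
    while [ "${mode#0}" != "$mode" ]; do mode=${mode#0}; done # avoid octal parsing
    [ -n "$mode" ] || mode=0
    u=$((mode / 100 % 10)); g=$((mode / 10 % 10)); o=$((mode % 10))
    if   [ "$uid" -eq 0 ];        then bits=4    # root (CAP_DAC_OVERRIDE) reads anything
    elif [ "$uid" -eq "$owner" ]; then bits=$u
    elif [ "$gid" -eq "$group" ]; then bits=$g
    else                               bits=$o
    fi
    if [ $((bits & 4)) -ne 0 ]; then echo yes; else echo no; fi
}

# audit_secrets DIR UID GID -> one line per file; returns 1 if any file is unreadable
audit_secrets() {
    dir=$1; uid=$2; gid=$3; bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        r=$(readable_by "$f" "$uid" "$gid")
        printf '%-12s %s  readable by %s:%s -> %s\n' \
            "$(stat -c '%U:%G %a' "$f")" "$f" "$uid" "$gid" "$r"
        [ "$r" = yes ] || bad=1
    done
    return $bad
}

# Demo on constructed files in a temp dir (no root needed): the files belong to
# the current user, so uid 1100 falls into the "other" class unless that is you.
demo() {
    d=$(mktemp -d)
    printf 'constructed-secret\n' > "$d/authelia_jwt_secret";     chmod 600 "$d/authelia_jwt_secret"
    printf 'constructed-secret\n' > "$d/authelia_session_secret"; chmod 444 "$d/authelia_session_secret"
    audit_secrets "$d" 1100 1100 ||
        echo "fix: chown the secret files to the service uid:gid and set mode 400"
    rm -rf "$d"
}

demo
```

Run it as `sh check_secrets.sh` on the host; point `audit_secrets` at your real `$DOCKERSECRETS` directory and the uid:gid from `user:` to see the same verdict the container will get.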