Extra groups with docker #2920

Open
wz2b opened this issue Oct 12, 2023 · 0 comments
wz2b commented Oct 12, 2023

I use multi-group membership to grant access to SSL certificates and keys so I don't have to have multiple copies of these files floating throughout the system. In mosquitto, I use the user configuration option to make this work. My password file includes

mosquitto:x:115:120::/var/lib/mosquitto:/usr/sbin/nologin

the primary group being 120 which is here:

mosquitto:x:120:mosquitto
ssl-cert:x:122:influxdb,mosquitto,postgres

Note that there is a second group named ssl-cert and mosquitto (and some other stuff) has access to that. The reason for that is to grant them access to the private key to unlock the certificate.

This works great, I think because of this code:

if(initgroups(config->user, pwd->pw_gid) == -1){

This breaks when I run mosquitto from docker and I'm not quite sure why. When I run mosquitto I make sure the container has the same password and group file by mapping them to the host:

docker run \
        -d \
        --name mosquitto \
        --restart unless-stopped \
        --user $(id -u mosquitto):122 \
        --volume /etc/mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf \
        --volume /etc/mosquitto:/etc/mosquitto \
        --volume /etc/passwd:/etc/passwd,ro \
        --volume /etc/group:/etc/group,ro \
        --volume /etc/ssl:/etc/ssl,ro \
        --volume /var/log/mosquitto:/var/log/mosquitto \
        --publish target=8883,published=8883 \
        eclipse-mosquitto

When the server runs, the primary group is correct. An easy way to confirm that is to delete the log file and let it recreate it. It does so, with the correct user and group id. But mosquitto running inside the container gets permission denied trying to access /etc/ssl/private/whatever.key even though that directory and that file have g+x and g+r permission respectively.

Maybe this is more of a docker question than a mosquitto question but this technique I have outlined seems to work fine for influxdb, grafana, and postgres - but not mosquitto. Does anybody have any thoughts as to why?
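
The difference the issue runs into is that initgroups() on the host gives the process every group that lists the user in /etc/group, while docker's --user only sets a uid and one primary gid; supplementary groups have to be passed explicitly with --group-add. The script below is an added example (not part of the issue or of mosquitto): it computes the group set initgroups() would assign from constructed passwd/group lines copied from the report, and emits the matching --user/--group-add flags. Assumed names: PASSWD_SAMPLE, GROUP_SAMPLE and the helper functions are all hypothetical.

```shell
#!/bin/sh
# Constructed passwd/group content modelled on the lines in the issue (not real system files).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
mosquitto:x:115:120::/var/lib/mosquitto:/usr/sbin/nologin
influxdb:x:116:121::/var/lib/influxdb:/usr/sbin/nologin'
GROUP_SAMPLE='mosquitto:x:120:mosquitto
influxdb:x:121:
ssl-cert:x:122:influxdb,mosquitto,postgres
adm:x:4:syslog'

# Print "uid gid" for a user from passwd content, i.e. what setuid()/setgid() would use.
user_ids() {  # $1=user $2=passwd content
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1==u {print $3, $4; exit}'
}

# Print the supplementary GIDs initgroups() would add: every group whose member
# list names the user, minus the primary gid (initgroups adds that one itself).
supp_gids() {  # $1=user $2=primary gid $3=group content
    printf '%s\n' "$3" | awk -F: -v u="$1" -v pg="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u && $3 != pg) { print $3; break }
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Build docker run flags reproducing that identity: --user carries only uid and
# primary gid, so each supplementary group needs its own --group-add.
docker_identity_flags() {  # $1=user $2=passwd content $3=group content
    ids=$(user_ids "$1" "$2")
    [ -n "$ids" ] || return 1          # unknown user: nothing sensible to emit
    uid=${ids% *}; gid=${ids#* }
    flags="--user $uid:$gid"
    for g in $(supp_gids "$1" "$gid" "$3"); do
        flags="$flags --group-add $g"
    done
    printf '%s\n' "$flags"
}

# Runtime check usable inside the container: is gid $1 in this process's group set?
process_has_gid() {
    for g in $(id -G); do [ "$g" = "$1" ] && return 0; done
    return 1
}

docker_identity_flags mosquitto "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

Running `id -G` (or `process_has_gid 122`) inside the container shows directly whether the key's group is present before blaming file modes.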
