Certificate permissions with Docker

jeffcook · May 17, 2019, 11:02pm

What am I missing with permissions for the certificate when using Docker?

The issue is " FATAL Error: EACCES: permission denied, open ‘/usr/share/kibana/config/server.pem’"

Because Kibana runs as user 1000 in the container I can’t just a volume mount/binding for the certificate files, without either giving all users read access to the key or creating a matching uid with root access on the host.

I looked at using Docker secrets, but without a swarm I can’t change the mode of the file.

I could build the cert files into the image, but that doesn’t seem very 12 factor.

Thanks

jeffcook · May 18, 2019, 12:39am

For clarification, I’m trying to use the host cert/key stored in /etc/pki/tls/…

This is a site requirement that I have the host cert for all applications.

I see that both elasticsearch and kibana are running as user ID 1000.
uid=1000(elasticsearch) gid=1000(elasticsearch) groups=1000(elasticsearch),0(root)
uid=1000(kibana) gid=1000(kibana) groups=1000(kibana)

I thought 0:1000 mode 0640 would work. As it keeps root on the host with access, and gives the Docker apps read access.

Kibana works, but elasticsearch says it can’t read it.

Topic		Replies	Views
Kibana cannot reach elasticsearch Security	2	679	February 25, 2021
SSL Woes with OpenDistro on Docker Security	6	1008	May 31, 2021
Kibana startup failure after configuring SSL/TLS Security	2	2265	July 4, 2020
Unable to configure Kibana Security	2	1988	February 18, 2021
Securityadmin.sh fails to update cluster config when using kirk certificates Security	3	5970	October 17, 2019

Certificate permissions with Docker

Related Topics