LLDAP•12mo ago
STYT


Hi all, after upgrading to latest image today I cannot read Docker Secrets any longer. It worked prior since I started using lldap.
27 Replies
nitnelave•12mo ago
@xaverius666 is latest by any chance a -rootless image, accidentally? @STYT can you check the contents of the /docker-entrypoint.sh file in the container? Does it contain gosu or not?
nitnelave•12mo ago
GitHub: lldap/docker-entrypoint.sh at main · lldap/lldap
GitHub: lldap/docker-entrypoint-rootless.sh at main · lldap/lldap
Unknown User•12mo ago
Message Not Public
STYT (OP)•12mo ago
I believe latest is rootless, as this was what I had when upgrading. I changed to latest-alpine and then it works. But I am up to running rootless, so I am a bit clueless what I am missing to get that to work. Checking at Docker Hub, the latest tag seems to be the same as the rootless tag.
nitnelave•12mo ago
To confirm, can you check that the docker-entrypoint.sh is the -rootless one from the repository? (see my links above)
STYT (OP)•12mo ago
Sure. Let me rebuild the image again.
nitnelave•12mo ago
You shouldn't have to rebuild. I think you can docker exec <your_container> cat /docker-entrypoint.sh
STYT (OP)•12mo ago
Got it, but I went back to a working build a bit too quickly maybe, when not able to resolve the error.
STYT (OP)•12mo ago
Meanwhile, looked at Docker Hub.
Unknown User•12mo ago
Message Not Public
STYT (OP)•12mo ago
I believe so, yes.
nitnelave•12mo ago
Yeah, I can confirm that latest is rootless. @xaverius666 can you have a look? 🙂 @STYT if you want to switch to rootless, I think you just need a user: ${UID}:${GID} in your docker-compose service.
Unknown User•12mo ago
Message Not Public
STYT (OP)•12mo ago
I had that actually, but it didn't work.
Unknown User•12mo ago
Message Not Public
STYT (OP)•12mo ago
There is no latest-rootless tag as in the announcement from @nitnelave.
Unknown User•12mo ago
Message Not Public
nitnelave•12mo ago
I think that's the issue: we didn't push a latest-rootless but instead pushed latest twice
STYT (OP)•12mo ago
My bad... I have only variables for UID and GID since earlier. Maybe I'm missing something here.
nitnelave•12mo ago
Just checking, did you put the UID and GID that you already have in the env variables, or did you just paste the ${UID}:${GID}? Maybe you need to copy/paste the values.
STYT (OP)•12mo ago
I believe I might need to read up a bit on Docker rootless... I thought I could move container by container, but it seems to be the whole daemon, right? Currently running lldap on a Synology NAS Docker, so not a native Debian machine atm.
nitnelave•12mo ago
No, it's not the whole daemon: root/rootless refers to the user inside the container, so I think you can have root inside the container even if your daemon is not root, and vice versa: of course, if your daemon is root you can have non-root in the container. So far, you were starting the lldap container with the root user (inside the container); it was only downgrading to the provided user after starting. With rootless, it directly starts as the provided user.
STYT (OP)•12mo ago
OK, sounds more like what I was aiming for: start with removing root from containers where possible. OK, that explains why it stops immediately with rootless, not able to fetch the secrets, and just ends up in a loop. Do you know if secrets should be possible, or are they locked to root when the daemon is running as root?
nitnelave•12mo ago
Stack Overflow: docker secrets with non root user
I have a docker container run with a non root user for better security, but it seems it can't access the secrets I'm sharing with it: Importing account from "/run/secrets/authority.priv.json" fail...
nitnelave•12mo ago
Ah, here's a more detailed example with the full secrets API: https://forums.docker.com/t/unable-set-docker-secret-file-ownership-permissions/31336/2
Docker Community Forums: Unable set docker secret file ownership, permissions
This needs to be done during service deployment or in the stack file. See the long syntax of docker compose secret reference: https://docs.docker.com/compose/compose-file/#long-syntax-1 version: "3.1" services: redis: image: redis:latest deploy: replicas: 1 secrets: - source: my_secret target: redis_secret ...
Unknown User•12mo ago
Message Not Public
STYT (OP)•12mo ago
Thank you for the links and help. I will try this out later to see if I can move to rootless.