CHP Docker - permission denied on ssl cert key with properly configured permissions
ap-tfs opened this issue · 2 comments
Bug description
CHP run from Docker image cannot read certificate key with proper permissions.
Expected behaviour
The certificate key is properly read and proxy runs.
Actual behaviour
The proxy startup fails with permission denied on the cert key.
How to reproduce
Have ssl cert keys saved in /etc/ssl/private with proper permissions
/etc/ssl:ro is passed into the CHP container
Full path to a certificate key located in /etc/ssl/private is passed via --ssl-key
The key and containing dir have properly set permissions to 600
Try to run CHP as standalone container
Observe permission error in logs
Cert key is read fine when CHP is run as part of Jupyterhub in one container.
Your personal set up
- OS: Ubuntu 20.04
- Version(s):
  CHP Docker image jupyterhub/configurable-http-proxy:4
  Jupyterhub Docker image jupyterhub/jupyterhub:3.0.0
Full environment
# paste output of `pip freeze` or `conda list` here
Configuration
docker-compose snippet
image: jupyterhub/configurable-http-proxy:4
volumes:
  - /etc/ssl/:/etc/ssl:ro
command: >
  configurable-http-proxy --port 443 --redirect-port 80 --api-port 8001 --metrics-port 9500
  --default-target jhub
  --ssl-cert /etc/ssl/certs/jhub-domain-cert.pem
  --ssl-key /etc/ssl/private/jhub-domain-cert.key
Logs
jhub_proxy | node:internal/fs/utils:347
jhub_proxy | throw err;
jhub_proxy | ^
jhub_proxy |
jhub_proxy | Error: EACCES: permission denied, open '/etc/ssl/private/jhub-domain-cert.key'
jhub_proxy | at Object.openSync (node:fs:594:3)
jhub_proxy | at Object.readFileSync (node:fs:462:35)
jhub_proxy | at Object.<anonymous> (/srv/configurable-http-proxy/bin/configurable-http-proxy:188:26)
jhub_proxy | at Module._compile (node:internal/modules/cjs/loader:1126:14)
jhub_proxy | at Object.Module._extensions..js (node:internal/modules/cjs/loader:1180:10)
jhub_proxy | at Module.load (node:internal/modules/cjs/loader:1004:32)
jhub_proxy | at Function.Module._load (node:internal/modules/cjs/loader:839:12)
jhub_proxy | at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
jhub_proxy | at node:internal/main/run_main_module:17:47 {
jhub_proxy | errno: -13,
jhub_proxy | syscall: 'open',
jhub_proxy | code: 'EACCES',
jhub_proxy | path: '/etc/ssl/private/jhub-domain-cert.key'
jhub_proxy | }
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋
Welcome to the Jupyter community! 🎉
The CHP container doesn't run as root by default; it runs as nobody. So mounting something 600 means the CHP process probably can't read it by default. You can set the uid of the process with standard docker methods (`docker run --user ...`) to the user you want it to be so that it can read your files. The UID and fs permissions you choose to achieve this are up to you.
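A way to check the point made in the comment above before starting the container, as an added example that is not part of the issue thread or of the CHP project: walk the key's path and report the first component whose mode bits stop a given uid from reading it. The helper name `first_denial`, the uid 65534 used for `nobody`, and the temporary directory layout are assumptions; only classic owner/group/other bits are modelled (no ACLs, SELinux or AppArmor).

```python
import os

def first_denial(path, uid, gids, base="/"):
    """Return (component, missing_bit) for the first component below `base`
    that blocks `uid`/`gids` from reading `path`, or None if nothing blocks.
    `base` itself is not checked (think of it as the bind-mount root)."""
    if uid == 0:
        return None  # assumption: root in the container keeps CAP_DAC_OVERRIDE
    base = os.path.abspath(base)
    rel = os.path.relpath(os.path.abspath(path), base)
    parts = rel.split(os.sep)
    current = base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        is_last = i == len(parts) - 1
        # Directories on the way need search (x); the key itself needs read (r).
        want = 4 if is_last else 1
        if st.st_uid == uid:
            bits = (st.st_mode >> 6) & 7   # owner class
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7   # group class
        else:
            bits = st.st_mode & 7          # other class
        if not bits & want:
            return (current, "r" if is_last else "x")
    return None

if __name__ == "__main__":
    import tempfile
    # Constructed layout standing in for the /etc/ssl mount from the issue.
    with tempfile.TemporaryDirectory() as base:
        os.chmod(base, 0o755)
        priv = os.path.join(base, "private")
        os.mkdir(priv)
        os.chmod(priv, 0o700)
        key = os.path.join(priv, "jhub-domain-cert.key")
        open(key, "w").close()
        os.chmod(key, 0o600)
        # uid 65534 is the conventional id for nobody (assumed, not from the page).
        print("uid 65534:", first_denial(key, 65534, set(), base))
        print("file owner:", first_denial(key, os.getuid(), {os.getgid()}, base))
```

Run against the host path that will be mounted, with the uid passed to `--user`, it shows whether the directory or the key file is the component that needs its ownership or mode changed.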