After dump of certificates is there anyway to have script change either owner (chown) and/or mode (chmod)?
kevdogg opened this issue · 4 comments
Perhaps this is more of a request rather than a bug, however it would be great to have option to set owner:group and/or mode.
My usage case is running Collabora docker that inserts the certificates however the certs either need to be owned by the lool:lool user or have 644 permission (both the cert and key).
Thanks for considering this.
Maybe adding a flag to change permissions of the cert and key ?
One for key and one for certs would be optimal.
Currently it wirtes with static permissions at least for v2. Didin't look further into it.
traefik-certs-dumper/dumper/v2/dumper.go
Line 58 in 1e5c66d
traefik-certs-dumper/dumper/v2/dumper.go
Line 76 in 1e5c66d
traefik-certs-dumper/dumper/v2/dumper.go
Line 88 in 1e5c66d
I was able to change the permissions via the "--post-hook" option:
traefik-certs-dumper file --watch --version v2 --source /data/acme.json --dest /shared/certs --post-hook "chown -R $PUID:$PGID /shared/certs"
is it possible to go even further and execute a script with --post-hook? every time I try to execute a bash script it stops parsing when it encounters a firs space in the command. For example my script file (named posthook.sh) is:
chown -R $PUID:$PGID /shared/certs && scp /shared/certs/* root@192.168.0.1:/mnt/data/
it always fails at scp. Also I did add scp to the container by modifying entrypoint: from apk add jq to apk add jq openssh-client.
edit: the scp command by itself works flawlessly when executed inside the container (I have known_hosts and keys mapped inside the container)
If someone comes across this and doesn't want --watch
, but still wants to chown
things before they get out, I used this workaround:
tmpfile=$(mktemp)
cat <<EOF >$tmpfile
chown -R $UID:$(id -g) /shared/certs
kill 1
EOF
docker run --rm \
-v $tmpfile:/tmp/chownme \
ldez/traefik-certs-dumper file \
--source /data/acme.json \
--dest /shared/certs \
--watch --post-hook "sh /tmp/chownme"
rm $tmpfile
(Of course, you'd need additional -v
s to mount the data you are working with for your own cases)
The reason for the heredoc'd script is that passing in --post-hook "sh -c 'chown -R $UID:$(id -g) /shared/certs && kill 1'"
appears to drop the final '
, not allowing the command to run, and it also seems like you can't run multiple commands outside of a sh
.
The kill 1
is to kill the root process (the cert dumper) after --watch
successfully triggers the --post-hook
, since watch mode is required for the --post-hook
to run. That means that this container runs, and exits after it does its thing!
I'd also love an option to set the ownership of files generated after running this--but until then, I hope this workaround is useful to someone else~