-bash: line 1: /etc/passbolt/gpg/serverkey_private.asc: Permission denied
Using Environment:
Kubernetes
Logs below:
```
wait-for.sh: waiting for mariadb:3306 without a timeout
wait-for.sh: mariadb:3306 is available after 0 seconds
==================================================================================
Your entropy pool is low. This situation could lead GnuPG to not
be able to create the gpg serverkey so the container start process will hang
until enough entropy is obtained.
Please consider installing rng-tools and/or virtio-rng on your host as the
preferred method to generate random numbers using a TRNG.
If rngd (rng-tools) does not provide enough or fast enough randomness you could
consider installing haveged as a helper to speed up this process.
Using haveged as a replacement for rngd is not recommended. You can read more
about this topic here: https://lwn.net/Articles/525459/
==================================================================================
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key 68236480A2A41FA2 marked as ultimately trusted
gpg: directory '/var/lib/passbolt/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/var/lib/passbolt/.gnupg/openpgp-revocs.d/1A7A0E98BCA018B7B872E15C68236480A2A41FA2.rev'
-bash: line 1: /etc/passbolt/gpg/serverkey_private.asc: Permission denied
```
Not sure what it is asking for. Any help is appreciated.
Hi,
The entropy pool message is just a warning for old kernels before 5.15; it is a message to point users to documentation to understand why the automatic generation of the gpg server key might be slow.
The error you face means you don't have permission to write the serverkey_private.asc apparently.
Without more information on your deployment, we can't assess if this qualifies as a bug.
How are you deploying to Kubernetes?
Manifest below @dlen
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  generation: 1
  labels:
    app: passbolt
    app.kubernetes.io/instance: passbolt
  name: passbolt
  namespace: passbolt
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: passbolt
      tier: frontend
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: passbolt
        tier: frontend
    spec:
      containers:
        - command:
            - /usr/bin/wait-for.sh
            - '-t'
            - '0'
            - 'mariadb:3306'
            - '--'
            - /docker-entrypoint.sh
          env:
            - name: APP_FULL_BASE_URL
              valueFrom:
                configMapKeyRef:
                  key: APP_FULL_BASE_URL
                  name: passbolt-configmap
                  optional: false
            - name: DATASOURCES_DEFAULT_USERNAME
              valueFrom:
                secretKeyRef:
                  key: MYSQL_USER
                  name: passbolt-secret
                  optional: false
            - name: DATASOURCES_DEFAULT_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: MYSQL_PASSWORD
                  name: passbolt-secret
                  optional: false
            - name: DATASOURCES_DEFAULT_DATABASE
              valueFrom:
                configMapKeyRef:
                  key: DB_NAME
                  name: passbolt-configmap
                  optional: false
            - name: DATASOURCES_DEFAULT_HOST
              valueFrom:
                configMapKeyRef:
                  key: DB_HOST
                  name: passbolt-configmap
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_HOST
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_HOST
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_PORT
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_PORT
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_USERNAME
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_USERNAME
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_PASSWORD
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_TRANSPORT_DEFAULT_TLS
              valueFrom:
                secretKeyRef:
                  key: EMAIL_TRANSPORT_DEFAULT_TLS
                  name: passbolt-secret
                  optional: false
            - name: EMAIL_DEFAULT_FROM
              valueFrom:
                secretKeyRef:
                  key: EMAIL_DEFAULT_FROM
                  name: passbolt-secret
                  optional: false
          image: 'passbolt/passbolt:latest-ce'
          imagePullPolicy: IfNotPresent
          name: passbolt
          ports:
            - containerPort: 80
              name: passbolt
              protocol: TCP
          resources:
            limits:
              cpu: '1'
              memory: 1Gi
            requests:
              cpu: 500m
              memory: 512Mi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/passbolt/gpg
              name: passbolt-gpg-persistent-storage
            - mountPath: /etc/passbolt/jwt
              name: passbolt-jwt-persistent-storage
      dnsPolicy: ClusterFirst
      nodeSelector:
        beta.kubernetes.io/arch: amd64
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      volumes:
        - name: passbolt-gpg-persistent-storage
          persistentVolumeClaim:
            claimName: passbolt-gpg
        - name: passbolt-jwt-persistent-storage
          persistentVolumeClaim:
            claimName: passbolt-jwt
```
Hi again!
This one is easy I think! Volumes in Kubernetes are mounted as root:root, so you need to provide permissions to www-data on your volume passbolt-gpg-persistent-storage.
There are many strategies to do this. You could use an init container or you could overwrite the entrypoint to make a chown before the container starts. Basically you need to chown the /etc/passbolt/gpg that is mounted as root by default. The permissions come from the volume passbolt-gpg-persistent-storage.
If you need more assistance on this I suggest you open an issue on our community forum https://community.passbolt.com
Hope it helps!
Thanks @dlen for the speedy response. Working like a charm with an init container. Sharing below if anyone ever faces the same issue.
```yaml
initContainers:
  - name: gpg-folder-permissions
    image: busybox
    command: ["sh", "-c", "chmod -R 777 /etc/passbolt/gpg"]
    volumeMounts:
      - name: passbolt-gpg-persistent-storage
        mountPath: /etc/passbolt/gpg
```
If this works, it is what @dlen was indicating:
```yaml
command: ["sh", "-c", "chown -R www-data:www-data /etc/passbolt/gpg"]
```
@garrettboone unfortunately that didn't work for me. I was getting a CrashLoopBackOff, maybe because there was no www-data user or group in that image. I knew giving 777 was not a good idea, especially for a password manager, but I couldn't handle that better.
@emon5122 maybe use nginx?
Yes @garrettboone, perfect.
```yaml
initContainers:
  - name: gpg-folder-permissions
    image: nginx
    # absolute path to the shell; the original "bin/sh" only resolved because the image's workdir is /
    command: ["/bin/sh"]
    args: ["-c", "chown -R www-data:www-data /etc/passbolt/gpg"]
    volumeMounts:
      - name: passbolt-gpg-persistent-storage
        mountPath: /etc/passbolt/gpg
```
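A more restrictive variant of the init container approach, added here as an example that is not from the thread or the Passbolt project: it uses the numeric uid/gid so it works in images without a www-data user (the cause of the CrashLoopBackOff above), keeps the key directory owner-only instead of world-writable, and shows the `securityContext.fsGroup` alternative that needs no init container at all. It assumes www-data is uid/gid 33 inside the passbolt/passbolt image, as in Debian-based images; the rest of the Deployment stays as posted.

```yaml
# Added example, not from the thread or the Passbolt project.
# Assumption: www-data is uid/gid 33 in the passbolt/passbolt image (Debian default).
spec:
  template:
    spec:
      # Option A: have the kubelet set group ownership on the PVC at mount time.
      # fsGroup only applies to volume types that support ownership management
      # (most PVC-backed volumes); files created later inherit the group.
      securityContext:
        fsGroup: 33
      # Option B: an init container that hands the directory to www-data.
      # Numeric ids avoid depending on a www-data account in the helper image,
      # and 700/600 keeps serverkey_private.asc readable by the owner only.
      initContainers:
        - name: gpg-folder-permissions
          image: busybox
          command: ["sh", "-c"]
          args:
            - |
              set -e
              chown -R 33:33 /etc/passbolt/gpg
              chmod 700 /etc/passbolt/gpg
              # existing key material (if any) becomes owner-readable only
              find /etc/passbolt/gpg -type f -exec chmod 600 {} +
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: passbolt-gpg-persistent-storage
              mountPath: /etc/passbolt/gpg
```

Either option alone is enough; with Option A, check the kubelet's storage driver honours fsGroup for the PVC before dropping the init container.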