[BUG] Docker container fails to write users.acl
On a RHEL 9 host (the commands below assume the working directory is /root, matching the bind-mount sources used later):

```sh
mkdir -p keydb/data
touch keydb/{keydb.conf,users.acl}
chcon -Rt container_file_t keydb

# Create a temporary container instance
podman run \
  --detach \
  --name=keydb \
  --tz=local \
  --publish=6379:6379 \
  --rm \
  eqalpha/keydb

# Copy the default configuration file into the new configuration file
podman exec keydb bash -c "cat /etc/keydb/keydb.conf" >> keydb/keydb.conf

# Stop the temporary instance (--rm removes it) so the name "keydb" is free for the final run
podman stop keydb
```

Uncomment the following line in the configuration file (keydb/keydb.conf):

```
aclfile /etc/keydb/users.acl
```

```sh
# Run the final container instance
podman run \
  --detach \
  --name=keydb \
  --tz=local \
  --mount=type=bind,src=/root/keydb/data,dst=/data \
  --mount=type=bind,src=/root/keydb/keydb.conf,dst=/etc/keydb/keydb.conf \
  --mount=type=bind,src=/root/keydb/users.acl,dst=/etc/keydb/users.acl \
  --publish=6379:6379 \
  --rm \
  eqalpha/keydb
```
With an empty users.acl file the server starts. Now we access the shell with `podman exec -it keydb /usr/local/bin/keydb-cli`:

```
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379> acl save
(error) ERR There was an error trying to save the ACLs. Please check the server logs for more information
```

Checking the logs:

```
# Opening temp ACL file for ACL SAVE: Permission denied
```
I believe the problem is that the directory /etc/keydb/, which is owned by root, does not allow the user keydb to write anything in there. Possible solutions:

1. The default acl file in the default configuration should not be `/etc/keydb/users.acl`
2. The directory `/etc/keydb` should be owned by the user `keydb`

If option 1 is selected, the uid of the keydb user should be crystallized and/or made flexible:

You should consider allowing users to set the keydb user uid to a specific uid using the --user option in podman run (or docker run). This way it would be possible to set the owner directory uid on the container host; at the moment the uid given to the keydb user is inflexible and may collide with the host unix users.

Crystallizing without flexibility is not an optimal solution. However, if there is a simple way to bind a directory and set keydb as the owner of said directory every time a container instance is started, I am not aware of it; please inform me.
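As an added example (not part of the original report or of the KeyDB project), here is a host-side pre-flight check for the condition diagnosed above. It reads the `aclfile` directive from a keydb.conf and tests whether the directory holding that file is writable by a given uid:gid, because ACL SAVE opens a temporary file next to users.acl (the log line above) and then renames it, so the directory's mode bits matter, not the mode of users.acl itself. The function names and the uid/gid arguments are assumptions; run it on the host against the bind-mounted directory, passing the uid the keydb process has as seen from the host (for rootless podman, the uid after user-namespace mapping). SELinux labelling (`chcon ... container_file_t`) is a separate check that this script does not cover.

```bash
#!/usr/bin/env bash
# Added example, not from the original issue: check that the directory
# containing the configured aclfile is writable by the uid:gid the server
# runs as. Only classic mode bits are evaluated (GNU stat, Linux).

# Print the path from the last active "aclfile" directive in a keydb.conf
# (commented-out lines start with "#" in field 1 and are skipped).
acl_path_from_conf() {
  awk '$1 == "aclfile" { path = $2 } END { print path }' "$1"
}

# Return 0 if uid:gid can create files in dir, 1 otherwise.
dir_writable_by() {
  local dir="$1" uid="$2" gid="$3"
  local owner group mode bits
  owner=$(stat -c '%u' "$dir") || return 1
  group=$(stat -c '%g' "$dir")
  mode=$(stat -c '%a' "$dir")
  bits=$(( 8#$mode ))
  # uid 0 bypasses discretionary mode bits (CAP_DAC_OVERRIDE).
  [ "$uid" -eq 0 ] && return 0
  # Creating a file needs write (w) and search (x) on the directory;
  # the owner class wins, then the group class, then others.
  if [ "$uid" -eq "$owner" ]; then
    [ $(( bits & 8#300 )) -eq $(( 8#300 )) ]
  elif [ "$gid" -eq "$group" ]; then
    [ $(( bits & 8#030 )) -eq $(( 8#030 )) ]
  else
    [ $(( bits & 8#003 )) -eq $(( 8#003 )) ]
  fi
}

# Report whether ACL SAVE could write for uid:gid given this config.
# Returns 0 (ok), 1 (directory not writable), 2 (no aclfile configured).
# Usage: check_acl_dir /root/keydb/keydb.conf <uid> <gid>
check_acl_dir() {
  local conf="$1" uid="$2" gid="$3" acl dir
  acl=$(acl_path_from_conf "$conf")
  if [ -z "$acl" ]; then
    echo "no aclfile directive in $conf; ACL SAVE is not possible"
    return 2
  fi
  dir=$(dirname "$acl")
  if dir_writable_by "$dir" "$uid" "$gid"; then
    echo "ok: $dir is writable by $uid:$gid"
    return 0
  fi
  echo "ACL SAVE would fail: $dir is not writable by $uid:$gid" \
       "(owner/mode: $(stat -c '%u:%g %a' "$dir"))"
  return 1
}
```

Note that the path in `aclfile` is the container-side path; when the config is bind-mounted as in the report, pass a copy of keydb.conf whose `aclfile` points at the host-side directory (here /root/keydb), or call `dir_writable_by` directly on that directory.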