
Failed writing file permission denied

Open ericcancil opened this issue 7 years ago • 11 comments

When trying to parse a consul template within a docker container I am getting the following error. I searched through the backlog of issues and couldn't find a solution. I assume it is trying to write a temp file - hence the 865492878

I'm passing the following in as template

--template /config/config.ctmpl:/config/config.json

And getting the following error

2018/05/04 16:15:26.143342 [ERR] (cli) error rendering "/config/config.ctmpl" => "/config/config.json": failed writing file: open /config/865492878: permission denied

Any help would be greatly appreciated

May 04 '18 16:05 ericcancil

I'm also getting this in production. Did you solve it? On my machine everything works fine.

I tried running docker-compose as root, nothing happened.

May 13 '18 20:05 lucaswxp

Solved by chmod 777 the volume dir and running as root.

May 13 '18 22:05 lucaswxp

I'm running C-T specifically per service-account which needs token renewal. So for instance when I use Nginx on one VM, I have Ansible deploying Nginx with a service-account named Nginx and have C-T install with the same user. After that I make a sudoer file with the service reload or restart command to let the service account at least do that. If correctly done (YMMV) you should have the same perms as the app with the .json file.

May 14 '18 09:05 Pixelshifter

@Pixelshifter I don't understand what you mean

May 14 '18 19:05 lucaswxp

Never mind, as you describe using Docker. My example was based on using a normal VM with multiple user accounts serving different apps. For each app I have a separate C-T process which runs under the same user account as that app. This gives me the advantage of not having to run stuff as root and to chmod 777 everything. The Consul-Template process inherits all the permissions that my app already has.

May 15 '18 07:05 Pixelshifter

Hey @ericcancil, thanks for using consul-template and taking the time to report this issue.

That is definitely a temp file, it is used to make the write atomic by writing completely to the temp file first then swapping it out with the live file. Doing this should make it impossible for an error part way through writing to leave a half-written destination file.

The temp file is written to the same directory as the target file, so in general the consul-template process should have write permissions to that directory as they are needed to write the destination file itself. The temp file needs to be written to the same directory to help make sure it is on the same filesystem, as the rename used to overwrite the old config file is generally only atomic if they are on the same filesystem.

TLDR; the consul-template process needs write permission to the directory containing the destination file.

I'm going to mark this as a documentation issue as I don't see this mentioned anywhere in the docs. Thanks.

Jun 14 '19 00:06 eikenb
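
The write-to-temp-then-rename pattern described in the comment above, as an added Go example that is not consul-template's own code; the function name `atomicWrite`, the `0o640` mode and the sample paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// atomicWrite replaces dest with data by writing a temp file in dest's own
// directory and renaming it over dest. The directory, not just the file,
// must therefore be writable by the calling user.
func atomicWrite(dest string, data []byte, perm os.FileMode) error {
	dir := filepath.Dir(dest)
	tmp, err := os.CreateTemp(dir, "") // random numeric name, e.g. /config/865492878
	if err != nil {
		return fmt.Errorf("failed writing file: %w", err)
	}
	defer os.Remove(tmp.Name()) // cleans up on error; harmless after a successful rename
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Sync(); err != nil { // flush contents before the swap
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	if err := os.Chmod(tmp.Name(), perm); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), dest) // atomic only within one filesystem
}

func main() {
	dir, _ := os.MkdirTemp("", "ct-demo") // constructed sample directory
	defer os.RemoveAll(dir)
	dest := filepath.Join(dir, "config.json")
	fmt.Println("writable dir:", atomicWrite(dest, []byte(`{"v":1}`), 0o640))

	os.Chmod(dir, 0o555) // directory read-only; config.json itself unchanged
	defer os.Chmod(dir, 0o755)
	// As a non-root user this fails with "permission denied" on the temp file.
	fmt.Println("read-only dir:", atomicWrite(dest, []byte(`{"v":2}`), 0o640))
}
```

Run as a non-root user, the second call returns a permission-denied error naming a temp file in the destination directory while `config.json` keeps its old contents; root bypasses the directory permission check, so the call succeeds there.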

Would it be possible to change the temp file directory to something else? I have a setup where only certain files are writeable (by design) and I'd rather have temp files be written to /tmp (or some other temporary directory) instead of where the destination is.

For the consul-template maintainers, is that something y'all would take a PR for?

Jul 02 '24 06:07 josegonzalez

Digging into it, it looks like this is the problem.

The code essentially creates the parent folder of the destination if necessary, and then creates a temp file there. The first of those is fine to perform IMO - if you're on a restrictive FS, you can at least ensure the destination parent directories exist - but I think we should somehow provide the option of specifying a different path for temporary files.

I do understand the reasoning behind placing the file in the same folder to ensure the write is atomic, but that's not even a guarantee for this project - the docblock points out that atomic writes on Windows don't work.

Jul 02 '24 07:07 josegonzalez

I got the same error and fixed it like this.

First of all I am using Ubuntu 24.04 LTS and Docker 24.0.5

I thought this problem would happen because I installed docker desktop, so I deleted docker desktop and installed only docker engine and my problem was fixed.

  1. Remove docker-desktop
  2. Install only docker engine

Jul 31 '24 12:07 mecitsemerci

For anyone coming up against this issue, my workaround was to write the file to stdout and then redirect the output to files where I have write permission. No temporary files necessary in that case.

Jul 31 '24 13:07 josegonzalez