
So I'm trying to run my FastAPI Python app in a Docker container. I chose `python:3.9` as a base image and everything seemed to work until I decided to integrate my SSL cert files into the container.

Dockerfile:

```dockerfile
FROM python:3.9

WORKDIR /app

COPY requirements.txt requirements.txt
RUN pip3 install -r requirements.txt

RUN mkdir -p /app/SSL

# VOLUME accepts only a container path; the host directory is supplied
# by the -v option of `docker run`.
VOLUME /app/SSL

COPY . .

CMD [ "uvicorn", "core:app", "--host", "0.0.0.0", "--port", "8000", "--ssl-keyfile", "/app/SSL/privkey.pem", "--ssl-certfile", "/app/SSL/cert.pem" ]

EXPOSE 8000
```

Docker run command:

```
sudo docker run -p 33665:8000 -v /etc/letsencrypt/live/soulforger.net/:/app/SSL --name soulforger_api -d 24aea28ce756
```

Now the problem is that the directory I'm mapping is only accessible as a root user. When I exec into the container, the files are there but I can't `cat /app/SSL/cert.pem`. Since I can cat everything else without a problem, I assume it's some sort of permissions problem when mapping the dir into the container. Does anybody have an idea of what can cause this issue?

Solution: After a lot of digging I found out what the problem is. For anyone who happens upon this post and also uses Let's Encrypt: the files within `/etc/letsencrypt/live/some.domain/` are only links to files in another directory. If you want to mount the SSL certificates of your server into your containers, you have to mount the entire `/etc/letsencrypt/` dir in order to have access to the files referenced by the links. All props go to this answer.

PandSkin
  • Is it an option to make a `COPY` instead of the volume? – vinalti Mar 30 '22 at 11:09
  • That's the problem, this is what I did initially until I realized that my Cert-Files change every so often automatically (I'm using Let's Encrypt) and since I don't want to force downtime every few months when my Cert-Files change I have to reference them directly so that changes are tracked automatically. – PandSkin Mar 30 '22 at 11:12
  • Is your container running as root? Is docker configured to run as rootless? – BMitch Mar 30 '22 at 11:34
  • I attempted using `USER root` in the Dockerfile as per the suggestion of @hazalciplak. Sadly the exact same thing happens. And when it comes to Docker configuration I haven't changed anything, the config for Docker itself is the default config. – PandSkin Mar 30 '22 at 11:47
  • Are you perchance on a native-Linux host with SELinux enabled? [Why does docker container prompt "Permission denied"?](https://stackoverflow.com/questions/35617912/why-does-docker-container-prompt-permission-denied) describes this corner case (if that's it, try adding a `:z` to the end of the `docker run -v` option). – David Maze Mar 30 '22 at 12:20
  • I updated the run command as follows: `sudo docker run -p 33665:8000 -v /etc/letsencrypt/live/soulforger.net/:/app/SSL:z --name soulforger_api -d 768653addae4 sleep 120`, then exec-ed into the container and tried `cat SSL/cert.pem`. The output was: `cat: SSL/cert.pem: No such file or directory`, so no, that wasn't it either :( – PandSkin Mar 30 '22 at 12:30
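
The symlink behaviour described in the solution above, as an added example that is not part of the original post: a host-side check that lists links pointing outside the directory you intend to bind-mount and reports the smallest directory to mount instead. The function names, the `example.test` domain and the demo tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def escaping_links(mount_src):
    """Map each symlink under mount_src to its resolved target when that
    target lies outside mount_src. Such links dangle in a container that
    bind-mounts only mount_src."""
    root = Path(mount_src).resolve()
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()
            if target != root and root not in target.parents:
                found[link] = target
    return found


def mount_root(mount_src):
    """Smallest directory holding mount_src and every symlink target.
    Relative links keep working when this directory is mounted instead;
    absolute links additionally need the same path inside the container."""
    root = Path(mount_src).resolve()
    targets = [str(t) for t in escaping_links(root).values()]
    return Path(os.path.commonpath([str(root)] + targets))


def build_demo_tree(base):
    """Constructed stand-in for a Let's Encrypt layout (placeholder domain)."""
    base = Path(base)
    live = base / "live" / "example.test"
    archive = base / "archive" / "example.test"
    live.mkdir(parents=True)
    archive.mkdir(parents=True)
    for stem in ("cert", "privkey"):
        (archive / f"{stem}1.pem").write_text("constructed sample\n")
        (live / f"{stem}.pem").symlink_to(f"../../archive/example.test/{stem}1.pem")
    return live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live = build_demo_tree(tmp)
        for link, target in escaping_links(live).items():
            print(f"{link.name} -> {target} (outside {live})")
        print("mount this instead:", mount_root(live))
```

Run against the real directory on the host (as a user that can read it), an empty result from `escaping_links` means the directory is safe to mount on its own.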

1 Answer


You can change the user in the Dockerfile. Try adding `USER root` to your Dockerfile. Hopefully it will be helpful.

```dockerfile
FROM python:3.9

USER root

WORKDIR /app

COPY requirements.txt requirements.txt
RUN pip3 install -r requirements.txt

RUN mkdir -p /app/SSL

# VOLUME accepts only a container path; the host directory is supplied
# by the -v option of `docker run`.
VOLUME /app/SSL

COPY . .

CMD [ "uvicorn", "core:app", "--host", "0.0.0.0", "--port", "8000", "--ssl-keyfile", "/app/SSL/privkey.pem", "--ssl-certfile", "/app/SSL/cert.pem" ]

EXPOSE 8000
```

hazalciplak
  • I'll give it a shot, though whenever I exec into the container the bash prompt always starts with `#`, so I assume the default user for Docker containers is root. I'll try it anyways, it might be the magic bullet. – PandSkin Mar 30 '22 at 11:38
  • Sadly it still crashes due to the fact that files "don't exist". The files are there as they were before that but can't be read from within the container. – PandSkin Mar 30 '22 at 11:45