
[Bug]: Docker step ca init "open /home/step/secrets/intermediate_ca_key: permission denied" #978

Closed
spyesx opened this issue Jul 15, 2022 · 4 comments
Labels
bug needs triage Waiting for discussion / prioritization by team

Comments

@spyesx

spyesx commented Jul 15, 2022

Steps to Reproduce

Testing the Docker image, I've created this simple docker-compose.yml

version: "3.5"

volumes:
  step:

services:

  step-ca:
    image: smallstep/step-ca
    container_name: step-ca
    restart: always
    volumes:
      - "step:/home/step"
      - "./password:/home/step/secrets/password"
    environment:
      DOCKER_STEPCA_INIT_NAME: "ca.local"
      DOCKER_STEPCA_INIT_DNS_NAMES: "localhost,ca.local,step-ca"
    ports:
      - "443:9000"

Your Environment

  • OS - Docker on Raspberry Pi OS 64 bits
# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 11 (bullseye)
Release:	11
Codename:	bullseye

# uname -a
Linux talloca 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux
  • step-ca Version - Docker image: smallstep/step-ca:latest (DIGEST: sha256:48c19bdd6cf8c179b04805b897ee4c591df479f919cece6cb13285053cfb8c12)

Expected Behavior

I expect the CA to start properly.

Actual Behavior

The CA doesn't start. It fails during init with a permission error.

$ docker-compose up
Creating volume "step-ca_step" with default driver
Pulling step-ca (smallstep/step-ca:)...
latest: Pulling from smallstep/step-ca
b3c136eddcbf: Pull complete
3ec4389e237d: Pull complete
a1e5a30d2645: Pull complete
4f4fb700ef54: Pull complete
a9471723f12d: Pull complete
8612715930f6: Pull complete
07c9f79436f9: Pull complete
45a6246097cd: Pull complete
c10367b913fb: Pull complete
Digest: sha256:48c19bdd6cf8c179b04805b897ee4c591df479f919cece6cb13285053cfb8c12
Status: Downloaded newer image for smallstep/step-ca:latest
Creating step-ca ... done
Attaching to step-ca
step-ca    |
step-ca    | Generating root certificate... done!
step-ca    | Generating intermediate certificate... done!
step-ca    | open /home/step/secrets/intermediate_ca_key: permission denied
# ls -al /var/lib/docker/volumes/step-ca_step/_data/
total 28
drwxr-sr-x 6 tallo tallo 4096 Jul 15 08:01 .
drwx-----x 3 root  root 4096 Jul 15 08:01 ..
drwx--S--- 2 tallo tallo 4096 Jul 15 08:01 certs
drwx--S--- 2 tallo tallo 4096 Jul 15 08:01 config
-rw-r--r-- 1 tallo tallo   41 Jul 15 08:34 password
drwxr-sr-x 2 root  tallo 4096 Jul 15 08:01 secrets
drwx--S--- 2 tallo tallo 4096 Jul 15 08:01 templates

# ls -al /var/lib/docker/volumes/step-ca_step/_data/secrets/
total 8
drwxr-sr-x 2 root  tallo 4096 Jul 15 08:46 .
drwxr-sr-x 6 tallo tallo 4096 Jul 15 08:46 ..
-rwxr-xr-x 1 root  tallo 0    Jul 15 08:46 password

Additional Context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@spyesx spyesx added bug needs triage Waiting for discussion / prioritization by team labels Jul 15, 2022
@tashian
Contributor

tashian commented Jul 18, 2022

Hi @spyesx, I was able to reproduce this as well.
I think this is docker/compose#3270 in the wild.
Because of the volume mount, you may need to add a layer to the Dockerfile for step-ca to get this working.
What I still don't understand is why docker run -d -v step:/home/step ... works, but this doesn't work.
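The pattern tashian points at above (a file bind-mounted to a path that lies inside a named volume, so the daemon creates the missing parent directory as root and the non-root step user can no longer write into secrets/) can be caught before the container ever starts. The following is an added example, not code from the smallstep/step-ca project or from anyone in this thread: it parses Compose short-syntax volume entries and flags any bind mount whose target sits under a named volume's mount point. The volume list is a constructed copy of the service from the report, embedded inline so the check runs without PyYAML; the hypothetical helper names (parse_mount, nested_bind_mounts, lint) are mine.

```python
"""Lint Compose volume entries for bind mounts nested under a named volume.

Constructed example, not from the step-ca project. The issue's service is
flattened to a list of short-syntax entries ("source:target[:mode]") so the
check runs offline without a YAML parser.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Constructed input: the two volume entries from the reporter's compose file.
STEP_CA_VOLUMES = [
    "step:/home/step",
    "./password:/home/step/secrets/password",
]


@dataclass(frozen=True)
class Mount:
    source: str
    target: str
    kind: str  # "volume" (named volume), "bind" (host path) or "anonymous"


def parse_mount(entry: str) -> Mount:
    """Parse one Compose short-syntax volume entry."""
    parts = entry.split(":")
    if len(parts) == 1:
        # "/path" alone is an anonymous volume at that container path.
        return Mount(source="", target=posixpath.normpath(parts[0]), kind="anonymous")
    source, target = parts[0], parts[1]
    # Compose treats a source starting with /, ./, ../ or ~ as a host path
    # (bind mount); any other bare name refers to a named volume.
    kind = "bind" if source.startswith(("/", "./", "../", "~")) else "volume"
    return Mount(source=source, target=posixpath.normpath(target), kind=kind)


def is_under(path: str, parent: str) -> bool:
    """True when path is strictly inside parent (both normalised, absolute)."""
    return path != parent and posixpath.commonpath([path, parent]) == parent


def nested_bind_mounts(entries: list[str]) -> list[tuple[Mount, Mount]]:
    """Return (bind, volume) pairs where a bind target lives inside a named volume."""
    mounts = [parse_mount(e) for e in entries]
    volumes = [m for m in mounts if m.kind == "volume"]
    binds = [m for m in mounts if m.kind == "bind"]
    return [(b, v) for b in binds for v in volumes if is_under(b.target, v.target)]


def lint(entries: list[str]) -> list[str]:
    """Human-readable findings, one per nested bind mount."""
    return [
        f"{b.source} -> {b.target} is nested under named volume '{v.source}' "
        f"mounted at {v.target}: the daemon creates the missing parent "
        f"{posixpath.dirname(b.target)} as root, so a non-root service user "
        f"cannot write there"
        for b, v in nested_bind_mounts(entries)
    ]


if __name__ == "__main__":
    for finding in lint(STEP_CA_VOLUMES):
        print(finding)
```

Run it against the reporter's service and it reports exactly the directory that shows up root-owned in the ls output above (/home/step/secrets). Two caveats for anyone applying the later workaround of loosening permissions: the directory being repaired is where step-ca writes the intermediate CA private key, so the fix should be a chown to the container's uid (or moving the bind-mount target out of the volume subtree), not a recursive chmod that makes the key readable to other users on the host.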

@maraino
Contributor

maraino commented Aug 16, 2022

@tashian Is there anything that we can do here? Should we close this?

@maraino maraino added this to the Backlog milestone Aug 16, 2022
@tashian
Contributor

tashian commented Aug 16, 2022

Yes, I think we can close this for now and revisit if/when the Compose bug is fixed.

@tashian tashian closed this as completed Aug 16, 2022
@JesseShawCodes

I know this issue has been long since closed, but I've been trying to figure this bug out myself for some time and just found a solution. Hopefully this may help someone else in the future.

Because you are exposing /home/step/secrets/password to a password folder in your project directory, you may need to make sure that the password folder is given the correct permissions in your server.

I was using Linux myself, and I had run a sudo chmod to the folder I was exposing. After doing that, I was no longer seeing the permission denied message from step-ca, and the container is now running as expected.

@hslatman hslatman removed this from the Backlog milestone Apr 25, 2024