Permissions errors with docker on Synology

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to trouble shoot the problem
[ ] I describe the steps on how to reproduce the issue

Hello passbolt community,

I have attempting to install passbolt on my Synology NAS for the past couple of weeks without any success. I keep on getting the “Your entropy pool is low” error (as shown below) and have made a lot of attempts to resolve this issue. My last attempt was to create the PGP keys on my windows machine and see if by having them mounted to the Docker image it would bypass the requirement to generate them. Among other attempts, I also saw that it would be possible to use VMs to create an entropy pool, but since I lack the knowledge I am unaware of how to link this to the docker image of passbolt… so I am stuck. :sweat_smile:

I have used the steps from the installation tutorial for Docker, using the run command. The docker image starts up but then it just crashes.

Any help on this issue is much appreciated! Below I paste the log file and my synology details and if there is anything else please let me know. Although I have used my NAS for a long time, and have used other applications via docker, they were all on an entry level difficulty, so I am still very new to this. Thanks in advance!

Server Details
Synology DS718+ with 6GB of RAM, DSM 7

Log Output

==================================================================================
  Your entropy pool is low. This situation could lead GnuPG to not
  be able to create the gpg serverkey so the container start process will hang
  until enough entropy is obtained.
  Please consider installing rng-tools and/or virtio-rng on your host as the
  preferred method to generate random numbers using a TRNG.
  If rngd (rng-tools) does not provide enough or fast enough randomness you could
  consider installing haveged as a helper to speed up this process.
  Using haveged as a replacement for rngd is not recommended. You can read more
  about this topic here: https://lwn.net/Articles/525459/
==================================================================================
gpg: key 133947F7D2852F04 marked as ultimately trusted
gpg: revocation certificate stored as '/var/lib/passbolt/.gnupg/openpgp-revocs.d/DA43E9891C3A75A53B0C2BE2133947F7D2852F04.rev'
-bash: line 1: /etc/passbolt/gpg/serverkey_private.asc: Permission denied

Hello @tneto :wave: and welcome to passbolt community forum :people_holding_hands:

I think your issue here is not the low entropy but rights on your serverkey_private.asc file.

In our docker-compose example file, gpg keys are mounted as a docker volume gpg_volume:

    volumes:
      - gpg_volume:/etc/passbolt/gpg

The issue you encounter usually happens when users mount a local folder and are not using a docker volume.

Can you share your docker-compose.yaml file ?

Cheers,

Hello @_jc ! Thank you for the welcoming and reply! I used the below run command from docker hub and edited my details:

docker run -d --name passbolt \
-p 49000:80 \
-p 49001:443 \
-e DATASOURCES_DEFAULT_HOST=192.161.1.1 \
-e DATASOURCES_DEFAULT_PORT=3306 \
-e DATASOURCES_DEFAULT_PASSWORD=****** \
-e DATASOURCES_DEFAULT_USERNAME=****** \
-e DATASOURCES_DEFAULT_DATABASE=passbolt \
-e APP_FULL_BASE_URL=https://passbolt.my.synology.me \
-v /volume1/docker/passbolt/gpg:/etc/passbolt/gpg \ 
-v /volume1/docker/passbolt/jwt:/data \
-v /volume1/docker/passbolt/database:/var/lib/mysql \
passbolt/passbolt:latest-ce

My last attempt did in fact mount the server_private.asc key, but with a fresh install (using the command above) I get the below error:

==================================================================================
  Your entropy pool is low. This situation could lead GnuPG to not
  be able to create the gpg serverkey so the container start process will hang
  until enough entropy is obtained.
  Please consider installing rng-tools and/or virtio-rng on your host as the
  preferred method to generate random numbers using a TRNG.
  If rngd (rng-tools) does not provide enough or fast enough randomness you could
  consider installing haveged as a helper to speed up this process.
  Using haveged as a replacement for rngd is not recommended. You can read more
  about this topic here: https://lwn.net/Articles/525459/
==================================================================================
gpg: keybox '/var/lib/passbolt/.gnupg/pubring.kbx' created
gpg: /var/lib/passbolt/.gnupg/trustdb.gpg: trustdb created
gpg: key 5F2826FAD2A09626 marked as ultimately trusted
gpg: directory '/var/lib/passbolt/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/var/lib/passbolt/.gnupg/openpgp-revocs.d/3A283F824BA5956CC8E7155C5F2826FAD2A09626.rev'
-bash: line 1: /etc/passbolt/gpg/serverkey_private.asc: Permission denied

Any light on this would be great!

Hi,

You are using an existing folder to mount passbolt gpg server keys:

Can you check owner and rights with this command:

la -alh /volume1/docker/passbolt/gpg

It should return something like:

-rw-r--r-- 1 www-data www-data 1.8K Feb  1 09:06 serverkey.asc
-rw------- 1 www-data www-data 3.5K Feb  1 09:06 serverkey_private.asc

On your NAS, there is chances you don’t have any www-data user, so the owner and group must be set to 33, as it is the id of the www-data user in the container.

To fix rights, execute these commands:

chown 33:33 /volume1/docker/passbolt/gpg/serverkey_private.asc
chown 33:33 /volume1/docker/passbolt/gpg/serverkey.asc

It should fix your issue.

Another though regarding the jwt volume:

-v /volume1/docker/passbolt/jwt:/data \

JWT keys are stored in the container on /etc/passbolt/jwt so the correct mount is

-v /volume1/docker/passbolt/jwt:/etc/passbolt/jwt \

And again, on your NAS, /volume1/docker/passbolt/jwt folder must be owned by user and group with id 33.

Best,

One more thing, you shouldn’t use latest tag, as you have no indication in the tag name about the passbolt version.

Here is the list of all ce tags and the last one is 3.5.0-ce.

I got a customer some weeks ago who told me: “I’m running the latest version of passbolt” and in fact, it was the “latest” tag, pulled one year ago. He was thinking he was running the 3.5.0 and it was in fact a 2.12.0 :confused:

Cheers,

Thank you @_jc ! You were spot on.

I set the owner for both “pgp” and “jwt” folders and was able to proceed with the installation and configuration of passbolt. I also fixed the “jwt” folder path to the correct one, unfortunate copy/paste error. I also used the 3.5.0-ce tag for the image. I did see in the documentation that we should do this, but since it was my first install, I figured it was not necessary.

The reason I took a while to reply is because I am now searching for the resolution of the next issue which I hoped to have resolved prior to replying to you:

From the docker container, I receive the following message:

The JWT private key could not be written.

I tried to assign 33 as owner again by:

chown 33:33 /volume1/docker/passbolt/jwt

but then I receive this message:

chown: missing operand after '33:33\302\240/volume1/docker/passbolt/jwt'
Try 'chown --help' for more information.

I then tried:

chown -R 33:33 /volume1/docker/passbolt/jwt

But I receive the same error message.

I was able to change the “pgp” folder, so I really do not understand why the “jwt” did not do the same.

I am still digging through the forum to find a solution, but I also did not want to leave you without a reply as it looks like this will take a while, so this is the situation so far. :sweat_smile:

Any guidance is much appreciated!

Good news :slight_smile:

Maybe you cannot change the owner of /volume1/docker/passbolt/jwt because it is currently used and mounted by docker ?

The \302\240 pattern is weird here :confused: Did you copy paste or typed character per character the chown command ? Can you retry without copy/pasting the command ?

Cheers,

Hello @_jc !

I also thought that maybe the folder was locked and made sure the container was not running when requesting the owner change, but that did nothing, and I still had the issues.

I also have no idea where the “\302\240” came from. I think maybe part of the synology coding when compiling the error log? I did copy-paste initially, but as you recommended later I typed in character per character and came to the same error message.

So I did a lot of searching and tried a lot of things like “openssl_pkey_new” and generating the jwt keys manually (I deleted and created the passbolt container about 7 times already) but in the end it was just as simple as adding the “sudo” to the “chown” command. After that it made the correct changes.

So I was able to finally have passbolt running smoothly on my system and mobile without any problems.

Thank you so much @_jc for you guidance here. As you can see I know nothing of docker and such could not pinpoint the error.

PS: Considering that the issue was not the entry pool, but permissions, should I change the topic of this thread? :thinking:

Cool :sunglasses:

I edited the main title of this thread and by the way, we have a documentation about how to generate JWT keys manually: Passbolt Help | How to generate JWT key pair manually

Don’t hesitate to post here if you have further questions about other topics :slight_smile:

Best,

1 Like