Hi Giles,
now I got the whole picture. The reason for the different behaviour can be found in the way docker is executed inside the container. If no --user option is used when starting the container, the entry point and cmd of the container will be executed as root inside the container. This means the mosquitto process will be started with root privileges inside the container, and it will drop its root privileges by switching to a different user after the config file is read. This is the reason why it's possible to specify the user to be used for mosquitto in the config file as well. So the config file will be read with root privileges (inside the container). All other config files (password_file, ACL) will be read with the limited mosquitto user permissions (inside the container).
You need to find out why both volumes /mosquitto/config and /mosquitto/data are mounted without write permission for the docker container. As described before, the mosquitto docker entry point script will recursively take ownership of both folders, but it will not change any permissions.
You should try to modify the permissions of the /volume1/mosquitto, /volume1/mosquitto/data and /volume1/mosquitto/config folders on your host to grant the docker container access to these folders.
Best, Norbert
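A host-side check for the permission problem described above, added here as an example and not part of the thread or of the mosquitto project: it verifies that a bind-mounted host directory is traversable and its files readable for the broker's unprivileged user. It assumes GNU coreutils `stat -c`, uid 1883 for the in-container mosquitto user (the owner shown in the ls output in this thread), and the /volume1/mosquitto/... layout from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that the host directories bind-mounted
# into the eclipse-mosquitto container are usable by the broker's unprivileged user.
# mosquitto.conf is read while the entrypoint still runs as root, but password_file
# and ACL files are opened after the broker drops to its own user, so every
# directory on their path needs the execute (traverse) bit and the file needs read.
# Assumptions: GNU coreutils `stat -c`; uid 1883 for the in-container mosquitto
# user (the owner shown in the ls output in this thread); group bits are ignored.

MOSQ_UID=${MOSQ_UID:-1883}

# can_access PATH UID WANT -> 0 if UID has all WANT permission bits (r=4, w=2, x=1)
# on PATH, using the owner bits when UID owns PATH and the "other" bits otherwise.
can_access() {
  [ -e "$1" ] || { echo "MISSING: $1 (or its parent is not traversable)"; return 1; }
  mode=$(( 0$(stat -c '%a' "$1") ))        # octal string -> number, e.g. 000 -> 0, 755 -> 493
  if [ "$(stat -c '%u' "$1")" -eq "$2" ]; then
    bits=$(( (mode >> 6) & 7 ))
  else
    bits=$(( mode & 7 ))
  fi
  [ $(( bits & $3 )) -eq "$3" ]
}

# check_volume DIR UID FILE... -> 0 if UID can traverse DIR and read every FILE in it;
# prints one FAIL line per problem (a d--------- directory as in this thread fails here).
check_volume() {
  dir=$1; uid=$2; shift 2; rc=0
  if ! can_access "$dir" "$uid" 1; then
    echo "FAIL: $dir is not traversable (x) by uid $uid: $(stat -c '%A %U:%G' "$dir" 2>/dev/null)"
    rc=1
  fi
  for f in "$@"; do
    if ! can_access "$dir/$f" "$uid" 4; then
      echo "FAIL: $dir/$f is not readable (r) by uid $uid: $(stat -c '%A %U:%G' "$dir/$f" 2>/dev/null)"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: $dir usable by uid $uid"
  return "$rc"
}

# Stand-alone use: sh check_volume.sh /volume1/mosquitto/data mosquitto.password_file
if [ -n "${1:-}" ]; then
  dir=$1; shift
  check_volume "$dir" "$MOSQ_UID" "$@"
fi
```

Run it as root on the host (the files may belong to uid 1883, which need not exist there); a FAIL on the directory rather than the file is exactly the "Permission denied" on cd seen in the container.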
Ok, it seems to be an issue with the permissioning of the data folder:
~ $ whoami
mosquitto
~ $ pwd
/mosquitto
~ $ ls -la
total 8
drwxr-xr-x 1 mosquitt mosquitt  50 Mar 13 11:12 .
drwxr-xr-x 1 root     root     236 Mar 13 11:08 ..
-rw------- 1 mosquitt mosquitt 128 Mar 13 11:14 .ash_history
d--------- 1 mosquitt mosquitt  28 Mar 11 05:28 config
d--------- 1 mosquitt mosquitt  46 Mar 11 05:52 data
drwxr-xr-x 1 mosquitt mosquitt   0 Nov 17 01:20 log
~ $ cd ./data/
ash: cd: can't cd to ./data/: Permission denied
I can't understand why it's able to read the config folder though, as that seems to have the same problem!
Hi Giles,
it took me some time trying to reproduce your problem, but everything works fine on my machine.
To continue with your system, first of all some remarks on the last (unsuccessful) attempts:
a. You are totally right, the shown username mosquitt is a truncation of the username.
b. You are right, it's not possible to su to mosquitto as the user is marked as "nologin" in /etc/passwd.
To get more details on the problem we are facing, I would ask you to try to get some more information.
1. Start the docker container with a shell instead of starting mosquitto by using:
sudo docker run --rm -it -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config -v /volume1/mosquitto/data:/mosquitto/data --name mosqTemp eclipse-mosquitto:latest /bin/sh
2. Install the strace utility you might need later by:
apk add strace
3. Inside the container, modify the line of the mosquitto user in /etc/passwd by replacing it with:
mosquitto:x:1883:1883:mosquitto:/mosquitto:/bin/ash
Now you should be able to do an "su mosquitto" and verify if you are able to read the password file.
If this is successful, you may try to start mosquitto (with the mosquitto user) by:
/usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
If this still fails, you may use strace to find out more details about the problem. strace is the Linux system call tracer, which has helped me a lot analysing all kinds of weird issues in the past. To start mosquitto with the trace use (still with the mosquitto user):
strace -o /tmp/strace.out -s 512 -y -vv -f /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
(Interrupt with CTRL-C.)
Now you may take a look into the /tmp/strace.out file, which shows all system call traces of the broker. There should be a line opening your config file, and some lines further below you should see a stat call trying to find your password file, together with the result of this system call.
Hope this helps to get more details on your problem. Best, Norbert
Thanks Norbert.
Changing the permissions of the file had no effect:
/volume1/mosquitto/data$ sudo chmod 666 /volume1/mosquitto/data/mosquitto.password_file
/volume1/mosquitto/data$ ls -la
total 4
drwxrwxrwx+ 1 1883 1883  46 Mar 11 05:52 .
drwxrwxrwx+ 1 1883 1883  76 Mar 11 05:28 ..
-rw-rw-rw-  1 1883 1883 121 Mar 11 05:52 mosquitto.password_file
$ sudo docker run --rm -i -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config -v /volume1/mosquitto/data:/mosquitto/data --name mosqTemp eclipse-mosquitto:latest
1647005856: mosquitto version 2.0.14 starting
1647005856: Config loaded from /mosquitto/config/mosquitto.conf.
1647005856: Error: Unable to open pwfile "/mosquitto/data/mosquitto.password_file".
1647005856: Error opening password file "/mosquitto/data/mosquitto.password_file".
inside the container:
/mosquitto/data # ls -la
total 4
d--------- 1 mosquitt mosquitt  46 Mar 11 05:52 .
drwxr-xr-x 1 mosquitt mosquitt  26 Nov 17 01:20 ..
-rw-rw-rw- 1 mosquitt mosquitt 121 Mar 11 05:52 mosquitto.password_file
but I can't su as mosquitto:
/mosquitto/data # su mosquitto
This account is not available
/mosquitto/data # whoami
root
I notice that the user in the ls output is mosquitt, not mosquitto. I assume that's just a concatenation?
Hi Giles,
changing the ownership of the folder /mosquitto (and recursively all sub folders) inside the container to mosquitto:mosquitto is part of the docker-entrypoint.sh script that starts the broker in the container. The intention is to avoid any kind of permission/ownership problems.
But the ownership of your file inside the container still looks strange. Could you please try to change the permissions of the password file to 666 using:
sudo chmod 666 /volume1/mosquitto/data/mosquitto.password_file
(You may need to execute it with root permission, as the folder/file might belong to a userid which does not exist on the host.)
Then give it a new try. This would help to see if we have a permission problem with the file.
If this does not help, please try to view the content (e.g. cat) of the file inside the container using the mosquitto user:
su mosquitto
less /mosquitto/data/mosquitto.password_file
(Use q to quit less.)
Best, Norbert
Many thanks for that explanation. I hadn't realised that a docker image expects certain volumes, I thought you could replace any path with any path.
Anyway, I am now running with:
sudo docker run --rm -i -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config -v /volume1/mosquitto/data:/mosquitto/data --name mosqTemp eclipse-mosquitto:latest
but unfortunately I still get:
1646993206: mosquitto version 2.0.14 starting
1646993206: Config loaded from /mosquitto/config/mosquitto.conf.
1646993206: Error: Unable to open pwfile "/mosquitto/data/mosquitto.password_file".
1646993206: Error opening password file "/mosquitto/data/mosquitto.password_file".
in the container I can now see the expected file:
/mosquitto/data # pwd
/mosquitto/data
/mosquitto/data # ls -la
total 4
d--------- 1 mosquitt mosquitt  46 Mar 11 05:52 .
drwxr-xr-x 1 mosquitt mosquitt  26 Nov 17 01:20 ..
---------- 1 mosquitt mosquitt 121 Mar 11 05:52 mosquitto.password_file
Hi Giles,
the mosquitto Docker container expects two different volumes to be mounted in the container (as you can check using "docker image inspect mosquitto:latest" and looking for Volumes):
1. /mosquitto/config
2. /mosquitto/data
If you simply try to mount your local /volume1/mosquitto to the internal /mosquitto, the subfolders config and data will still not be visible in the container (as they are overloaded by the docker engine). This is a general pattern in the docker engine: all specified volumes have to be mounted individually. You can't simply mount the folder above.
To fix your problem, you would need to mount your local data and config folders individually into the container:
sudo docker run --rm -i -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config -v /volume1/mosquitto/data:/mosquitto/data eclipse-mosquitto:latest
Hope this helps.
BTW: Why are there two different folders? Because the folders contain two different types of data. Config contains seldom modified data, including highly sensitive data like usernames and passwords (hashes). The data folder stores temporary data and may be modified very often. Using two different folders allows using different backend storages (e.g. different RAID configs).
Best, Norbert
Hi All
I am trying to get the mosquitto docker image to work with a password file. My run command:
sudo docker run --rm -i -p 1883:1883 -v/volume1/mosquitto:/mosquitto eclipse-mosquitto:latest
my config (/volume1/mosquitto/config/mosquitto.conf):
listener 1883
password_file /mosquitto/data/mosquitto.password_file
container file structure:
volume1/
  /config
    /mosquitto.conf
  /data
    /mosquitto.password_file
  /mqtt_passwd
(there are 2 copies of the password file at 2 different locations)
Within the running container I can see the mqtt_passwd in /mosquitto/, but the mosquitto.password_file is missing from /mosquitto/data. I have no idea how that can happen.
If I change my config to point to the password file at /mosquitto/mqtt_passwd I get the same error:
1646978185: mosquitto version 2.0.14 starting
1646978185: Config loaded from /mosquitto/config/mosquitto.conf.
1646978185: Error: Unable to open pwfile "/mosquitto/mqtt_password".
1646978185: Error opening password file "/mosquitto/mqtt_password".
I am very new to docker and pretty new to Linux, so I am a bit lost. Any help much appreciated.
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev
-- Senior Developer | Cedalo GmbH
Tel: +49 173 936 43 63
Cedalo GmbH
The company behind Eclipse Mosquitto and Eclipse Streamsheets
Managing directors: Philipp Struss, Philip Ackermann, Dr. Stefan Lölkes
Register court: Amtsgericht Freiburg, HRB 725414
---------------------------------------------------------------------------------------------
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorized copying and unauthorized forwarding of this e-mail are not permitted.