Re: [mosquitto-dev] Unable to open pwfile when using mosquitto Docker image

Hi Giles,

Now I have the whole picture. The reason for the different behaviour can be found in the way the container is executed by docker. If no --user option is used when starting the container, the entry point and cmd of the container will be executed as root inside the container. This means the mosquitto process will be started with root privileges inside the container and it will drop its root privileges by switching to a different user after the config file is read. This is the reason why it's possible to specify the user to be used for mosquitto in the config file as well.
So the config file will be read with root privileges (inside the container). All other config files (password_file, ACL) will be read with the limited mosquitto user permission (inside the container).

You need to find out, why both volumes /mosquitto/config and /mosquitto/data are mounted without write permission to the docker container. As described before the mosquitto docker entry point script will recursively take ownership of both folders, but it will not change any permissions. 

You should try to modify the permissions of the /volume1/mosquitto, /volume1/mosquitto/data and /volume1/mosquitto/config folders on your host to grant the docker container access to these folders.

Best,
Norbert 
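As an added illustration (not part of the thread), a small Python model of the permission checks Norbert describes: the config file is opened while the broker still runs as root, which bypasses the d--------- directories, whereas the password file is opened only after privileges have been dropped to uid/gid 1883. The tree is constructed from the in-container listings quoted in this thread; the names Node, can_open_for_read, broker_startup and fixed_tree are this example's own.

```python
from collections import namedtuple

# mode holds permission bits only (e.g. 0o755); uid/gid are numeric owners
Node = namedtuple("Node", "mode uid gid")

# Constructed tree mirroring the in-container listings quoted in the thread: the
# bind-mounted config/ and data/ appear as d--------- owned by 1883:1883 ('mosquitt').
TREE = {
    "/mosquitto": Node(0o755, 1883, 1883),
    "/mosquitto/config": Node(0o000, 1883, 1883),
    "/mosquitto/config/mosquitto.conf": Node(0o644, 1883, 1883),
    "/mosquitto/data": Node(0o000, 1883, 1883),
    "/mosquitto/data/mosquitto.password_file": Node(0o666, 1883, 1883),
}

def _allowed(node, uid, gid, want):
    """Plain DAC check: root (CAP_DAC_OVERRIDE/READ_SEARCH) bypasses the mode bits,
    otherwise the owner, group or other permission class applies."""
    if uid == 0:
        return True
    shift = 6 if uid == node.uid else 3 if gid == node.gid else 0
    return ((node.mode >> shift) & want) == want

def can_open_for_read(tree, path, uid, gid):
    """Every directory on the path needs search (x); the file itself needs read (r)."""
    cur = ""
    for part in path.strip("/").split("/")[:-1]:
        cur += "/" + part
        if cur not in tree or not _allowed(tree[cur], uid, gid, 1):
            return False, f"{cur}: Permission denied (no search permission)"
    if path not in tree or not _allowed(tree[path], uid, gid, 4):
        return False, f"{path}: Permission denied (no read permission)"
    return True, "ok"

def broker_startup(tree, conf, pwfile, drop_to=(1883, 1883)):
    """Hypothetical model of the order described in the thread: config read as root,
    privileges dropped, then password_file opened as the unprivileged user."""
    ok, why = can_open_for_read(tree, conf, 0, 0)
    if not ok:
        return f"Error: Unable to open config file {conf}: {why}"
    ok, why = can_open_for_read(tree, pwfile, *drop_to)
    if not ok:
        return f'Error: Unable to open pwfile "{pwfile}": {why}'
    return "ok"

def fixed_tree(tree):
    """Host-side fix from the thread: give the two volume directories search permission (0o750)."""
    out = dict(tree)
    for p in ("/mosquitto/config", "/mosquitto/data"):
        out[p] = Node(0o750, tree[p].uid, tree[p].gid)
    return out
```

With TREE as constructed, broker_startup reports the config as readable and fails on the password file exactly like the quoted log, and succeeds again once the directories have been made searchable.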

On 13.03.2022 at 12:15, Giles Roadnight <giles.roadnight@xxxxxxxxx> wrote:

Ok, it seems to be an issue with the permissioning of the data folder:

~ $ whoami
mosquitto
~ $ pwd
/mosquitto
~ $ ls -la
total 8
drwxr-xr-x    1 mosquitt mosquitt        50 Mar 13 11:12 .
drwxr-xr-x    1 root     root           236 Mar 13 11:08 ..
-rw-------    1 mosquitt mosquitt       128 Mar 13 11:14 .ash_history
d---------    1 mosquitt mosquitt        28 Mar 11 05:28 config
d---------    1 mosquitt mosquitt        46 Mar 11 05:52 data
drwxr-xr-x    1 mosquitt mosquitt         0 Nov 17 01:20 log
~ $ cd ./data/
ash: cd: can't cd to ./data/: Permission denied

I can't understand why it's able to read the config folder though as that seems to have the same problem!


On Sat, 12 Mar 2022 at 17:39, Norbert Heußer <norbert.heusser@xxxxxxxxxx> wrote:
Hi Giles,

took me some time trying to reproduce your problem. But everything works fine on my machine. 

To continue with your system, first of all some remarks on the last (unsuccessful) attempts:
a. You are totally right, the shown username mosquitt is a truncation of the username.
b. You are right, it's not possible to su to mosquitto as the user is marked as "nologin" in the /etc/passwd.

To get more details on the problem we are facing I would ask you to try to get some more information. 
1. Start the docker container with a shell instead of starting the mosquitto by using: 
    sudo docker run --rm -it -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config -v /volume1/mosquitto/data:/mosquitto/data --name mosqTemp eclipse-mosquitto:latest /bin/sh
2. Install the strace utility you might need later by 
    apk add strace
3. Inside the container modify the line of the mosquitto user by replacing it with 
    mosquitto:x:1883:1883:mosquitto:/mosquitto:/bin/ash

Now you should be able to do an "su mosquitto" and verify if you are able to read the password file.

If this is successful you may try to start the mosquitto by (with the mosquitto user):
  /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf

If this still fails you may use strace to find out more details about the problem. strace is the Linux system call tracer, which helped me a lot analysing any kind of weird issues in the past. To start mosquitto with the trace use (still with the mosquitto user):
  strace -o /tmp/strace.out -s 512 -y -vv -f  /usr/sbin/mosquitto -c /mosquitto/config/mosquitto.conf
(Interrupt by CTRL-C)

Now you may take a look into the /tmp/strace.out file showing all system call traces of the broker. There should be a line opening your config file. And some lines further below you should see a stat command trying to find your password file, and the result of this system call.

Hope this helps to get more details on your problem.

Best
Norbert

On 11.03.2022 at 14:43, Giles Roadnight <giles.roadnight@xxxxxxxxx> wrote:

Thanks Norbert.

Changing the permissions of the file had no effect:

/volume1/mosquitto/data$ sudo chmod 666 /volume1/mosquitto/data/mosquitto.password_file
/volume1/mosquitto/data$ ls -la
total 4
drwxrwxrwx+ 1 1883 1883  46 Mar 11 05:52 .
drwxrwxrwx+ 1 1883 1883  76 Mar 11 05:28 ..
-rw-rw-rw-  1 1883 1883 121 Mar 11 05:52 mosquitto.password_file

$ sudo docker run --rm -i -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config -v /volume1/mosquitto/data:/mosquitto/data --name mosqTemp eclipse-mosquitto:latest
1647005856: mosquitto version 2.0.14 starting
1647005856: Config loaded from /mosquitto/config/mosquitto.conf.
1647005856: Error: Unable to open pwfile "/mosquitto/data/mosquitto.password_file".
1647005856: Error opening password file "/mosquitto/data/mosquitto.password_file".

inside the container:

/mosquitto/data # ls -la
total 4
d---------    1 mosquitt mosquitt        46 Mar 11 05:52 .
drwxr-xr-x    1 mosquitt mosquitt        26 Nov 17 01:20 ..
-rw-rw-rw-    1 mosquitt mosquitt       121 Mar 11 05:52 mosquitto.password_file

but I can't su as mosquitto:

/mosquitto/data # su mosquitto
This account is not available
/mosquitto/data # whoami
root

I notice that the user in the ls output is mosquitt - not mosquitto. I assume that's just a concatenation?

On Fri, 11 Mar 2022 at 11:23, Norbert Heußer <norbert.heusser@xxxxxxxxxx> wrote:
Hi Giles,

changing the ownership of the folder /mosquitto (and recursively all sub folders) inside the container to mosquitto:mosquitto is part of the docker-entrypoint.sh script starting the broker in the container. The intention is to avoid any kind of permission/ownership problems.

But the ownership of your file inside the container still looks strange. Could you please try to change permission of the password file to 666 using:
sudo chmod 666 /volume1/mosquitto/data/mosquitto.password_file
(You may need to execute it with root permission as the folder/file might belong to a userid, which does not exist on the host).

Then give it a new try. This would help to see, if we have a permission problem with the file.

If this does not help please try to view the content (e.g. cat) of the file inside the container using the mosquitto user:
su mosquitto
less /mosquitto/data/mosquitto.password_file 
(Use q to quit the less).

Best,
Norbert

On 11.03.2022 at 11:11, Giles Roadnight <giles.roadnight@xxxxxxxxx> wrote:

Many thanks for that explanation. I hadn't realised that a docker image expects certain volumes, I thought you could replace any path with any path.

Anyway, I am now running with:

sudo docker run --rm -i -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config -v /volume1/mosquitto/data:/mosquitto/data --name mosqTemp eclipse-mosquitto:latest

but unfortunately I still get:

1646993206: mosquitto version 2.0.14 starting
1646993206: Config loaded from /mosquitto/config/mosquitto.conf.
1646993206: Error: Unable to open pwfile "/mosquitto/data/mosquitto.password_file".
1646993206: Error opening password file "/mosquitto/data/mosquitto.password_file".

in the container I can now see the expected file:

/mosquitto/data # pwd
/mosquitto/data
/mosquitto/data # ls -la
total 4
d---------    1 mosquitt mosquitt        46 Mar 11 05:52 .
drwxr-xr-x    1 mosquitt mosquitt        26 Nov 17 01:20 ..
----------    1 mosquitt mosquitt       121 Mar 11 05:52 mosquitto.password_file


On Fri, 11 Mar 2022 at 10:02, Norbert Heußer <norbert.heusser@xxxxxxxxxx> wrote:
Hi Giles,

the mosquitto Docker container is expecting two different volumes to be mounted in the container (as you might be able to check using "docker image inspect mosquitto:latest" and checking for Volumes):
1. /mosquitto/config 
2. /mosquitto/data

If you simply try to mount your local /volume1/mosquitto to the internal /mosquitto still the subfolders config and data will not be visible in the container (as they are overloaded by the docker engine). This is a general pattern in docker engine: All specified volumes have to be mounted individually. You can’t simply mount the folder above.

To fix your problem you would need to mount your local data and config individually into the container:
sudo docker run --rm -i -p 1883:1883 -v /volume1/mosquitto/config:/mosquitto/config  -v /volume1/mosquitto/data:/mosquitto/data  eclipse-mosquitto:latest

Hope this helps.

BTW: Why are there two different folders?
Because the folders contain two different types of data. Config contains seldom modified data, which includes highly sensitive data like usernames and passwords (hashes). The data folder stores temporary data and may be modified very often. Using two different folders allows using different backend storages (e.g. different RAID configs).

Best,
Norbert

On 11.03.2022 at 07:01, Giles Roadnight <giles.roadnight@xxxxxxxxx> wrote:

Hi All

I am trying to get mosquitto docker to work with a password file. My run command:

sudo docker run --rm -i -p 1883:1883 -v/volume1/mosquitto:/mosquitto eclipse-mosquitto:latest

my config (/volume1/mosquitto/config/mosquitto.conf):

listener 1883
password_file /mosquitto/data/mosquitto.password_file

container file structure:

volume1/
    /config
        /mosquitto.conf
    /data
        /mosquitto.password_file
    /mqtt_passwd
(there are 2 copies of password at 2 different locations)

Within the running container I can see the mqtt_passwd in /mosquitto/ but the mosquitto.password_file is missing from /mosquitto/data - I have no idea how that can happen.

If I change my config to point to the password file at /mosquitto/mqtt_passwd I get the same error:

1646978185: mosquitto version 2.0.14 starting
1646978185: Config loaded from /mosquitto/config/mosquitto.conf.
1646978185: Error: Unable to open pwfile "/mosquitto/mqtt_password".
1646978185: Error opening password file "/mosquitto/mqtt_password".

I am very new to docker and pretty new to linux so I am a bit lost. Any help much appreciated.
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev

-- 
Norbert Heußer
Senior Developer | Cedalo GmbH
Tel: +49 173 936 43 63

Cedalo GmbH
The company behind Eclipse Mosquitto and Eclipse Streamsheets

Managing directors: Philipp Struss, Philip Ackermann, Dr. Stefan Lölkes. Register court: Amtsgericht Freiburg, HRB 725414

---------------------------------------------------------------------------------------------

This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorised copying and unauthorised forwarding of this e-mail are not permitted.
