docker_tang's People

Contributors

dependabot[bot], saswatpadhi, yehy4

docker_tang's Issues

Data should not (also) expose cache dir

VOLUME [ "/data" ]

…defines a volume for both the cache dir and the keys DB. IMHO that is not a good way, because usually temp files should only be stored temporarily (in a tmpfs) and actually also do not need to be exposed.
IMHO, it would be good to keep this "temp stuff", which one would not want to modify anyway, inside the container and not expose it. Also one should not run tang-update from outside of this container IMHO, as one does not know what the state inside the container is (it should work from the outside – even if you upgrade it and paths are changed etc.).

Suggested solution

At least two volumes for temp/cache files and one for the keys DB. And the temp/cache volume should be stored on a tmpfs, also for security reasons, so as not to spread the key material and save it to different places.
See latchset/tang#24 and latchset/tang#23

Or just don't expose the cache dir at all. 😉

Volume binding information is incorrect

In your README it says to bind "/path/to/data:/data" to persist storage, but in the Dockerfile itself the volume is defined as "/db", so the binding should be "/path/to/data:/db".

No cache regeneration mechanism?

It seems you only generate the cache files once at startup:

grep -r -q '"sign"' db/tang || tangd-keygen db/tang

This means if the key files are changed on disk at runtime, this change is not reflected in the cache and thus tang will still use the old keys. If you bind that keys DB volume as an external dir, as #2 e.g. suggests, you end up having both dirs exposed at runtime, but one is managed inside of the container. (see also #3)
AFAIK upstream tang solves this with a systemd unit, which is of course not possible here.

See latchset/tang#24 and latchset/tang#23. So as this cache thing is anyway not a good idea, I think you should IMHO encapsulate that cache thing.
Or you do not expose the cache dir (#3) and then maybe add a note in the Readme that one needs to restart the container if the keys are regenerated/changed.
(Or add some command to regenerate/rotate keys or whatever)
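
One way to notice the stale-cache condition described in this issue, as an added example that is not part of the original issue or the docker_tang repository: record a fingerprint of the key directory when the cache is generated and compare it later, for instance from a health check. The function names and the stamp file are assumptions, and `sha256sum` is assumed to be available in the image.

```sh
#!/bin/sh
# Added example (not from the docker_tang repository). Function names and the
# stamp-file location are assumptions; db/tang is the key directory from the issue.

# Fingerprint every file name and its content in the key directory. Names are
# included so that renaming a key (e.g. hiding it during rotation) is detected.
key_fingerprint() {
    [ -d "$1" ] || { echo "missing"; return 0; }
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\n' "$f"
        sha256sum < "$f"
    done ) | sha256sum | cut -d' ' -f1
}

# Call right after the cache has been generated at startup.
# Keep the stamp file outside the key directory, or it changes the fingerprint.
record_fingerprint() {
    key_fingerprint "$1" > "$2"
}

# Exit status 0 when the keys on disk no longer match what the cache was built from.
cache_is_stale() {
    [ -f "$2" ] || return 0
    [ "$(key_fingerprint "$1")" != "$(cat "$2")" ]
}

# Self-contained run on constructed files (placeholders, not real JWKs).
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/db/tang"
    printf '{"constructed":"sig-1"}' > "$tmp/db/tang/sig1.jwk"
    record_fingerprint "$tmp/db/tang" "$tmp/stamp"
    cache_is_stale "$tmp/db/tang" "$tmp/stamp" && before=stale || before=fresh
    # Simulate an out-of-band change through the bind-mounted volume.
    mv "$tmp/db/tang/sig1.jwk" "$tmp/db/tang/.sig1.jwk"
    printf '{"constructed":"sig-2"}' > "$tmp/db/tang/sig2.jwk"
    cache_is_stale "$tmp/db/tang" "$tmp/stamp" && after=stale || after=fresh
    rm -rf "$tmp"
    echo "$before $after"
}

demo   # prints: fresh stale
```

When `cache_is_stale` succeeds, the cache has to be regenerated or the container restarted before the served keys match the ones on disk.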

Container not starting

Using the tang image published on dockerhub (image ID 017a42d3b036) I could not get tang to a successful startup.

Maybe it's due to using podman instead of docker?
In case you, @SaswatPadhi, are successfully using podman, too, the issue might be caused by something different.

podman run -it --rm padhihomelab/tang

returns:

[2020-11-20 21:17:38] /usr/local/bin/docker-entrypoint: No files found in /etc/docker-entrypoint.d, skipping configuration.
[2020-11-20 21:17:38] /usr/local/bin/docker-entrypoint: Creating new user 'user' with UID = 12345 in group user (23456) ...
[2020-11-20 21:17:38] /usr/local/bin/docker-entrypoint: User 'user' created successfully.
[2020-11-20 21:17:38] /usr/local/bin/docker-entrypoint: Ready for start up.
mkdir: can't create directory 'db/tang': Permission denied

Error when running docker command: su-exec: -e: No such file or directory

Hello,

I'm attempting to get this Tang Docker Container up and running but I've hit a snag:

root@tang:~# docker run -it --rm -p 8080:8080 --volume "/root/docker/tang/":"/db" padhihomelab/tang -e DOCKER_UID=$(id -u)
2022-01-28 18:29:19 docker-entrypoint (INFO) Creating new group 'user' with GID = 23456 ...
2022-01-28 18:29:19 docker-entrypoint (DBUG)   + Group created successfully.
2022-01-28 18:29:19 docker-entrypoint (INFO) Creating new user 'user' with UID = 12345 in group 'user' ...
2022-01-28 18:29:19 docker-entrypoint (DBUG)   + User created successfully.
2022-01-28 18:29:19 docker-entrypoint (INFO) /etc/docker-entrypoint.d is not empty, attempting to perform configuration.
2022-01-28 18:29:19 docker-entrypoint (DBUG) Looking for shell scripts in /etc/docker-entrypoint.d ...
2022-01-28 18:29:19 docker-entrypoint (DBUG)   + Launching /etc/docker-entrypoint.d/setup-volume.sh ...
2022-01-28 18:29:19 docker-entrypoint (INFO) Configuration complete.
2022-01-28 18:29:19 docker-entrypoint (INFO) Ready for start up!
su-exec: -e: No such file or directory
root@tang:~# 
Docker version 20.10.12, build e91ed57

root@tang:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 11 (bullseye)
Release:	11
Codename:	bullseye
root@tang:~#

Any help would be greatly appreciated.
