Openid-connect-provider:2.2-konnect broken - can not be started - permission denied

Hi,

after update to openid-connect-provider:2.2-konnect-0.33.11 via UCS web-interface, the container can not be started anymore.
Latest UCS 4.4-7 with kopano meet.

root@kopano:~# docker start -a ef52e10c7a9f
+ DOCKERIZE_TIMEOUT=360s
+ '[' 0 -gt 0 ]
+ '[' true '=' true ]
+ signing_private_key=/etc/kopano/konnectd-signing-private-key.pem
+ validation_keys_path=/etc/kopano/konnectkeys
+ true
+ '[' -f /etc/kopano/konnectd-signing-private-key.pem ]
+ '[' '!' -s /etc/kopano/konnectd-signing-private-key.pem ]
+ encryption_secret_key=/etc/kopano/konnectd-encryption-secret.key
/usr/local/bin/wrapper.sh: line 38: can't create /etc/kopano/konnectd-encryption-secret.key: Permission denied
+ true
+ dockerize -wait file:///etc/kopano/konnectd-encryption-secret.key -timeout 360s
2021/02/05 13:30:12 Waiting for: file:///etc/kopano/konnectd-encryption-secret.key
2021/02/05 13:30:13 File file:///etc/kopano/konnectd-encryption-secret.key had been generated
+ '[' -f /etc/kopano/konnectd-encryption-secret.key ]
+ '[' '!' -s /etc/kopano/konnectd-encryption-secret.key ]
+ CONFIG_JSON=/tmp/konnectd-identifier-registration.yaml
+ '['  '=' yes ]
+ '['  '=' yes ]
+ '[' -e /etc/kopano/konnectd.cfg ]
+ . /etc/kopano/konnectd.cfg
/usr/local/bin/wrapper.sh: .: line 121: can't open '/etc/kopano/konnectd.cfg': Permission denied

Any help is greatly appreciated.

Thank you.

After changing permissions on

/etc/kopano/konnectd.cfg
/etc/kopano/konnectd-encryption-secret.key

It looks a bit better, but still fails to read machine secret:

+ '[' -n /var/run/secrets/konnectd.machine.secret ]
+ cat /var/run/secrets/konnectd.machine.secret
cat: can't open '/var/run/secrets/konnectd.machine.secret': Permission denied

Another run and chmod …

ln -s /etc/kopano/konnectd.machine.secret /var/run/secrets/konnectd.machine.secret

still fails with

time="2021-02-05T13:40:24Z" level=debug msg="parsing identifier registration conf from /etc/kopano/konnectd-identifier-registration.yaml"
Error: failed to create client registry: open /etc/kopano/konnectd-identifier-registration.yaml: permission denied

After also adjusting these permissions - it finally started.

@fbartels - no offense, but did anyone ever test this?

The app is neither maintained by Kopano nor me, but instead by Univention directly.

I did however end up with the same problem on a single machine of mine (all others updated successfully). I uninstalled the app and removed these files one by one until the installation succeeded again.

This is all auto-generated configuration, so the worst that can happen is that existing login sessions get invalidated (well, except of course if these files have been manually edited).
