permissions with st2sensorcontainer #3528

Closed
johnarnold opened this issue Jun 28, 2017 · 2 comments

@johnarnold

(stackstorm running in docker container from st2-docker)

I wrote a sensor which uses an ssl cert+key for client authentication to an HTTP service. It needs access to /etc/ssl/certs/example.pem and /etc/ssl/private/example.key

I get an error in /var/log/st2/st2sensorcontainer.log indicating that it can't read the key:

SSLError: [Errno 336265218] _ssl.c:355: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
2017-06-28 17:39:59,804 140390371514960 ERROR icm_sensor [-] Polling ICM failed: [Errno 336265218] _ssl.c:355: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib

It looks like the st2sensorcontainer runs under the st2 account (from ps -aux). I've verified that the cert and key allow access to the ssl-cert group, and that st2 is in the group. It still doesn't work.

I know the code is good, as if I launch the sensor in a container from userspace (root account) it works just fine.

I'm at a loss for why this doesn't work correctly. Any suggestions appreciated.

@johnarnold
Author

I believe that this is a uid/guid mismatch problem; I'm just not sure how to fix it. The ssl-cert group's guid is the same in the host as in the container, but it doesn't "just work" as I would expect.

@LindsayHill
Contributor

I think it's best to just track this in StackStorm/st2-docker#43, since it's Docker-related, not core ST2. Closing this in favor of StackStorm/st2-docker#43
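
One way to narrow down a report like the one above, as an added example (not code from this issue or from StackStorm): take the credentials the running sensor process actually holds and test them against the mode bits of every component of the key path. The function names, the `start` parameter and the sample status text are hypothetical; ACLs, dropped capabilities and LSM policy are not modelled.

```python
import os

# Constructed sample of the credential lines in /proc/<pid>/status (Linux).
SAMPLE_STATUS = ("Name:\tst2sensorcontai\n"
                 "Uid:\t1000\t1000\t1000\t1000\n"
                 "Gid:\t1000\t1000\t1000\t1000\n"
                 "Groups:\t1000\n")

def parse_creds(status_text):
    """Return (effective uid, set of effective + supplementary gids)."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    uid = int(fields["Uid"][1])  # columns: real, effective, saved, fs
    gids = {int(fields["Gid"][1])} | {int(g) for g in fields.get("Groups", [])}
    return uid, gids

def _allowed(st, uid, gids, want):
    """Apply the single owner/group/other class POSIX selects for these creds."""
    if uid == 0:
        return True  # simplification: root with full capabilities bypasses the check
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((st.st_mode >> shift) & want)

def first_denied(path, uid, gids, start="/"):
    """Walk from `start` down to `path`. Return the first directory the
    credentials cannot search, or the file itself if it cannot be read,
    or None when the file is readable."""
    path, start = os.path.abspath(path), os.path.abspath(start)
    current = start
    for part in os.path.relpath(path, start).split(os.sep):
        # Search (x) permission is needed on a directory to reach its entries.
        if not _allowed(os.stat(current), uid, gids, 0o1):
            return current
        current = os.path.join(current, part)
    if not _allowed(os.stat(current), uid, gids, 0o4):
        return current
    return None
```

Inside the container, pass `parse_creds` the contents of `/proc/<pid>/status` for the st2sensorcontainer process and give `first_denied` the key path from the report; a process keeps the group list it was started with, which can differ from what `/etc/group` shows.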
