Permission denied on config

I'm running Logstash 6.5.4 in Docker with my custom configuration. However, the configuration cannot be read by Logstash. There are exceptions regarding file reading not being enabled. I've tried setting permissions at different levels. The Dockerfile now contains group and owner permissions on the folder, but I've tried permissions on the file itself as well. Also, chmod permissions were tried on the folder itself.
The container starts and executes the lines in the exception and then restarts.

Dockerfile:

FROM docker.elastic.co/logstash/logstash:6.5.4
RUN rm -f /usr/share/logstash/pipeline/logstash.conf
COPY pipeline.conf /usr/share/logstash/pipeline/
USER root
RUN chown -R logstash /usr/share/logstash/pipeline && chgrp -R logstash /usr/share/logstash/pipeline && chmod ug+rwxs /usr/share/logstash/pipeline/pipeline.conf

Exception:

09/01/2019 10:06:47[2019-01-09T09:06:47,744][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
09/01/2019 10:06:47[2019-01-09T09:06:47,754][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
09/01/2019 10:06:48[2019-01-09T09:06:48,176][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.5.2"}
09/01/2019 10:06:48[2019-01-09T09:06:48,197][INFO ][logstash.agent           ] No persistent UUID file found. Generating new UUID {:uuid=>"1345747c-d3e3-4b51-94fd-a698b631d244", :path=>"/usr/share/logstash/data/uuid"}
09/01/2019 10:06:48[2019-01-09T09:06:48,864][ERROR][logstash.config.sourceloader] Could not fetch all the sources {:exception=>Errno::EACCES, :message=>"Permission denied - /usr/share/logstash/pipeline/pipeline.conf", :backtrace=>["org/jruby/RubyIO.java:3600:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:71:in `block in read'", "org/jruby/RubyArray.java:1734:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:61:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:94:in `read'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/local.rb:190:in `local_pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/multi_local.rb:26:in `block in pipeline_configs'", "org/jruby/RubyArray.java:2486:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/config/source/multi_local.rb:21:in `pipeline_configs'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:61:in `block in fetch'", "org/jruby/RubyArray.java:2481:in `collect'", "/usr/share/logstash/logstash-core/lib/logstash/config/source_loader.rb:60:in `fetch'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:150:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:101:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:362:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
09/01/2019 10:06:48[2019-01-09T09:06:48,872][ERROR][logstash.agent           ] An exception happened when converging configuration {:exception=>RuntimeError, :message=>"Could not fetch the configuration, message: Permission denied - /usr/share/logstash/pipeline/pipeline.conf", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/agent.rb:157:in `converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:101:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/runner.rb:362:in `block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}
09/01/2019 10:06:49[2019-01-09T09:06:49,091][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

I'd suggest setting USER logstash again at the end of your Dockerfile.

Also, on some systems, we rely on the config being readable by the root group (GID 0). The ideal permissions for the file are probably:

0440 logstash:root

or, numerically speaking:

0440 1000:0 (edited, I had the UID and GID backwards!)

It's not super important, but putting the execute, setuid, and setgid bits on the config file is probably not a good idea.
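
An added example, not part of the original posts or of the Logstash project: a small Python check that applies the reply's advice (readable by UID 1000 or by GID 0, no execute/setuid/setgid bits) to a file's mode and ownership, using the kernel rule that only one permission class is consulted per access. The primary GID 1000 for the image's default user and the stand-in UID 12345 are assumptions.

```python
import os
import stat
import sys

# From the reply above: suggested mode 0440, owner UID 1000 (logstash), group GID 0 (root).
# Assumptions: the image's default user has primary GID 1000, and 12345 stands in for an
# arbitrary non-root UID that a platform assigns together with GID 0.
RUNTIME_IDS = {"uid 1000": (1000, {1000}), "arbitrary uid, gid 0": (12345, {0})}


def can_read(perms, owner_uid, owner_gid, proc_uid, proc_gids):
    """Apply the kernel's rule: exactly one permission class is consulted."""
    if proc_uid == owner_uid:
        return bool(perms & stat.S_IRUSR)
    if owner_gid in proc_gids:
        return bool(perms & stat.S_IRGRP)
    return bool(perms & stat.S_IROTH)


def audit(mode, owner_uid, owner_gid):
    """Return findings for a pipeline config with this st_mode and ownership."""
    perms = stat.S_IMODE(mode)  # drop the file-type bits, keep permission bits
    findings = []
    for label, (uid, gids) in RUNTIME_IDS.items():
        if not can_read(perms, owner_uid, owner_gid, uid, gids):
            findings.append(f"EACCES expected for {label}")
    if perms & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    if perms & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    return findings


def audit_path(path):
    """Audit a file on disk, e.g. inside the built image."""
    st = os.stat(path)
    return audit(st.st_mode, st.st_uid, st.st_gid)


if __name__ == "__main__":
    # Usage: python audit_conf.py /usr/share/logstash/pipeline/pipeline.conf
    problems = audit_path(sys.argv[1])
    print("\n".join(problems) or "ok")
    sys.exit(1 if problems else 0)
```

A file copied in as root:root with mode 0600 fails both read checks, which matches the `Errno::EACCES` in the log; `chmod ug+rwxs` fixes readability for the owner but trips the setuid/setgid and execute findings.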
