3.4.0 mender-server set up failed

I followed the 3.4.0 document to set up the mender-server.
https://docs.mender.io/3.4/server-installation/installation-with-docker-compose#close

But there are two container can’t be create, I can’t create the first user.

menderproduction_mender-device-auth_1
menderproduction_mender-useradm_1

I tried to use docker logs to check the error.
It showed:

failed to read rsa private key: failed to read server private key file: open /etc/deviceauth/rsa/private.pem: permission denied

failed to read rsa private key: failed to read server private key file: open /etc/useradm/rsa/private.pem: permission denied

But I didn’t find the private.pem file in that place, I don’t know how to fix the problem.

By the way, the same the same process I create 3.3.0 mender-server demo and enterprise is OK.
Is there any new step I need to do in 3.4.0 version?

2022/10/27 Update

I solved the issue.

See that his data volume is bound /production/keys-generated/keys/deviceauth/private.key
Check whether this private.key has permission

found no permission

$ chmod +777 ~/mender-server/production/keys-generated/keys/useradm/private.key
$ chmod +777 ~/mender-server/production/keys-generated/keys/deviceauth/private.key

$ sudo ~/mender-server/production/run up -d

Change the permissions to full and start again, and you will see the useradm and deviceauth can be activated!

You also can check the 3.3.0’s private.key permission and change the 3.4.0’s to the same permission.

2 Likes

Hello,

I have the same problem but clearly this is not the right solution. It works, yes obviously, but private key should not be accessible to world.
On my v3.3 private key was permissions 600 and I guess you have the same on v3.4 (I have this.).

Anybody having the same issue with a more convenient solution for that ?

Joel

Hi @joelguittet,

one way should be to adjust the prod.yml to use the actual UID/GID like this:

 mender-useradm:
     command: server --automigrate
     user: "${UID}:${GID}"

Having said that, we strongly recommend. using the k8s version of the server setup.

Greetz,
Josef

1 Like

I tried to let the permission to the less. And it can works when I use 004 permission.

3 Likes

I needed to add your ‘user: …’ line to mender-device-auth as well.

After those two changes, all containers were fine.

1 Like