Unable to use credentials in files using USER_FILE and PASS_FILE #28

Open
dbotamous opened this issue Jun 28, 2021 · 17 comments

Comments

@dbotamous

dbotamous commented Jun 28, 2021

In my docker-compose.yml, I tried:
- USER_FILE=/path/on/dockerhost/piauser.txt
- PASS_FILE=/path/on/dockerhost/piapass.txt

But the container would get a "file does not exist" error, so then I tried putting the files in the pia volume. Now the container is able to read the files, but fails with
PIA password not set. Unable to retrieve new auth token.

Before the addition of USER_FILE and USER_PASS I was able to reference the file in my docker-compose using USER/PASS environment variables:
- USER=/path/on/dockerhost/piauser.txt
- PASS=/path/on/dockerhost/piapass.txt

@thrnz
Owner

thrnz commented Jun 28, 2021

I added those vars for use with Docker secrets (#11), but they should still work with the user/pass files manually mounted inside the container, so I'm not sure why that would be failing.

This is what I used to test when I added them if you want to try using the secrets method instead. It should just be a matter of setting the host paths at the end:

version: '3'
services:
  vpn:
    image: thrnz/docker-wireguard-pia
    cap_add:
      - NET_ADMIN
    environment:
      - LOC=swiss
      - USER_FILE=/run/secrets/pia_username
      - PASS_FILE=/run/secrets/pia_password
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    secrets:
        - pia_username
        - pia_password

secrets:
    pia_username:
        file: /host/path/to/pia_user_file
    pia_password:
        file: /host/path/to/pia_pass_file

@dbotamous
Author

dbotamous commented Jun 28, 2021

Ok cool, I'll play around with that, and let you know.

@dbotamous
Author

Still no love.
My docker-compose:

version: '3.4'
services:
  vpn:
    image: thrnz/docker-wireguard-pia
    cap_add:
      - NET_ADMIN
    environment:
      - LOC=us_silicon_valley
      - USER_FILE=/run/secrets/pia_username
      - PASS_FILE=/run/secrets/pia_password
      - VPNDNS=84.200.69.80,192.168.0.2
      - LOCAL_NETWORK=192.168.0.0/24
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    secrets:
        - pia_username
        - pia_password

secrets:
    pia_username:
        file: /host/path/to/vpntest/piauser
    pia_password:
        file: /host/path/to/vpntest/piapass

Container logs:

user@dockerhost:~/vpntest$ docker logs vpntest_vpn_1
Tue Jun 29 20:32:30 UTC 2021: PIA password not set. Unable to retrieve new auth token.
Tue Jun 29 20:32:30 UTC 2021: Fatal error

The files exist, and if I cat them they are correct:

user@dockerhost:~/vpntest$ docker exec -it vpntest_vpn_1 bash
bash-5.1# ls -la /run/secrets/
total 16
drwxr-xr-x    2 root     root          4096 Jun 29 20:32 .
drwxr-xr-x    1 root     root          4096 Jun 29 20:32 ..
-rw-r--r--    1 1000     1000            17 Jun 29 20:30 pia_password
-rw-r--r--    1 1000     1000             9 Jun 29 20:30 pia_username
bash-5.1#

Container env:

bash-5.1# env
HOSTNAME=deed89ec4c7b
PWD=/scripts
LOC=us_silicon_valley
USER_FILE=/run/secrets/pia_username
HOME=/root
VPNDNS=84.200.69.80,192.168.0.2
LOCAL_NETWORK=192.168.0.0/24
TERM=xterm
SHLVL=1
PASS_FILE=/run/secrets/pia_password
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env

docker inspect:

"Mounts": [
               {
                   "Type": "bind",
                   "Source": "/host/path/to/vpntest/piauser",
                   "Target": "/run/secrets/pia_username",
                   "ReadOnly": true
               },
               {
                   "Type": "bind",
                   "Source": "/host/path/to/vpntest/piapass",
                   "Target": "/run/secrets/pia_password",
                   "ReadOnly": true
               }
           ],

Thanks!

@dbotamous
Author

dbotamous commented Jun 29, 2021

Also noticed this: if I run the line from get_auth_token from the run script
[ -r "$USER_FILE" ] && echo "$(date): Reading username from $USER_FILE" && USER=$(<"$USER_FILE")
I get nothing; if I cat the file I get results:

user@dockerhost:~/vpntest$ docker exec -it vpntest_vpn_1 bash
bash-5.1# [ -r "$USER_FILE" ] && echo "$(date): Reading username from $USER_FILE" && USER=$(<"$USER_FILE")
bash-5.1# cat "$USER_FILE" && echo "$(date): Reading username from $USER_FILE" && USER=$(<"$USER_FILE")
p123456
Tue Jun 29 20:51:53 UTC 2021: Reading username from /run/secrets/pia_username
bash-5.1#

@thrnz
Owner

thrnz commented Jun 29, 2021

[ -r "$USER_FILE" ] just tests to see that the file exists and is readable, and I'm not sure why it would be failing if cat works on the same file.

I don't suppose there's anything special about the underlying piapass and piauser files?

I feel like I'm overthinking this and missing something obvious here.

@dbotamous
Author

Yeah, very weird. I'm pretty sure I just used vi and pasted in the credentials. I tried recreating them but still nothing.
Also, removing the check for the file works fine... for some weird reason:

user@dockerhost:~/vpntest$ docker exec -it vpntest_vpn_1 bash
bash-5.1# cat /run/secrets/pia_username 
p123456
bash-5.1# cat $USER_FILE
p123456
bash-5.1# echo $USER

bash-5.1# echo "$(date): Reading username from $USER_FILE" && USER=$(<"$USER_FILE")
Wed Jun 30 04:25:42 UTC 2021: Reading username from /run/secrets/pia_username
bash-5.1# echo $USER
p123456
bash-5.1#

@dbotamous
Author

dbotamous commented Jun 30, 2021

I removed the check for the user_file and pass_file in the run script, ran it, and it worked.

bash-5.1# ./run
Wed Jun 30 04:42:56 UTC 2021: Reading username from /run/secrets/pia_username
Wed Jun 30 04:42:56 UTC 2021: Reading password from /run/secrets/pia_password
Wed Jun 30 04:42:56 UTC 2021: Generating auth token
Fetching next-gen PIA server list
Verified OK
Verified server list
Registering public key with PIA endpoint; id: us_silicon_valley, cn: siliconvalley402, ip: 154.21.212.65
Generating /etc/wireguard/wg0.conf
Using custom DNS servers: 84.200.69.80,192.168.0.2
Successfully generated /etc/wireguard/wg0.conf
Wed Jun 30 04:42:59 UTC 2021: Bringing up WireGuard interface wg0
[#] ip link add wg0 type wireguard
...
...
...
Wed Jun 30 04:42:59 UTC 2021: WireGuard successfully started
Wed Jun 30 04:42:59 UTC 2021: Allowing network access to 192.168.80.2/20 on eth0
Wed Jun 30 04:42:59 UTC 2021: Firewall enabled: Blocking non-WireGuard traffic
Wed Jun 30 04:42:59 UTC 2021: Allowing network access to 192.168.0.0/24
Wed Jun 30 04:42:59 UTC 2021: Adding route to 192.168.0.0/24

@thrnz
Owner

thrnz commented Jun 30, 2021

I don't suppose replacing the check with [ -e "$USER_FILE" ] also fails?

@dbotamous
Author

bash-5.1# [ -r "$USER_FILE" ] && echo "yep" || echo "nope"
nope
bash-5.1# [ -f "$USER_FILE" ] && echo "yep" || echo "nope"
yep
bash-5.1# echo test > file
bash-5.1# cat file
test
bash-5.1# [ -r /scripts/file ] && echo "yep" || echo "nope"
nope
bash-5.1# [ -f /scripts/file ] && echo "yep" || echo "nope"
yep
bash-5.1# ls -la
total 52
drwxr-xr-x    1 root     root          4096 Jun 30 05:39 .
drwxr-xr-x    1 root     root          4096 Jun 30 05:06 ..
-rw-r--r--    1 root     root             5 Jun 30 05:39 file
-rwxrwxrwx    1 root     root           577 Jun 30 05:29 filetest.sh
-rwxr-xr-x    1 root     root          9550 Jun 25 05:02 pf.sh
-rwxr-xr-x    1 root     root          1163 Jun 25 05:02 pf_success.sh
-rwxr-xr-x    1 root     root          1179 Jun 25 05:02 pia-auth.sh
-rwxr-xr-x    1 root     root          7724 Jun 25 05:02 run
-rwxr-xr-x    1 root     root          7510 Jun 25 05:02 wg-gen.sh
bash-5.1# [ -e "$USER_FILE" ] && echo "yep" || echo "nope"
yep
bash-5.1# 

@thrnz
Owner

thrnz commented Jun 30, 2021

Interesting that it's happening on other files as well, but very bizarre. I wonder if it would still fail after installing coreutils (apk add coreutils) in the container, though that might be clutching at straws.

@dbotamous dbotamous reopened this Jun 30, 2021
@dbotamous
Author

Does [ -r "/some/random/file" ] work for you? Or is this just a "me" issue?

I can try in another docker host I guess.

@dbotamous
Author

I tried on another host (albeit both hosts are Ubuntu 18.04) and got the same result.

@thrnz
Owner

thrnz commented Jun 30, 2021

[ -r /file/path ] should return true for any file that exists and is readable. Does [[ -r /file/path ]] fail as well? Does it also fail outside of the container when run against the same file?

I'll spin up an Ubuntu 18.04 VM later and see if I can reproduce it, but I haven't had any luck doing so yet (on Debian Buster).
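The checks traded back and forth above (-r reporting "nope" while -f and -e report "yep", and the suggestion to run the same test outside the container) can be bundled into one diagnostic. The script below is an added example, not code from this thread or from the docker-wireguard-pia scripts; the function names probe_file and read_secret_file are my own, and the sample path is constructed. probe_file prints what each test claims and then attempts a real read, so a line "-r no" next to "read yes" pins the disagreement on the -r test rather than on the file. read_secret_file shows the defensive alternative that the thread stumbled onto by deleting the check: open the file and read it, and treat a failed read (not a failed -r) as the error condition, so a credential is never silently left unset.

```shell
#!/bin/sh
# Added example, not code from the docker-wireguard-pia project or this thread.
# probe_file and read_secret_file are hypothetical names chosen here.

# probe_file PATH
# Print one "<test> yes|no" line for each of -e, -f and -r, then one line
# "read yes|no" for an actual read attempt. "-r no" next to "read yes" means
# the -r test disagrees with what the kernel actually allows, which is the
# symptom reported in this issue.
probe_file() {
    path="$1"
    if [ -e "$path" ]; then echo "-e yes"; else echo "-e no"; fi
    if [ -f "$path" ]; then echo "-f yes"; else echo "-f no"; fi
    if [ -r "$path" ]; then echo "-r yes"; else echo "-r no"; fi
    if cat -- "$path" >/dev/null 2>&1; then echo "read yes"; else echo "read no"; fi
}

# read_secret_file PATH
# Print the first line of PATH with its trailing newline stripped. The file is
# read directly instead of being gated on [ -r ], so a misleading -r result
# cannot leave a credential unset. Exit status: 0 on success, 1 if PATH is
# empty, 2 if the file cannot be opened or its first line is empty.
read_secret_file() {
    path="$1"
    value=""
    [ -n "$path" ] || return 1
    # read returns non-zero at EOF when the last line has no newline, so a
    # non-empty value is accepted in that case too. stderr is silenced before
    # the input redirection so an open failure produces no noise.
    { IFS= read -r value || [ -n "$value" ]; } 2>/dev/null < "$path" || return 2
    [ -n "$value" ] || return 2
    printf '%s\n' "$value"
}

# Stand-alone use: sh probe.sh /run/secrets/pia_username
if [ $# -gt 0 ]; then
    probe_file "$1"
fi
```

Running probe_file against the same credential file from inside the container and again on the host narrows the variable to the container runtime versus the file itself, which is the comparison suggested above. The script is plain POSIX sh, so it behaves the same under bash and under the busybox shell in an Alpine image.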

@thrnz
Owner

thrnz commented Jul 1, 2021

Everything seems to be working normally for me in a freshly created Ubuntu 18.04 VM:

user@ubuntuvm:~/wg-test$ ll
total 20
drwxrwxr-x 2 user user 4096 Jun 30 22:24 ./
drwxr-xr-x 5 user user 4096 Jun 30 22:23 ../
-rw-r--r-- 1 user user  582 Jun 30 22:26 docker-compose.yml
-rw-r--r-- 1 user user   21 Dec  2  2020 pia_pass
-rw-r--r-- 1 user user    9 Dec  2  2020 pia_user
user@ubuntuvm:~/wg-test$ cat docker-compose.yml
version: '3.4'
services:
  vpn:
    image: thrnz/docker-wireguard-pia
    cap_add:
      - NET_ADMIN
    environment:
      - LOC=nz
      - USER_FILE=/run/secrets/pia_username
      - PASS_FILE=/run/secrets/pia_password
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    secrets:
      - pia_username
      - pia_password

secrets:
    pia_username:
        file: ./pia_user
    pia_password:
        file: ./pia_pass

user@ubuntuvm:~/wg-test$ sudo docker-compose up -d
Creating network "wg-test_default" with the default driver
Creating wg-test_vpn_1 ... done
user@ubuntuvm:~/wg-test$ sudo docker-compose logs
Attaching to wg-test_vpn_1
vpn_1  | Thu Jul  1 00:52:08 UTC 2021: Reading username from /run/secrets/pia_username
vpn_1  | Thu Jul  1 00:52:08 UTC 2021: Reading password from /run/secrets/pia_password
vpn_1  | Thu Jul  1 00:52:08 UTC 2021: Generating auth token
vpn_1  | Fetching next-gen PIA server list

user@ubuntuvm:~/wg-test$ sudo docker-compose exec vpn bash
bash-5.1# [ -r $USER_FILE ] && echo File exists and is readable || echo File not found or unreadable
File exists and is readable
bash-5.1# [ -r /scripts/pf.sh ] && echo File exists and is readable || echo File not found or unreadable
File exists and is readable
bash-5.1# [ -r /some/file/that/doesnt/exist ] && echo File exists and is readable || echo File not found or unreadable
File not found or unreadable

@dbotamous
Author

So weird!
I took your exact docker-compose.yml. It worked fine on Mac. I used the EXACT same docker-compose.yml on both my Ubuntu 18.04 docker hosts, and it doesn't work.

I don't get it.

@thrnz
Owner

thrnz commented Jul 4, 2021

Kinda clutching at straws, but I don't suppose [[ instead of [ happens to work as expected? e.g. [[ -r $USER_FILE ]]

@dbotamous
Author

Totally forgot about this issue, sorry.
No, [[ did not work:

bash-5.1# [[ -r $USER_FILE ]] && echo File exists and is readable || echo File not found or unreadable
File not found or unreadable

So weird! I don't understand what is different with my setup.
