[ https://issues.apache.org/jira/browse/GUACAMOLE-1375?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17380229#comment-17380229 ]
Mike Jumper commented on GUACAMOLE-1375:
----------------------------------------
Please don't open a bug report if you simply have questions about Guacamole.
The [email protected] mailing list would be the place for that:
http://guacamole.apache.org/support/#mailing-lists
{quote}
The guacd-docker image runs under user guacd and not root, so even if I exec
into the container I can't run it manually either.
{quote}
{{docker exec}} allows you to run commands as any user:
https://docs.docker.com/engine/reference/commandline/exec/
You could also just use the {{guacamole/guacd}} image as the base image in your
own {{Dockerfile}} and run things like {{update-ca-certificates}} at image
build time.
> GUACD Docker Image - Can not run update-ca-certificates successfully
> ---------------------------------------------------------------------
>
> Key: GUACAMOLE-1375
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1375
> Project: Guacamole
> Issue Type: Improvement
> Components: guacd-docker
> Affects Versions: 1.3.0
> Environment: Docker
> Reporter: Nicolas Köhl
> Priority: Minor
> Labels: Certificate
>
> When running GUACD-Docker image, in order to inject private CA certificates
> into the certificate store, one is supposed to run update-ca-certificates in
> order to rebuild the ca_certificates.crt file in /etc/ssl/certs folder to
> include the additional CAs. I was able to place the 3 root certificates via
> a bind mount into /usr/local/share/ca-certificates. When I run
> *update-ca-certificates* as a command in the docker container at
> _entrypoint_, it fails due to a permissions limitation.
> The error message shown is that the command does not have permission to
> create the symbolic link in the folder /etc/ssl/certs and the docker image
> will fail to deploy.
> ln: failed to create symbolic link '/etc/ssl/certs/xxxxxxxx.pem': Permission
> denied
> The guacd-docker image runs under user guacd and not root, so even if
> I exec into the container I can't run it manually either. I realize this is a
> good security measure but I'm wondering how to do this properly?
> I'm hoping that guacd reads /etc/ssl/certs/ca_certificates.crt to
> authenticate RDP connections, but I won't be able to RDP and verify any
> certificate based off my private PKI infrastructure until I can add trusted
> roots to that store.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
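
Added example, not part of the original message or of the Guacamole project's own files: a Dockerfile for the approach suggested in the comment above, using guacamole/guacd as the base image and running update-ca-certificates at build time. The certs/ directory and the 1.3.0 tag (taken from the issue's Affects Versions field) are assumptions.

```dockerfile
# Added example: derive an image from guacamole/guacd and rebuild the CA
# bundle at build time, while root is still available.
# Tag assumed from the issue's "Affects Versions" field; adjust to your release.
FROM guacamole/guacd:1.3.0

# The base image ends with a non-root USER, so switch to root only for the
# steps that write to /etc/ssl/certs.
USER root

# certs/ is a hypothetical directory in the build context holding the private
# root CAs in PEM format. update-ca-certificates only picks up files whose
# names end in .crt.
COPY certs/*.crt /usr/local/share/ca-certificates/

# Rebuild the CA bundle and the symbolic links in /etc/ssl/certs. This is the
# step that fails with "Permission denied" when run as guacd at entrypoint.
RUN update-ca-certificates

# Drop privileges again so the container still runs guacd as the
# unprivileged user named in the issue.
USER guacd
```

With the CAs baked into the image, the runtime bind mount into /usr/local/share/ca-certificates and the entrypoint call are no longer needed, and the running container never requires root.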