I am able to get the Smallstep Step-CA container to run in OrbStack on macOS.
I found a bit about accessing logs and troubleshooting Docker, and have some update info.
When I try to run the Docker command from the CLI on TrueNAS Scale 24.10.2, I get the following in the logs:
$ sudo docker logs bc430227e0e1
open /home/step/contexts.json failed: permission denied
/entrypoint.sh: line 56: /password: Permission denied
I then added some flags to give more detailed output when running the entrypoint.sh script.
$ sudo docker run --entrypoint /bin/bash -v /mnt/tank/apps/step-ca/step:/home/step \
-p 9000:9000 \
-e "DOCKER_STEPCA_INIT_NAME=Smallstep" \
-e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,truenas.home,truenas.home.arpa,stepca.home,stepca.home.arpa" \
smallstep/step-ca -x /entrypoint.sh
+ set -eo pipefail
++ step path
open /home/step/contexts.json failed: permission denied
+ export STEPPATH=
+ STEPPATH=
+ REQUIRED_INIT_VARS=('DOCKER_STEPCA_INIT_NAME' 'DOCKER_STEPCA_INIT_DNS_NAMES')
+ declare -ra REQUIRED_INIT_VARS
+ '[' -f /usr/sbin/pcscd ']'
+ '[' '!' -f /config/ca.json ']'
+ init_if_possible
+ local missing_vars=0
+ for var in "${REQUIRED_INIT_VARS[@]}"
+ '[' -z Smallstep ']'
+ for var in "${REQUIRED_INIT_VARS[@]}"
+ '[' -z localhost,nas.home,nas.home.arpa,stepca.home,stepca.home.arpa ']'
+ '[' 0 = 1 ']'
+ step_ca_init
+ DOCKER_STEPCA_INIT_PROVISIONER_NAME=admin
+ DOCKER_STEPCA_INIT_ADMIN_SUBJECT=step
+ DOCKER_STEPCA_INIT_ADDRESS=:9000
+ setup_args=('--name' 'Smallstep' '--dns' 'localhost,nas.home,nas.home.arpa,stepca.home,stepca.home.arpa' '--provisioner' 'admin' '--password-file' '/password' '--provisioner-password-file' '/provisioner_password' '--address' ':9000')
+ local -a setup_args
+ '[' -n '' ']'
+ '[' -n '' ']'
+ generate_password
/entrypoint.sh: line 56: /password: Permission denied
From this, it looks like the STEPPATH variable is not being set at all. It works in OrbStack on macOS, but the step path command is not returning anything when starting the container on EE. I’m getting this:
open /home/step/contexts.json failed: permission denied
I don’t know why the step path command is failing here. (See this line in the entrypoint script.) Maybe it has something to do with the storage volume I’m passing through? But other apps have not had the same sort of problem with “apps” datasets in the same hierarchy.
The /home/step directory is mapped from apps storage in EE. The apps user should have access to it via the ACL. I’ve tried changing from the “modify” setting to the “full control” setting, making the change recursively for that path in the Dataset editor. No change.
I had also deleted and re-created the apps storage path (everything under /mnt/tank/apps related to “step-ca”) and recreated “step-ca” there. No change.
I had also tried to run the container with root permissions. No change.
I think I will next try moving away from host storage and try iX storage, just to see what happens.
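
The trace above shows `step path` failing and the script continuing with an empty STEPPATH, which is why the second error names `/password` at the filesystem root. The sketch below is an added example, not part of the original post or the smallstep entrypoint; `step_path_stub` and both function names are hypothetical, and the fragile form is assumed from the `+ export STEPPATH=` trace line.

```shell
#!/bin/sh
# Added illustration, not the smallstep entrypoint. step_path_stub is a
# hypothetical stand-in for `step path`: it fails when the directory is
# unreadable, as /home/step was in the trace above.
step_path_stub() {
    if [ -r "$1" ] && [ -x "$1" ]; then
        printf '%s\n' "$1"
    else
        echo "open $1/contexts.json failed: permission denied" >&2
        return 1
    fi
}

# Fragile pattern (assumed from the "+ export STEPPATH=" trace line):
# export returns 0 even when the command substitution fails, so set -e
# never fires and the password file path collapses to "/password".
fragile_password_file() {
    export STEPPATH="$(step_path_stub "$1" 2>/dev/null)"
    status=$?
    printf '%s %s\n' "$status" "${STEPPATH}/password"
}

# Checked pattern: assign first so the failure status is visible, then
# refuse to continue with an empty or unwritable path.
checked_password_file() {
    resolved=$(step_path_stub "$1" 2>/dev/null) || return 1
    [ -n "$resolved" ] && [ -w "$resolved" ] || return 1
    export STEPPATH="$resolved"
    printf '%s\n' "${STEPPATH}/password"
}

missing=/nonexistent/steppath-demo   # constructed: a path the stub cannot read
fragile_password_file "$missing"     # reports status 0 and the path /password
checked_password_file "$missing" || echo "refusing to continue: step path failed"
```

With the checked form, the run stops at the first permission error on the mounted directory instead of later trying to write a CA password file to `/`.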