I have postgres docker image, which can be deployed on Bluemix Containers. It works fine. But when I attached volume, container fails with permission error.
I am using $PGDATA as /var/lib/postgresql/data.
Entry point script, I have mentioned, sudo chown -R postgres /var/lib/postgresql/data. Also I have mounted volume using option -v data1:/var/lib/postgresql/data
But when I start container, chown always fails with 'Permission Error'.
I have added postgres user as part of root group.
But it still gives me same error.
chown: changing ownership of ?/var/lib/postgresql/data?: Permission denied
How do I fix this issue?
I found a way arround adding postgress to root group (which is a security flaw in my eyes).
At first you make the volume writable for everyone, then add an folder in the volume with the user you want to run your daemon with (in your case postgres). After this you can reset the volumes access right to default again.
I use this snippet in my entrypoint scripts on setup time:
chsh -s /bin/bash www-data
chmod 777 /var/www
su -c "mkdir -p /var/www/html" www-data
chmod 755 /var/www
usermod -s /bin/false www-data
Instead of chown volume directory to postgres user, change its permission to allow group write:
$ chmod g+w $PGDATA
Since you already added root group to user postgres it should work now.
Related
I am beginner docker user.
I installed docker and postgresql in Mac OS.
and why most of documents mention the directory
/var/lib/postgresql/data as an volume setting???
Because in my local directory, there is not existed /var/lib/postgresql..
Is it default option? or am I missing something?
Yes, correct, /var/lib/postgresql does not exist on your local computer, but it does in the created container. The volumes parameter is used to associate the local data with the container data, in order to preserve the data in case the container crashes
For example:
volumes:
- ./../database/main:/var/lib/postgresql/data
Above we link the local directory from the left side to the container directory
If you are using official PostgreSQL image from Docker Hub, then you can check the contents of its Dockerfile. E.g. here is a fragment of postgres:15 image responsible for data directory:
ENV PGDATA /var/lib/postgresql/data
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
VOLUME /var/lib/postgresql/data
As you can see Postgres is configured to have data in that directory. And to persist the data even if container is stopped and removed, the volume is created. Volumes have lifetime independent of the container which allows them to "survive".
When I try to do a mongodump :
mongodump -u aaa -p abc123 --authenticationDatabase admin -d TestDb --gzip --out /var/backups/dump-25-05-22/mybackup.gz
inside my mongodb pod (kubectl exec -t <pod_name> --bash> I am getting an error :
Failed: error dumping metadata: error creating directory for metadata file /var/backups/...: permission denied
For context I do not have access to the host machine where the k8s instance is running, I can only do kubectl commands so the issue can only be fixed from K8S side.
These are the current permissions on the mount path (/var/backups) :
ls -la
drwxr-xr-x 2 root root 4096 Jun 11 2021 .
drwxr-xr-x 1 root root 4096 Jun 11 2021 ..
I have also tried the following :
1.
sudo chmod 777 -R /var/backups/
bash: sudo: command not found
chmod 777 -R /var/backups/
error changing permissions of '/var/backups/': Operation not permitted
Tried to enable sudo mode (Requires password and I dont know it)
su -
Having done a lot of digging around this the best solution I have is to tweak the mongo Dockerfile and build my own custom image.
The only feasible solution I found is at this link and it says "Configure mongo to run as root via editing the mongo config and copying it during the docker build process. This assumes you're using a docker file to build that image. Then it will have no problem accessing the attached volume."
My question(s):
Given an example Dockerfile as below how would I make the so-called mongod user run as root ? :
FROM mongo:3.2
COPY entrypoint.sh /root/entrypoint.sh
RUN chown -R mongodb:mongodb /var/log /data/db
USER mongodb
ENTRYPOINT ["/root/entrypoint.sh"]
At which level is this mongodb user accessible ? I have checked the users in the mongodb container but they is no entry for such (Unless Im missing something obvious) :
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats
I try to start postgresql : /usr/pgsql-11/bin/pg_ctl -D appli/postgres/data/ -l logfile start
but I don't understand why I have always this error in my logfile :
FATAL: could not create lock file "/var/run/postgresql/.s.PGSQL.5432.lock": Permission denied
I tried to change permission but I get always Permission denied :
chown -R postgres:postgres /var/run/postgresql
chmod 755 /var/run/postgresql
Edit postgresql.conf and change unix_socket_directoriesback to the factory default value /tmp.
Alternatively, start PostgreSQL as operating system user postgres.
If you installed from source, the directory should probably be '/tmp'. If you installed from a repository, the shipped start-up script should handle the permissions for you. Why not use that rather than running pg_ctl yourself?
I had the same problem and what did it for me was creating the directory "postgresql" which didn't exist previously for some bizarre reason and running
sudo chown postgres /var/run/postgresql
after that pg_ctl was able to create the lock file without problems.
I ran into it with an alpine docker image. As it turned out they changed the default:
Using /tmp for sockets allows everyone to spoof a PostgreSQL server.
There are 2 options:
Create the /run/postgresql dir:
mkdir /run/postgresql && chown postgres: /run/postgresql
Change unix_socket_directories in postgresql.conf (unix_socket_directories = '/tmp').
This is what I enter:
user#user-computer:/usr/lib/postgresql/9.4/bin$ ./postgres -D /etc/postgresql/9.4/main/
This is what I get:
[4173-1] FATAL: could not access private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied
Can anyone help me? should I change permissions on ss-cert...key file?
The error happens because you're trying to launch PostgreSQL as your own unpriviledged user, and it's not meant to run like that.
Ubuntu provides PostgreSQL packaged in a way that it should be launched with:
$ sudo /etc/init.d/postgresql start
# or
$ sudo service postgresql start
or for finer-grained control with pg_ctlcluster, see
http://manpages.ubuntu.com/manpages/trusty/man8/pg_ctlcluster.8.html
This can happen when the postgres user doesnt belong to ssl-cert usergroup
Try adding postgres user to the group ssl-cert
make sure that postgres is the owner of /var/lib/postgresql/version_no/main
eg: sudo chown postgres -R /var/lib/postgresql/9.6/main/
Run the below code to fix the usergroup issue and fixing the permissions
# > It happened to me and it turned out that I removed erroneously the postgres user from "ssl-cert" group, set it back with
sudo gpasswd -a postgres ssl-cert
# Fixed ownership and mode
sudo chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 740 /etc/ssl/private/ssl-cert-snakeoil.key
# now postgresql starts! (and install command doesn't fail anymore)
sudo service postgres restart
#also try running pg_ctlcluster <version> <cluster> <action>
sudo pg_ctlcluster 9.6 main start
courtsey to GabLeRoux
I'm trying to run postgresql in docker container, but of course I need to have my database data to be persistent, so I'm trying to use data only container which expose volume to store database at this place.
So, my data container has such Dockerfile:
FROM ubuntu
# Create data directory
RUN mkdir -p /data/postgresql
# Create /data volume
VOLUME /data/postgresql
Which I run:
docker run --name postgresql_data lyapun/postgresql_data true
In my postgresql.conf I set:
data_directory = '/data/postgresql'
Then I run my postgresql container in such way:
docker run -d --name postgre --volumes-from postgresql_data lyapun/postgresql
And I got:
2014-07-04 07:45:57 GMT FATAL: data directory "/data/postgresql" has wrong ownership
2014-07-04 07:45:57 GMT HINT: The server must be started by the user that owns the data directory.
How to deal with this issue? I googled a lot to find some information about using postgresql with docker volumes, but I didn't found anything.
Thanks!
Ok, seems like I found workaround for this issue.
Instead of running postgres in such way:
CMD ["/usr/lib/postgresql/9.1/bin/postgres", "-D", "/var/lib/postgresql/9.1/main", "-c", "config_file=/etc/postgresql/9.1/main/postgresql.conf"]
I wrote bash script:
chown -Rf postgres:postgres /data/postgresql
chmod -R 700 /data/postgresql
sudo -u postgres /usr/lib/postgresql/9.1/bin/postgres -D /var/lib/postgresql/9.1/main -c config_file=/etc/postgresql/9.1/main/postgresql.conf
And replaced CMD in postgresql image to:
CMD ["bash", "/run.sh"]
It works!
You have to set ownership of directory /data/postgresql to the same user, under which you are running your postgresql binary. For example, in Ubuntu it is usually postgres user.
Then you have to use this command:
chown postgres.postgres /data/postgresql
A better way to solve that issue, assuming your postgres images is named "postgres" and that your backup is ./backup.tar:
First, add this to your postgres Dockerfile:
VOLUME ["/etc/postgresql", "/var/log/postgresql", "/var/lib/postgresql"]
Then run:
docker run -it --name postgres -v $(pwd):/db postgres sh -c "tar xvf /db/backup.tar --no-overwrite-dir" && \
docker run -it --name data --volumes-from postgres busybox true && \
docker rm postgres && \
docker run -it --name postgres --volumes-from=data postgres
You don't have permission issues since the archive is extracted by the postgres user of your postgres image, so it is the owner of the extracted files.
You can then backup your data using the data container. The advantage of this solution is that you don't chmod/chown every time you run the image.
This type of errors is quite common when you link a NTFS directory into your docker container. NTFS directories don't support ext3 file & directory access control.
The only way to make it work is to link directory from a ext3 drive into your container.
I got a bit desperate when I played around Apache / PHP containers with linking the www folder. After I linked files reside on a ext3 filesystem the problem disappear.
I published a short Docker tutorial on youtube, may it helps to understand this problem: https://www.youtube.com/watch?v=eS9O05TTFjM