MariaDB / mariadb-docker

Docker Official Image packaging for MariaDB
https://mariadb.org
GNU General Public License v2.0

[Docker on Windows] Permission denied when running the container as an arbitrary user #382

Closed o-alquimista closed 3 years ago

o-alquimista commented 3 years ago

Context

I have been successfully running this MariaDB container as an arbitrary user on GNU/Linux. On Windows 10, for some reason, it only works if I keep using the default mysql user.


Setup

Docker Compose service definition (relevant line is user:):

  mariadb:
    build: ./build/mariadb/
    container_name: fragments-mariadb
    user: "100000:100000"
    volumes:
      - type: volume
        source: database
        target: /var/lib/mysql/
      - type: volume
        source: socket_mariadb
        target: /run/mysqld/
    networks:
      - storage

MariaDB image build:

FROM mariadb:10.5

ENV MARIADB_ROOT_PASSWORD="example"
ENV MARIADB_USER="example"
ENV MARIADB_PASSWORD="example"
ENV MARIADB_ROOT_HOST="localhost"

RUN groupadd --gid 100000 example && \
    adduser --no-create-home --uid 100000 --ingroup example --disabled-login --disabled-password --gecos "Example" example

Logs

Attaching to fragments-mariadb
fragments-mariadb | 2021-07-10 22:09:13+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.5.11+maria~focal started.
fragments-mariadb | 2021-07-10 22:09:13+00:00 [Note] [Entrypoint]: Initializing database files
fragments-mariadb | 2021-07-10 22:09:13 0 [Warning] Can't create test file /var/lib/mysql/339034a75eb6.lower-test
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] mysqld: Can't create/write to file '/var/lib/mysql/aria_log_control' (Errcode: 13 "Permission denied")
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] mysqld: Got error 'Can't create file' when trying to use aria control file '/var/lib/mysql/aria_log_control'
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] Plugin 'Aria' init function returned error.
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] Plugin 'Aria' registration as a STORAGE ENGINE failed.
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] InnoDB: Operating system error number 13 in a file operation.
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] InnoDB: The error means mysqld does not have the access rights to the directory.
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] InnoDB: Operating system error number 13 in a file operation.
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] InnoDB: The error means mysqld does not have the access rights to the directory.
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] InnoDB: Cannot open datafile './ibdata1'
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] InnoDB: Could not open or create the system tablespace. If you tried to add new data files to the system tablespace, and it failed here, you should now edit innodb_data_file_path in my.cnf back to what it was, and remove the new ibdata files InnoDB created in this failed attempt. InnoDB only wrote those files full of zeros, but did not yet use them in any way. But be careful: do not remove old data files which contain your precious data!
fragments-mariadb | 2021-07-10 22:09:13 0 [ERROR] InnoDB: Database creation was aborted with error Cannot open a file. You may need to delete the ibdata1 file before trying to start up again.
fragments-mariadb | 2021-07-10 22:09:14 0 [ERROR] Plugin 'InnoDB' init function returned error.
fragments-mariadb | 2021-07-10 22:09:14 0 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
fragments-mariadb | 2021-07-10 22:09:14 0 [ERROR] Failed to initialize plugins.
fragments-mariadb | 2021-07-10 22:09:14 0 [ERROR] Aborting
fragments-mariadb |
fragments-mariadb | Installation of system tables failed!  Examine the logs in
fragments-mariadb | /var/lib/mysql/ for more information.
fragments-mariadb |
fragments-mariadb | The problem could be conflicting information in an external
fragments-mariadb | my.cnf files. You can ignore these by doing:
fragments-mariadb |
fragments-mariadb |     shell> /usr/bin/mysql_install_db --defaults-file=~/.my.cnf
fragments-mariadb |
fragments-mariadb | You can also try to start the mysqld daemon with:
fragments-mariadb |
fragments-mariadb |     shell> /usr/sbin/mysqld --skip-grant-tables --general-log &
fragments-mariadb |
fragments-mariadb | and use the command line tool /usr/bin/mysql
fragments-mariadb | to connect to the mysql database and look at the grant tables:
fragments-mariadb |
fragments-mariadb |     shell> /usr/bin/mysql -u root mysql
fragments-mariadb |     mysql> show tables;
fragments-mariadb |
fragments-mariadb | Try 'mysqld --help' if you have problems with paths.  Using
fragments-mariadb | --general-log gives you a log in /var/lib/mysql/ that may be helpful.
fragments-mariadb |
fragments-mariadb | The latest information about mysql_install_db is available at
fragments-mariadb | https://mariadb.com/kb/en/installing-system-tables-mysql_install_db
fragments-mariadb | You can find the latest source at https://downloads.mariadb.org and
fragments-mariadb | the maria-discuss email list at https://launchpad.net/~maria-discuss
fragments-mariadb |
fragments-mariadb | Please check all of the above before submitting a bug report
fragments-mariadb | at https://mariadb.org/jira
fragments-mariadb |
fragments-mariadb exited with code 1

Am I doing something wrong?

grooverdan commented 3 years ago

With the user specified, the entrypoint no longer has the permissions to change the ownership of the volume (https://github.com/MariaDB/mariadb-docker/blob/master/docker-entrypoint.sh#L163). If you change the ownership of the top-level directory in the volume to 100000:100000 before starting, it should start correctly.
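One way to apply this advice from inside Compose itself, as an added example that is not part of the issue or of the mariadb-docker project: a one-shot root service chowns the top-level directory of both named volumes, and the unprivileged mariadb service only starts once that has completed. It assumes Docker Compose v2 (the compose specification), which supports `condition: service_completed_successfully`; the `init-volumes` service name and the `alpine:3` image are my choices, and the rest mirrors the issue's own service definition.

```yaml
# Added example: pre-chown the volumes so the entrypoint, which only chowns
# when it runs as uid 0, does not have to. Service names, image tag and
# uid:gid are constructed to match the issue's setup.
services:
  init-volumes:
    image: alpine:3
    user: "0:0"   # root inside the container, so chown on the mounts is allowed
    # Non-recursive on purpose: only the top-level directory needs to be owned
    # by the arbitrary user for a fresh initialization.
    command: ["chown", "100000:100000", "/var/lib/mysql", "/run/mysqld"]
    volumes:
      - type: volume
        source: database
        target: /var/lib/mysql/
      - type: volume
        source: socket_mariadb
        target: /run/mysqld/

  mariadb:
    build: ./build/mariadb/
    container_name: fragments-mariadb
    user: "100000:100000"   # entrypoint skips its own chown for a non-root uid
    # Start only after the init service has exited with status 0.
    depends_on:
      init-volumes:
        condition: service_completed_successfully
    volumes:
      - type: volume
        source: database
        target: /var/lib/mysql/
      - type: volume
        source: socket_mariadb
        target: /run/mysqld/
    networks:
      - storage

networks:
  storage:

volumes:
  database:
  socket_mariadb:
```

If the `database` volume already holds files written earlier by the default `mysql` user, add `-R` to the chown so existing data files become writable by the new uid as well.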

o-alquimista commented 3 years ago

Remember that issue I opened a few months ago about permission errors?

Now I'm running the container with --user set to an arbitrary user. This results in data and socket directories that are owned by this user. I find it surprising because I didn't expect that would work out of the box.

That's exactly what I'm trying to do, but using Windows instead of GNU/Linux, and Docker instead of Podman. Maybe it's due to differences between the two OSes, or differences between Docker and Podman?

grooverdan commented 3 years ago

The previous issue only executes a permission change if the user is uid=0. This is already a mapped user in podman and isn't a privileged user. What is the motivation for using user for you?

Testing your case with podman GNU/Linux:

$ podman volume create database
database

# using your Dockerfile
$ buildah bud --tag mariadb-docker:382 .
STEP 1: FROM mariadb:10.5

$   podman run -i --user=100000:100000 -v  database:/var/lib/mysql  mariadb-docker:382 
Error: lchown /home/dan/.local/share/containers/storage/volumes/database/_data: invalid argument

$   podman run -i --user=example:example -v  database:/var/lib/mysql  mariadb-docker:382 
Error: OCI runtime error: cannot setresgid to 100000: Invalid argument

(so number is probably high into the uid mappings)
(changing 100000 -> 10000 and rebuilding)

$ buildah bud --tag mariadb-docker:382 .
STEP 1: FROM mariadb:10.5
STEP 2: ENV MARIADB_ROOT_PASSWORD="example"
STEP 3: ENV MARIADB_USER="example"
STEP 4: ENV MARIADB_PASSWORD="example"
STEP 5: ENV MARIADB_ROOT_HOST="localhost"
STEP 6: RUN groupadd --gid 10000 example &&     adduser --no-create-home --uid 10000 --ingroup example --disabled-login --disabled-password --gecos "Example" example
Adding user `example' ...

$   podman run -i --user=example:example -v  database:/var/lib/mysql  mariadb-docker:382 
2021-07-12 03:23:27+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.5.11+maria~focal started.
2021-07-12 03:23:27+00:00 [Note] [Entrypoint]: Initializing database files
....
2021-07-12  3:23:31 0 [Note] Reading of all Master_info entries succeeded
2021-07-12  3:23:31 0 [Note] Added new Master_info '' to hash table
2021-07-12  3:23:31 0 [Note] mysqld: ready for connections.
Version: '10.5.11-MariaDB-1:10.5.11+maria~focal'  socket: '/run/mysqld/mysqld.sock'  port: 3306  mariadb.org binary distribution

As we see above podman is changing the ownership on the volume when the container is started.

So it seems that the Windows Docker Compose isn't changing the permissions on the volume. As the container is started as example it won't have the needed permissions to change the ownership on any non-example directory. So it cannot be fixed with any change to the mariadb container.

If there is any guidance that could help when you seek help on https://github.com/docker/for-win please let me know.

o-alquimista commented 3 years ago

What is the motivation for using user for you?

It's not so important, really. I can keep using the default mysql user. It works for me.

Maybe this issue will be helpful to future visitors who rely more on this Windows/Docker setup. I mostly use Podman and Linux.