Closed bsutton closed 7 months ago
What options does your container runtime provide? Is it a rootless mode?
The mysql id of 999 is fixed in the container.
$ ls -la build-mariadb-server-10.11-datadir/
total 111012
drwxr-xr-x. 6 dan dan 260 Jan 16 09:53 .
drwxrwxrwt. 24 root root 600 Jan 16 09:53 ..
-rw-rw----. 1 dan dan 417792 Jan 16 09:53 aria_log.00000001
-rw-rw----. 1 dan dan 52 Jan 16 09:53 aria_log_control
-rw-rw----. 1 dan dan 910 Jan 16 09:53 ib_buffer_pool
-rw-rw----. 1 dan dan 12582912 Jan 16 09:51 ibdata1
-rw-rw----. 1 dan dan 100663296 Jan 16 09:51 ib_logfile0
-rw-rw----. 1 dan dan 0 Jan 16 09:51 multi-master.info
drwx------. 2 dan dan 1800 Jan 16 09:51 mysql
-rw-r--r--. 1 dan dan 15 Jan 16 09:51 mysql_upgrade_info
drwx------. 2 dan dan 60 Jan 16 09:51 performance_schema
drwx------. 2 dan dan 2120 Jan 16 09:51 sys
drwx------. 2 dan dan 60 Jan 16 09:51 test
/tmp
$ podman run --userns=keep-id:uid=999,gid=999 -v ./build-mariadb-server-10.11-datadir:/var/lib/mysql --rm mariadb:10.11
2024-01-15 23:01:23+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.11.6+maria~ubu2204 started.
2024-01-15 23:01:23+00:00 [Note] [Entrypoint]: MariaDB upgrade not required
2024-01-15 23:01:23 0 [Note] Starting MariaDB 10.11.6-MariaDB-1:10.11.6+maria~ubu2204 source revision fecd78b83785d5ae96f2c6ff340375be803cd299 as process 1
...
$ podman exec -ti jolly_jepsen ps -ef
UID PID PPID C STIME TTY TIME CMD
mysql 1 0 0 23:01 ? 00:00:00 mariadbd
mysql 33 0 0 23:03 pts/0 00:00:00 ps -ef
I'm also curious why are host volume mounts used instead of named volumes?
I don't know what 'rootless mode' is.
The host is running ubuntu.
On the host, 999 gets mapped to whatever app first creates a system user so it is essentially random on the host which is why I'm looking to explicitly control it.
On Tue, Jan 16, 2024 at 10:07 AM Daniel Black @.***> wrote:
What options does your container runtime provide? Is it a rootless mode?
The mysql id of 999 is fixed in the container.
$ ls -la build-mariadb-server-10.11-datadir/ total 111012 drwxr-xr-x. 6 dan dan 260 Jan 16 09:53 . drwxrwxrwt. 24 root root 600 Jan 16 09:53 .. -rw-rw----. 1 dan dan 417792 Jan 16 09:53 aria_log.00000001 -rw-rw----. 1 dan dan 52 Jan 16 09:53 aria_log_control -rw-rw----. 1 dan dan 910 Jan 16 09:53 ib_buffer_pool -rw-rw----. 1 dan dan 12582912 Jan 16 09:51 ibdata1 -rw-rw----. 1 dan dan 100663296 Jan 16 09:51 ib_logfile0 -rw-rw----. 1 dan dan 0 Jan 16 09:51 multi-master.info drwx------. 2 dan dan 1800 Jan 16 09:51 mysql -rw-r--r--. 1 dan dan 15 Jan 16 09:51 mysql_upgrade_info drwx------. 2 dan dan 60 Jan 16 09:51 performance_schema drwx------. 2 dan dan 2120 Jan 16 09:51 sys drwx------. 2 dan dan 60 Jan 16 09:51 test
/tmp $ podman run --userns=keep-id:uid=999,gid=999 -v ./build-mariadb-server-10.11-datadir:/var/lib/mysql --rm mariadb:10.11 2024-01-15 23:01:23+00:00 [Note] [Entrypoint]: Entrypoint script for MariaDB Server 1:10.11.6+maria~ubu2204 started. 2024-01-15 23:01:23+00:00 [Note] [Entrypoint]: MariaDB upgrade not required 2024-01-15 23:01:23 0 [Note] Starting MariaDB 10.11.6-MariaDB-1:10.11.6+maria~ubu2204 source revision fecd78b83785d5ae96f2c6ff340375be803cd299 as process 1 ...
$ podman exec -ti jolly_jepsen ps -ef UID PID PPID C STIME TTY TIME CMD mysql 1 0 0 23:01 ? 00:00:00 mariadbd mysql 33 0 0 23:03 pts/0 00:00:00 ps -ef
I'm also curious why are host volume mounts used instead of named volumes?
— Reply to this email directly, view it on GitHub https://github.com/MariaDB/mariadb-docker/issues/554#issuecomment-1892857075, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAG32OHPJY6UTMHFL4EQCQ3YOWZBVAVCNFSM6AAAAABB33PBWKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOJSHA2TOMBXGU . You are receiving this because you authored the thread.Message ID: @.***>
Rootless mode is part of some container runtimes that execute containers without (host) root permissions.
In the example provided I used the keep-id
feature of the runtime to map the 999 user inside the container, to the current user dan
, so that it could access the volume on the local filesystem. Rootful modes provide also options for explicit mappings,
podman run --uidmap=999:0 --user 999 -v ./build-mariadb-server-10.11-datadir:/var/lib/mysql --rm mariadb:10.11
Also should have worked (https://github.com/containers/common/issues/1802)
User ID maps are supported by the container runtime, which is why I'm not looking to explicitly implement a mariadb container control for it. Essentially doing so would modify the container at runtime (not supported on runtimes like apptainer) and slow the initialization speed. Also named volumes exist for providing exclusive storage to containers.
Without easy documentation, I can see why you describe it as random, or not within your control. After all we only need to set 1 host -> container uid number correctly, so I'm going to try to document this so every container doesn't need to implement the same thing.
If I've understood what you are saying, then the problem is that mariadb (partially) ignores the mapping.
On docker, I've tried mapping the user with docker-compose option user 2002:2002
with 2002 being the uid of the host user mysql.
The problem is that they mysql container creates files using the 'mysql' name rather than the uid the container is running with (as per the above user
option).
The result is that I get some files with the correct permissions (those created with the uid) and some not (those that have the owner set to 'mysql').
The only way I can get it to work is to clone the mariadb docker file and modify the mysql uid/gid. When I do this, it doesn't matter if maria uses the id or the name of the user, the permissions will be correct.
By altering https://github.com/MariaDB/mariadb-docker/blob/master/10.11/Dockerfile
to have
RUN groupadd -g 2002 -r mysql && useradd -u 2002 -r -g mysql mysql --home-dir /var/lib/mysql
Note the addition of the -g and -u switches otherwise the file is original.
This combined with the container mapping gives the desired results but without the custom container I can't get it to work.
Here is my docker-compose file:
version: '3.3'
services:
mysql:
container_name: mysql
image: onepub/onepub-mariadb:${ONEPUB_VERSION}
restart: on-failure
environment:
# override from env file to be empty, otherwise it prevents proper initialization of mysql
MYSQL_ROOT_PASSWORD: ${MYSQL_ADMIN_PASSWORD}
MYSQL_DATABASE: ${MYSQL_SCHEMA}
TZ: ${TIME_ZONE-Australia/Melbourne}
MARIADB_AUTO_UPGRADE: "true"
command: >
--lower-case-table-names=1 --bind-address=127.0.0.1 --datadir=/innodb-data/ --innodb_log_group_home_dir=/innodb-logs/ --max-allowed-packet=512M --innodb_buffer_pool_chunk_size=${MYSQL_INNODB_BUFFER_POOL_CHUNK_SIZE-8M} --innodb_buffer_pool_size=${MYSQL_INNODB_BUFFER_POOL_SIZE-512M} --table_open_cache=${MYSQL_TABLE_OPEN_CACHE-512} --max_connections=${MYSQL_MAX_CONNECTIONS-98} --innodb_flush_neighbors=0 --innodb_fast_shutdown=1 --innodb_flush_log_at_trx_commit=1 --innodb_flush_method=fsync --innodb_doublewrite=0 --innodb_use_native_aio=0 --innodb_read_io_threads=10 --innodb_write_io_threads=10 --slow_query_log_file=/tmp/mysql-slow.log --long-query-time=0.3 --slow_query_log --innodb-print-all-deadlocks
volumes:
- /db/mysql-innodb-data:/innodb-data
- /db/mysql-innodb-logs:/innodb-logs
network_mode: "host"
logging:
driver: "journald"
user: 2002:2002
The full docker file - note that on the above mentioned line has been changed:
# copied from https://github.com/MariaDB/mariadb-docker/blob/master/10.11/Dockerfile
# The only change is that we explicityly set the mysql uid and gid
# vim:set ft=dockerfile:
FROM ubuntu:jammy
# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
#
# ONEPUB - set -g and -u to 2002
#
RUN groupadd -g 2002 -r mysql && useradd -u 2002 -r -g mysql mysql --home-dir /var/lib/mysql
# add gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
# gosu key is B42F6819007F00F88E364FD4036A9C25BF357DD4
ENV GOSU_VERSION 1.17
ARG GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8
# pub rsa4096 2016-03-30 [SC]
# 177F 4010 FE56 CA33 3630 0305 F165 6F24 C74C D1D8
# uid [ unknown] MariaDB Signing Key <signing-key@mariadb.org>
# sub rsa4096 2016-03-30 [E]
# install "libjemalloc2" as it offers better performance in some cases. Use with LD_PRELOAD
# install "pwgen" for randomizing passwords
# install "tzdata" for /usr/share/zoneinfo/
# install "xz-utils" for .sql.xz docker-entrypoint-initdb.d files
# install "zstd" for .sql.zst docker-entrypoint-initdb.d files
# hadolint ignore=SC2086
RUN set -eux; \
apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
ca-certificates \
gpg \
gpgv \
libjemalloc2 \
pwgen \
tzdata \
xz-utils \
zstd ; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get install -y --no-install-recommends \
dirmngr \
gpg-agent \
wget; \
rm -rf /var/lib/apt/lists/*; \
dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
wget -q -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
wget -q -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
GNUPGHOME="$(mktemp -d)"; \
export GNUPGHOME; \
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
for key in $GPG_KEYS; do \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
done; \
gpg --batch --export "$GPG_KEYS" > /etc/apt/trusted.gpg.d/mariadb.gpg; \
if command -v gpgconf >/dev/null; then \
gpgconf --kill all; \
fi; \
gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
gpgconf --kill all; \
rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
apt-mark auto '.*' > /dev/null; \
[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark >/dev/null; \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
chmod +x /usr/local/bin/gosu; \
gosu --version; \
gosu nobody true
RUN mkdir /docker-entrypoint-initdb.d
# Ensure the container exec commands handle range of utf8 characters based of
# default locales in base image (https://github.com/docker-library/docs/blob/135b79cc8093ab02e55debb61fdb079ab2dbce87/ubuntu/README.md#locales)
ENV LANG C.UTF-8
# OCI annotations to image
LABEL org.opencontainers.image.authors="MariaDB Community" \
org.opencontainers.image.title="MariaDB Database" \
org.opencontainers.image.description="MariaDB Database for relational SQL" \
org.opencontainers.image.documentation="https://hub.docker.com/_/mariadb/" \
org.opencontainers.image.base.name="docker.io/library/ubuntu:jammy" \
org.opencontainers.image.licenses="GPL-2.0" \
org.opencontainers.image.source="https://github.com/MariaDB/mariadb-docker" \
org.opencontainers.image.vendor="MariaDB Community" \
org.opencontainers.image.version="10.11.6" \
org.opencontainers.image.url="https://github.com/MariaDB/mariadb-docker"
# bashbrew-architectures: amd64 arm64v8 ppc64le s390x
ARG MARIADB_VERSION=1:10.11.6+maria~ubu2204
ENV MARIADB_VERSION $MARIADB_VERSION
# release-status:Stable
# release-support-type:Long Term Support
# (https://downloads.mariadb.org/rest-api/mariadb/)
# Allowing overriding of REPOSITORY, a URL that includes suite and component for testing and Enterprise Versions
ARG REPOSITORY="http://archive.mariadb.org/mariadb-10.11.6/repo/ubuntu/ jammy main main/debug"
RUN set -e;\
echo "deb ${REPOSITORY}" > /etc/apt/sources.list.d/mariadb.list; \
{ \
echo 'Package: *'; \
echo 'Pin: release o=MariaDB'; \
echo 'Pin-Priority: 999'; \
} > /etc/apt/preferences.d/mariadb
# add repository pinning to make sure dependencies from this MariaDB repo are preferred over Debian dependencies
# libmariadbclient18 : Depends: libmysqlclient18 (= 5.5.42+maria-1~wheezy) but 5.5.43-0+deb7u1 is to be installed
# the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql)
# also, we set debconf keys to make APT a little quieter
# hadolint ignore=DL3015
RUN set -ex; \
{ \
echo "mariadb-server" mysql-server/root_password password 'unused'; \
echo "mariadb-server" mysql-server/root_password_again password 'unused'; \
} | debconf-set-selections; \
apt-get update; \
# postinst script creates a datadir, so avoid creating it by faking its existance.
mkdir -p /var/lib/mysql/mysql ; touch /var/lib/mysql/mysql/user.frm ; \
# mariadb-backup is installed at the same time so that `mysql-common` is only installed once from just mariadb repos
apt-get install -y --no-install-recommends mariadb-server="$MARIADB_VERSION" mariadb-backup socat \
; \
rm -rf /var/lib/apt/lists/*; \
# purge and re-create /var/lib/mysql with appropriate ownership
rm -rf /var/lib/mysql /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf; \
mkdir -p /var/lib/mysql /run/mysqld; \
chown -R mysql:mysql /var/lib/mysql /run/mysqld; \
# ensure that /run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
chmod 1777 /run/mysqld; \
# comment out a few problematic configuration values
find /etc/mysql/ -name '*.cnf' -print0 \
| xargs -0 grep -lZE '^(bind-address|log|user\s)' \
| xargs -rt -0 sed -Ei 's/^(bind-address|log|user\s)/#&/'; \
# don't reverse lookup hostnames, they are usually another container
printf "[mariadb]\nhost-cache-size=0\nskip-name-resolve\n" > /etc/mysql/mariadb.conf.d/05-skipcache.cnf; \
# Issue #327 Correct order of reading directories /etc/mysql/mariadb.conf.d before /etc/mysql/conf.d (mount-point per documentation)
if [ -L /etc/mysql/my.cnf ]; then \
# 10.5+
sed -i -e '/includedir/ {N;s/\(.*\)\n\(.*\)/\n\2\n\1/}' /etc/mysql/mariadb.cnf; \
fi
VOLUME /var/lib/mysql
COPY healthcheck.sh /usr/local/bin/healthcheck.sh
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
EXPOSE 3306
CMD ["mariadbd"]
A slightly simpler form is:
FROM mariadb:10.11
RUN useradd -u 2002 -r localuser --home-dir /var/lib/mysql
As this is all build time, to do this for a prebuild image of a dynamic uid is more complex.
And then in compose for the service user: localuser
. The container started as a non-root user will not switch to mysql
.
There's also usermode_ns: host, which comes down to dockerd user namespace and userns-remap with the notable text:
This re-mapping is transparent to the container, but introduces some configuration complexity in situations where the container needs access to resources on the Docker host, such as bind mounts into areas of the filesystem that the system user cannot write to. From a security standpoint, it is best to avoid these situations.
The issue here is that it requires customisation of the container - which I have successfully done - but it would seem preferable that this is a supported feature which doesn't require a container mod.
I can't imagine that I'm the only person trying to mount the db from the host.
On Wed, Jan 17, 2024 at 1:37 PM Daniel Black @.***> wrote:
A slightly simpler form is:
FROM mariadb:10.11
RUN useradd -u 2002 -r localuser --home-dir /var/lib/mysql
As this is all build time, to do this for a prebuild image of a dynamic uid is more complex.
And then in compose for the service user: localuser. The container started as a non-root user will not switch to mysql.
There's also usermode_ns: host https://docs.docker.com/compose/compose-file/compose-file-v3/#userns_mode, which comes down to dockerd user namespace https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-user-namespace-options and userns-remap https://docs.docker.com/engine/security/userns-remap/ with the notable text:
This re-mapping is transparent to the container, but introduces some configuration complexity in situations where the container needs access to resources on the Docker host, such as bind mounts into areas of the filesystem that the system user cannot write to. From a security standpoint, it is best to avoid these situations.
— Reply to this email directly, view it on GitHub https://github.com/MariaDB/mariadb-docker/issues/554#issuecomment-1894842400, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAG32OADTSJWHTTMVLA7IU3YO42OTAVCNFSM6AAAAABB33PBWKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOJUHA2DENBQGA . You are receiving this because you authored the thread.Message ID: @.***>
The issue here is that it requires customisation of the container - which I have successfully done - but it would seem preferable that this is a supported feature which doesn't require a container mod.
Actually user: 2002
in compose might be sufficient on an unmod container.
I can't imagine that I'm the only person trying to mount the db from the host.
Note, I'm not saying "no", just understanding the domain a bit more in the complexity of multiple runtime implementations, root(full|less) modes, an standard behaviour, OCI, runtime and other containers.
ref: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#user-namespace-mappings ref: https://github.com/opencontainers/runtime-spec/blob/main/config.md#configLinuxMountOptions idMap SHOULD be implemented by runtimes
Actually user: 2002 in compose might be sufficient on an unmod container. I don't believe so, as this is where I started my journey.
The problem is that some of the mariad db processes create some file using the 'mysql' username rather than uid that they are running under. The result is that in the log and data directory you have some files owned by 2002 and some owned by 'mysql' . This ends badly.
On Wed, Jan 17, 2024 at 3:57 PM Daniel Black @.***> wrote:
The issue here is that it requires customisation of the container - which I have successfully done - but it would seem preferable that this is a supported feature which doesn't require a container mod.
Actually user: 2002 in compose might be sufficient on an unmod container.
I can't imagine that I'm the only person trying to mount the db from the host.
Note, I'm not saying "no", just understanding the domain a bit more in the complexity of multiple runtime implementations, root(full|less) modes, an standard behaviour, OCI, runtime and other containers.
ref: https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#user-namespace-mappings ref: https://github.com/opencontainers/runtime-spec/blob/main/config.md#configLinuxMountOptions idMap SHOULD be implemented by runtimes
— Reply to this email directly, view it on GitHub https://github.com/MariaDB/mariadb-docker/issues/554#issuecomment-1894941598, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAG32OHYZYOGKKWQW3433EDYO5K3RAVCNFSM6AAAAABB33PBWKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOJUHE2DCNJZHA . You are receiving this because you authored the thread.Message ID: @.***>
Chim in because out of curiousity, so I tried the compose
version: '3.3'
services:
mysql:
container_name: mysql
image: mariadb:11.0
# restart: on-failure
environment:
# override from env file to be empty, otherwise it prevents proper initialization of mysql
MYSQL_ROOT_PASSWORD: rootpass
MYSQL_DATABASE: somedbname
MARIADB_AUTO_UPGRADE: "true"
command: >
--lower-case-table-names=1 --bind-address=127.0.0.1 --datadir=/innodb-data/ --innodb_log_group_home_dir=/innodb-logs/ --max-allowed-packet=512M --innodb_buffer_pool_chunk_size=${MYSQL_INNODB_BUFFER_POOL_CHUNK_SIZE-8M} --innodb_buffer_pool_size=${MYSQL_INNODB_BUFFER_POOL_SIZE-512M} --table_open_cache=${MYSQL_TABLE_OPEN_CACHE-512} --max_connections=${MYSQL_MAX_CONNECTIONS-98} --innodb_flush_neighbors=0 --innodb_fast_shutdown=1 --innodb_flush_log_at_trx_commit=1 --innodb_flush_method=fsync --innodb_doublewrite=0 --innodb_use_native_aio=0 --innodb_read_io_threads=10 --innodb_write_io_threads=10 --slow_query_log_file=/tmp/mysql-slow.log --long-query-time=0.3 --slow_query_log --innodb-print-all-deadlocks
volumes:
- ./data:/innodb-data
- ./logs:/innodb-logs
# network_mode: "host"
logging:
driver: "journald"
user: 2002:2002
❯ docker exec -it mysql ps -ef
UID PID PPID C STIME TTY TIME CMD
2002 1 0 0 05:34 ? 00:00:00 mariadbd --lower-case-table-names=1 --bind-address=127.0.0.1 --datadir=/innodb-data/ --innodb_log_group_home_dir=/innodb-logs/ --max-allowed-packet=512M --innodb_buffer_pool_chunk_size
2002 117 0 0 05:40 pts/0 00:00:00 ps -ef
❯ docker exec -it mysql ls -aln /innodb-data
total 71812
drwxrwxr-x 1 2002 2002 378 Jan 17 05:36 .
drwxr-xr-x 1 0 0 4096 Jan 17 05:34 ..
-rw------- 1 2002 2002 131 Jan 17 05:36 .my-healthcheck.cnf
-rw-rw---- 1 2002 2002 16875520 Jan 17 05:36 aria_log.00000001
-rw-rw---- 1 2002 2002 52 Jan 17 05:36 aria_log_control
-rw-rw---- 1 2002 2002 9 Jan 17 05:36 ddl_recovery.log
-rw-rw---- 1 2002 2002 690 Jan 17 05:36 ib_buffer_pool
-rw-rw---- 1 2002 2002 12582912 Jan 17 05:36 ibdata1
-rw-rw---- 1 2002 2002 12582912 Jan 17 05:36 ibtmp1
-rw-r--r-- 1 2002 2002 14 Jan 17 05:36 mariadb_upgrade_info
-rw-rw---- 1 2002 2002 0 Jan 17 05:36 multi-master.info
drwx------ 1 2002 2002 2718 Jan 17 05:36 mysql
drwx------ 1 2002 2002 12 Jan 17 05:35 performance_schema
drwx------ 1 2002 2002 12 Jan 17 05:36 somedbname
drwx------ 1 2002 2002 6536 Jan 17 05:35 sys
-rw-rw---- 1 2002 2002 10485760 Jan 17 05:36 undo001
-rw-rw---- 1 2002 2002 10485760 Jan 17 05:36 undo002
-rw-rw---- 1 2002 2002 10485760 Jan 17 05:36 undo003
It run as 2002 as expected, I just need to ensure that host path the data
and logs
writable by 2002. Need more explicit which part that doesn't work?
The problem is that the mysql
process will run from a user other than root
which does not follow the docker patterns.
This container is a single process and that process should run from the root
user.
So the uid
and gid
mapping will work correctly and the file ownership in the host will be fixed.
No no, docker pattern and security should drop root
as soon as possible or even run with specified user
that why many rootless docker image mostly run as 1000 or some other user specified.
Seems to work fine over here with uid
and gid
explicitly set (besides dropping all capabilities and running the image readonly).
version: "3"
services:
mariadb:
container_name: mariadb
image: mariadb:10.6.16
restart: unless-stopped
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
user: 2002:2002
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
read_only: true
tmpfs:
- /tmp:noexec
- /run:noexec
- /run/mysqld:noexec
volumes:
- ./mariadb:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD
- MYSQL_PASSWORD
- MYSQL_DATABASE=mariadb
- MYSQL_USER=mariadb
- MARIADB_AUTO_UPGRADE=1
- MARIADB_DISABLE_UPGRADE_BACKUP=0
Running find . ! -user 2002
inside the bind mounted mariadb
directory returns 0 files.
Thanks @Jip-Hop, for highlighting the read_only mode. tmpfs
also highlighting how things like pidfiles and sockets add to the inflexibility of the image (more to fix).
Highlighting cap_drop: all
I think is an important aspect as it highlights exactly what capabilities the root user (checked with grep ^Cap /proc/self/status
and it seems only root -CapBnd
remains when --user specified meaning it needs a filesystem cap label to gain capability. (readable list)
I just read though a number of best practices guides to be sure, and none mention going to a non-root user.
So if we go back to security principles of risk/convenience tradeoff lets look at exactly what's is/needed.
mysql
user inside container was following what MariaDB did outside the container, and running as root for mariadb-install-db
would error (though --user root
would allow this)./var/lib/mysql
(DATADIR) volume has the right ownership for mariadbd
to write database files. There isn't the ability of OCI container to specify to the container runtime that volumes need to be owned by a particular user, so by default attract a root
user.So options:
user:
specified by the user can set arbitary uid that map to the host storage (though it need to be documented clearer)USER mysql
is the Dockerfile cannot cope with arbitrary volumesmariadbd
to capset
to drop capabilities, not complain about an euid of 0, mask off the filesystem that it doesn't need somehowe, and then it can run as the default USER root
.Are the FAQs sufficient?
My project uses host volume mounts for data and log directories.
The problem is that the mysql uid and gid are allocated randomly within the container and as such are 'mapped' to a random user/group on the host ( I guess technically it's not random, just not within my control).
If we could set the uid:gid for the mysql user and group within the container, then we could setup host uid:gid that match and is mapped to a coherent name.