Disregard - unaware the host needed to meet a "matching" build requirement first.
@RANGERBEE Just curious - what do you mean by matching build requirement?
Thought I simply needed to run docker environment and build - unaware the host had dependencies:
https://github.com/MISP/MISP/blob/2.4/INSTALL/xINSTALL.centos7.txt
@RANGERBEE I think there might be some confusion here. These do not apply here - they are for CentOS.
The docker image is based on Ubuntu and it just works out of the box "as is". You don't need any other pre-requirements. It's all self contained.
Yes, that was the issue. Was installing onto a Centos7 minimal build. Was just NOW trying to build a CentOS instance to support the Ubuntu container.
Do I need anything more than an Ubuntu minimal iso host install and docker to support the image?
If your host (docker "engine") is CentOS -- that's not a problem.
The host abstracts the container system. The container itself however is Ubuntu, but all of the dependencies are provided for you (see: https://github.com/harvard-itsecurity/docker-misp/blob/master/container/Dockerfile)
As long as you have a functional docker engine and the Ubuntu:16.04 container, you should be fine.
You can test your setup by doing:
docker run -it --rm ubuntu:16.04 /bin/bash
If that works - you are good to go.
@ventz Thank you!! Saved me some work. I am working on a Centos host and the Ubuntu container starts just fine.
My originally stated issue persists.
I was looking at the Docker build file and noticed the Volume mount. Does this not require the host to have that "/var/lib/mysql" pre-existing or does Docker create the folder upon build followed by mount - for storage persistence? Could this be my issue?
Thank you again for the quick response!
Docker will create it for you -- everything is abstracted into $docker-root/misp-db if you are following the tutorial/example.
If you are using /docker for $docker-root, I would suggest this:
# rm -Rf /docker/misp-db
# mkdir -p /docker/misp-db
And then start with the 1-3 steps.
@ventz I still have this annoying error that I can not find a solution.
I did include your last suggestion.
Met with:
chown: cannot read directory '/var/lib/mysql': Permission denied
chown: changing ownership of '/var/lib/mysql': Permission denied
Cannot change ownership of the database directories to the 'mysql' user. Check that you have the necessary permissions and try again.
chown: cannot read directory '/var/lib/mysql': Permission denied
180511 18:32:46 mysqld_safe Logging to syslog.
180511 18:32:46 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2 "No such file or directory")
touch: cannot touch '/var/lib/mysql/.db_initialized': Permission denied
chown: cannot read directory '/var/lib/mysql': Permission denied
everything else looks to work fine..
Any ideas?
It looks like mysql:mysql is not being applied via chown in the Dockerfile... (?)
@RANGERBEE I think you are looking at the local file system (the host) instead of the container file system.
The entire docker file system will be in /docker/misp-db on the host.
The other possibility is that selinux is applying something to / on the host, and preventing docker access. The easiest way to check that is to change your docker root to /root/docker and create a /root/docker/misp-db, and try it there.
@ventz Thanks.
I will check that out. The directory you see in the image is from the container. ( I use Rancher to manage)
I prep my hosts with this script code (see anything?):
sed -i -- "s/SELINUX=.*/SELINUX=disabled/g" /etc/sysconfig/selinux &&
cat /etc/sysconfig/selinux;
sysctl -w vm.swappiness=1;
sysctl -w vm.max_map_count=262144;
sed -i -e "\$avm.max_map_count=262144" /etc/sysctl.conf &&
chcon -R system_u:object_r:admin_home_t:s0 /opt/MISP/;
groupadd docker;
usermod -aG docker $USER;
gpasswd -a $USER docker;
cd /usr/libexec/docker;
ln -s docker-runc-current docker-runc;
Thanks for your time!!
The first line will disable selinux but only after a reboot (in case you have not rebooted yet)
Ah - you are not launching the container as root -- that's the issue I believe. (If you are adding $USER, that $USER would have to have ownership rwx of /docker)
@ventz Thank you.
I will be circling back around to the CentOS host to check against that folder... Currently have it running in an Ubuntu host just fine for my PoC.
Side note: have you given thought to using these base images? https://github.com/whiteops-dot-com/centos-baseimage https://github.com/phusion/baseimage-docker
Thanks again!
Np - glad it's working.
I have -- the phusion one is very popular (and they make a great point about "multiple processes" vs "logical level services", which a lot of people argue on re: "fat containers" and how you should run "1 thing" in a docker container).
With this container, the goal was to follow the manual MISP instructions as close as possible, for two reasons:
1.) to stay ideally as close as possible to the upstream branch so that we can effortlessly update as it updates. We chose Ubuntu because we think it's a better OS choice for this kind of stuff (vs CentOS/RHEL which tends to be ideal for a flat appliance that doesn't require the latest package versions, and needs stable packaging that doesn't change)
2.) to only add additional "docker specific" things, and convenient automation of the original steps. (ex: if there are 5 steps - adding a single step that automates the 5 is acceptable)
This really summarizes as: we wanted this truly to be an official docker version of the official MISP release. There are a lot of extra features we can add, but we tried holding off of that.
That said, for other images - there's nothing wrong with using the phusion container. I am not quite convinced on the need for ssh, but I would argue that having cron is needed, and having an init system is basically a must. Back to the phusion argument, the philosophy of docker that's "one thing per container" is really one service, versus one process. I think it's much worse to launch 5 containers for 1 service, rather than 1 container with 5 processes for 1 service.
Rebuilt the Centos7 instance - added the following to my prep script:
mkdir /docker;
mkdir /docker/misp-db;
chown -R 1000:1000 /docker;
cd /opt/docker-misp;
Then build / init / run all working fine now...
Thanks!
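The two checks this thread converged on (ownership of the bind-mounted host directory, and whether an SELinux config edit is active yet), as an added example that is not part of the original thread or the docker-misp project. The function names are hypothetical; /docker/misp-db and 1000:1000 are the values from the prep script above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Succeeds if UID:GID may create files in DIR, judged by owner/group/other
# mode bits only (ACLs and supplementary groups are ignored). Returns 2 if
# DIR does not exist. Uses GNU stat, as found on CentOS and Ubuntu.
host_dir_writable() {
    dir=$1 uid=$2 gid=$3
    [ -d "$dir" ] || return 2
    set -- $(stat -c '%u %g %a' "$dir")      # owner uid, owner gid, octal mode
    mode=$(printf '%03d' "$3")
    perm=${mode#"${mode%???}"}               # last three digits, drops sticky/setuid
    if [ "$uid" = "$1" ]; then bits=${perm%??}
    elif [ "$gid" = "$2" ]; then bits=${perm#?}; bits=${bits%?}
    else bits=${perm#??}
    fi
    [ $((bits & 3)) -eq 3 ]                  # need write (2) and search (1)
}

# Prints the SELINUX= value from a config file (default /etc/selinux/config).
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "${1:-/etc/selinux/config}" | tail -n 1
}

# Succeeds when the file says "disabled" but the running system still reports
# Enforcing or Permissive, i.e. the edit is waiting for a reboot.
selinux_change_pending() {
    case $2 in
        Enforcing|Permissive) [ "$1" = disabled ] ;;
        *) return 1 ;;
    esac
}

# Usage: preflight /docker/misp-db 1000 1000
preflight() {
    if host_dir_writable "$1" "$2" "$3"; then
        echo "ok: $2:$3 can write to $1"
    else
        echo "FAIL: $2:$3 cannot write to $1 ($(stat -c '%U:%G %a' "$1" 2>/dev/null))"
    fi
    runtime=$(getenforce 2>/dev/null || echo unavailable)
    configured=$(selinux_config_mode 2>/dev/null)
    echo "SELinux runtime=$runtime configured=${configured:-unknown}"
    if selinux_change_pending "$configured" "$runtime"; then
        echo "note: SELINUX=disabled is configured but not active until reboot"
    fi
}

if [ $# -ge 3 ]; then preflight "$@"; fi
```

If the mode-bit check passes and the container still reports Permission denied, the SELinux side is the remaining possibility raised in the thread.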
Hello All, Could you advise of cause on this error and support a solution?
Running command:
Met with:
I looked into container file system and permissions of the mysql folder is set to "root" though unable to access.
Thank you!