jfrog / artifactory-docker-examples

Examples for using Artifactory Docker distribution in various environments
https://www.jfrog.com/artifactory/
Apache License 2.0

/var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030) #196

Closed kb7791 closed 4 years ago

kb7791 commented 4 years ago

So I initially had my docker-compose file mounting to a local directory on the host machine and I was tasked to convert it to using docker-volumes. So I made changes to my docker-compose file to the following. Basically just added the reference to the volume in each service and then created that top level volumes: section and set both to external: false. This was the original compose file.

version: '3'
services:
  postgresql:
    image: docker.bintray.io/postgres:9.6.11
    container_name: postgresql
    ports:
     - 5432:5432
    environment:
     - POSTGRES_DB=artifactory
     # The following must match the DB_USER and DB_PASSWORD values passed to Artifactory
     - POSTGRES_USER=xxxxx
     - POSTGRES_PASSWORD=xxxxx
    volumes:
     - /ARTIFACTORY_DATA/postgresql:/var/lib/postgresql/data
    restart: always
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000
  artifactory:
    image: docker.bintray.io/jfrog/artifactory-pro:6.17.0
    container_name: artifactory
    ports:
     - 80:8081
    depends_on:
     - postgresql
    links:
     - postgresql
    volumes:
     - /ARTIFACTORY_DATA/artifactory:/var/opt/jfrog/artifactory
    environment:
     - DB_TYPE=postgresql
     # The following must match the POSTGRES_USER and POSTGRES_PASSWORD values passed to PostgreSQL
     - DB_USER=xxxxx
     - DB_PASSWORD=xxxxx
     # Add extra Java options by uncommenting the following line
     #- EXTRA_JAVA_OPTIONS=-Xms512m -Xmx4g
    restart: always
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000

And this is the compose file after my changes to use docker-volumes.

version: '3'
services:
  postgresql:
    image: docker.bintray.io/postgres:9.6.11
    container_name: postgresql
    ports:
     - 5432:5432
    environment:
     - POSTGRES_DB=artifactory
     # The following must match the DB_USER and DB_PASSWORD values passed to Artifactory
     - POSTGRES_USER=xxxxx
     - POSTGRES_PASSWORD=xxxxx
    volumes:
     - postgres_data:/var/lib/postgresql/data
     - /etc/localtime:/etc/localtime:ro #duplicates host timezone
    restart: always
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000
  artifactory:
    image: docker.bintray.io/jfrog/artifactory-pro:6.17.0
    container_name: artifactory
    ports:
     - 80:8081
    depends_on:
     - postgresql
    links:
     - postgresql
    volumes:
     - artifactory_data:/var/opt/jfrog/artifactory
     - /etc/localtime:/etc/localtime:ro
    environment:
     - DB_TYPE=postgresql
     # The following must match the POSTGRES_USER and POSTGRES_PASSWORD values passed to PostgreSQL
     - DB_USER=xxxxx
     - DB_PASSWORD=xxxxx
     # Add extra Java options by uncommenting the following line
     #- EXTRA_JAVA_OPTIONS=-Xms512m -Xmx4g
    restart: always
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000
volumes:
    postgres_data:
      external: false
    artifactory_data:
      external: false

I run docker-compose up with no issues and the Artifactory platform launches with no data, as I expected, since all the data still resides on the host directory.

My next step was using docker cp /old/local/host/mount/artifactory/. artifactory:/var/opt/jfrog/artifactory and docker cp /old/local/host/mount/postgresql/. postgresql:/var/lib/posgresql/data

Once these copies were done I then ran docker-compose down, assuming that the copied data was mounted to the docker-volumes I created and then ran docker-compose up and got the following stack trace.

artifactory    | 2020-04-02 15:37:16  [760 entrypoint-artifactory.sh] Preparing to run Artifactory in Docker
artifactory    | 2020-04-02 15:37:16  [761 entrypoint-artifactory.sh] Running as uid=1030(artifactory) gid=1030(artifactory)
artifactory    | 2020-04-02 15:37:16   [59 entrypoint-artifactory.sh] Dockerfile for this image can found inside the container.
artifactory    | 2020-04-02 15:37:16   [60 entrypoint-artifactory.sh] To view the Dockerfile: 'cat /docker/artifactory-pro/Dockerfile.artifactory'.
artifactory    | 2020-04-02 15:37:16   [65 entrypoint-artifactory.sh] Checking open files and processes limits
artifactory    | 2020-04-02 15:37:16   [68 entrypoint-artifactory.sh] Current max open files is 32000
artifactory    | 2020-04-02 15:37:16   [80 entrypoint-artifactory.sh] Current max open processes is 65535
artifactory    | 2020-04-02 15:37:16  [212 entrypoint-artifactory.sh] Testing directory /var/opt/jfrog/artifactory has read/write permissions for user 'artifactory' (id 1030)
artifactory    | /entrypoint-artifactory.sh: line 181: /var/opt/jfrog/artifactory/access/test-permissions: Permission denied
artifactory    | /entrypoint-artifactory.sh: line 181: /var/opt/jfrog/artifactory/backup/test-permissions: Permission denied
artifactory    | /entrypoint-artifactory.sh: line 181: /var/opt/jfrog/artifactory/data/test-permissions: Permission denied
artifactory    | /entrypoint-artifactory.sh: line 181: /var/opt/jfrog/artifactory/etc/test-permissions: Permission denied
artifactory    | /entrypoint-artifactory.sh: line 181: /var/opt/jfrog/artifactory/logs/test-permissions: Permission denied
artifactory    | /entrypoint-artifactory.sh: line 181: /var/opt/jfrog/artifactory/metadata/test-permissions: Permission denied
artifactory    | /entrypoint-artifactory.sh: line 181: /var/opt/jfrog/artifactory/replicator/test-permissions: Permission denied
artifactory    | 2020-04-02 15:37:16  [230 entrypoint-artifactory.sh] ###########################################################
artifactory    | 2020-04-02 15:37:16  [231 entrypoint-artifactory.sh] /var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
artifactory    | 2020-04-02 15:37:16  [232 entrypoint-artifactory.sh] Directory: /var/opt/jfrog/artifactory, permissions: 777, owner: artifactory, group: artifactory
artifactory    | 2020-04-02 15:37:16  [233 entrypoint-artifactory.sh] Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
artifactory    | 2020-04-02 15:37:16  [234 entrypoint-artifactory.sh] ###########################################################
artifactory    | 2020-04-02 15:37:16   [49 entrypoint-artifactory.sh] ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)

Not sure what I did wrong here or if I missed a step in my compose file or I'm having some other underlying issue. I did things this way because I didn't want to lose any of the data that was already residing in the local host directory. This also worked fine and still does if I revert to using local host points but I need to change it to use docker-volumes. Trying to get this all updated prior to upgrading to Artifactory Pro 7.3.2.

JfrogPrasanna commented 4 years ago

@kb7791

  1. The version of Artifactory you are using is old, and we recommend you move to 7.x if possible. If you move, refer to the new documentation: https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory
  2. Please note that this repo is deprecated.
  3. The above issue seems like a permission issue where the container user (which is artifactory:artifactory) is not able to access the host files. I suspect that your volume mounting is not correct.
     3a. Can you check the source directory permission defined in volume artifactory_data?
     3b. Recommend to place old data in a fully accessible folder and then mount it to /var/opt/jfrog/artifactory
  4. Please also make sure you run chown -R 1030:1030 <on the host mounted directory>

Let us know if this worked.

kb7791 commented 4 years ago

@JfrogPrasanna

The host directory 'Artifactory_data' is a docker named volume that is made auto-magically by docker-compose file, by default those volumes are stored in /var/lib/docker/volumes and that directory is owned by root regardless if I create them as a non-root user. So that's the issue I'm having with the artifactory user in the container trying to access the docker named volume that resides in /var/lib/docker/volumes. Having to create a local bind mount in a host directory and chown'ing the privileges for that local bind mount, doesn't that take away from portability of the container?

kb7791 commented 4 years ago

I had this previously working with what you had already suggested, making directories on my local machine and giving them 1030:1030 permissions, but I was tasked to migrate to docker-volumes and since /var/lib/docker/volumes is set to root permission I would think it would be bad practice to chown that directory.
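
The ownership problem discussed above can be fixed inside the named volume itself, without changing /var/lib/docker/volumes on the host: docker cp without -a creates files in the container as root, so the copied subdirectories are not writable by uid 1030 even though the mount point is. The following shell script is an added example, not part of the thread or the JFrog repo; it audits a tree for paths not owned by the expected uid:gid and re-owns a volume's contents from a throwaway container, so the service keeps running as uid 1030. The alpine helper image and the volume name are assumptions (Compose normally prefixes named volumes with the project name).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the "alpine" helper image
# and the volume name passed in (check `docker volume ls` for the real name,
# which Compose usually prefixes with the project name).

# Print every path under DIR that is not owned by UID:GID.
# An empty result means the container user owns the whole tree.
foreign_owned() {
    dir=$1 uid=$2 gid=$3
    find "$dir" \( ! -user "$uid" -o ! -group "$gid" \) -print
}

# Number of paths under DIR that the expected user does not own.
count_foreign() {
    foreign_owned "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Re-own the contents of a named volume from a one-off container.
# The chown runs as root only inside the helper, only on the mounted volume;
# the long-running service keeps its unprivileged uid.
fix_volume() {
    volume=$1 uid=$2 gid=$3
    docker run --rm -v "$volume":/vol alpine chown -R "$uid:$gid" /vol
}

# Usage:
#   sh volume-owner.sh audit DIR 1030 1030      # list paths with the wrong owner
#   sh volume-owner.sh fix VOLUME 1030 1030     # repair ownership in the volume
case "${1:-}" in
    audit) foreign_owned "$2" "$3" "$4" ;;
    fix)   fix_volume "$2" "$3" "$4" ;;
esac
```
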

JfrogPrasanna commented 4 years ago

@kb7791 in that case, are you ok for the container to run as root? If so, you can pass user: "0:0" for artifactory service in your docker-compose.

kb7791 commented 4 years ago

This can be closed, ended up taking the route of creating a full system export on the old VM and using it to restore a new instance on the new VM, might be the long way route but it seemed to work without any issues.