neo4j / docker-neo4j

Docker Images for the Neo4j Graph Database
Apache License 2.0

Neo4J Docker image requires write permission at "everyone" level?? #130

Closed aliantjamaica closed 5 years ago

aliantjamaica commented 6 years ago

After installing the neo4j 3.3 image on Ubuntu 16.04, the container terminates after start due to a permission error attempting to access the debug.log. Normally I would expect that if the owner of the folder/file has write permission then that should be enough; however, it turns out I need to give "everyone" permission to write also. This seems a little strange to me. Is this normal, and should I have concerns about security issues? The following is my docker run command:

sudo docker run -d --publish=7474:7474 --publish=7687:7687 --volume=$HOME/neo4j/data:/data --volume=$HOME/neo4j/logs:/logs --volume=$HOME/neo4j/conf:/conf --env NEO4J_AUTH=none --ulimit=nofile=40000:40000 --env=NEO4J_dbms_allowupgrade=true --env=dbms_connectors_defaultlisten__NEO4J_address=0.0.0.0 neo4j:3.3

panthershark commented 6 years ago

I'm trying to figure out what is up with this too. I think this issue is related. https://github.com/neo4j/docker-neo4j/issues/131

mjmare commented 6 years ago

Even giving write perms to everyone did not solve this problem for me. Only reverting to version 3.3.3 helps.

panthershark commented 6 years ago

This image no longer runs as root and that is probably related. I'm not having any issues with 3.3.5 since removing the logs volume.

MOSSupport commented 5 years ago

I pulled 3.4.9. If I run docker with --volume=$HOME/neo4j/logs:/logs, then docker makes root the owner of the $HOME/neo4j/logs folder, and the newly created docker container exits with a /logs/debug.log (Permission denied) exception.

$ docker run --publish=7474:7474 --publish=7687:7687 --volume=$HOME/neo4j/logs:/logs --env=NEO4J_ACCEPT_LICENSE_AGREEMENT=yes neo4j:enterprise

smpark@Ubun80:~/neo4j$ ll
drwxr-xr-x 2 root root 4096 Nov 9 15:56 logs/

However, if I docker run with --volume=$HOME/neo4j/data:/data, then a new docker container runs well without root ownership on $HOME/neo4j/data.

$ docker run --publish=7474:7474 --publish=7687:7687 --volume=$HOME/neo4j/data:/data --env=NEO4J_ACCEPT_LICENSE_AGREEMENT=yes neo4j:enterprise

Active database: graph.db
Directories in use:
  home:         /var/lib/neo4j
  config:       /var/lib/neo4j/conf
  logs:         /var/lib/neo4j/logs
  plugins:      /var/lib/neo4j/plugins
  import:       /var/lib/neo4j/import
  data:         /var/lib/neo4j/data   <<< seems problematic
  certificates: /var/lib/neo4j/certificates
  run:          /var/lib/neo4j/run
Starting Neo4j.
2018-11-09 07:02:00.762+0000 INFO ======== Neo4j 3.4.9 ========
2018-11-09 07:02:00.786+0000 INFO Starting...
2018-11-09 07:02:01.868+0000 INFO Initiating metrics...
2018-11-09 07:02:02.641+0000 INFO Sending metrics to CSV file at /var/lib/neo4j/metrics
2018-11-09 07:02:02.810+0000 INFO Bolt enabled on 0.0.0.0:7687.
2018-11-09 07:02:04.731+0000 INFO Started.
2018-11-09 07:02:04.874+0000 INFO Mounted REST API at: /db/manage
2018-11-09 07:02:04.932+0000 INFO Server thread metrics has been registered successfully
2018-11-09 07:02:05.606+0000 INFO Remote interface available at http://localhost:7474/

And $HOME/neo4j/data has another owner, systemd-network, not root.

smpark@Ubun80:~/neo4j$ ll
drwxr-xr-x 4 systemd-network systemd-journal 4096 Nov 9 16:02 data/

Should I remove the logs volume???

jennyowen commented 5 years ago

I wrote this on related issue #164 but I'll copy the explanation here too:

Permissions on mounted folders are a recurring problem with our docker images (and docker in general). By default, Neo4j runs as the user neo4j (because #50), who only exists in the container, not on the host. That means that it's hard to set up folders on the host which this new user has permissions for.

This is quite a complicated issue, and it's hard to fix file permissions in a way that won't also break backwards compatibility for other users.

There's some discussion of that here: #161

You can use the --user flag on docker run to specify which user to run neo4j as. If you use a user that has write access to your data/log/conf folders then folder ownership is not changed. Note that the --user flag to docker is the user the container will run stuff as inside the container (see: https://docs.docker.com/engine/api/v1.30/#operation/ContainerCreate). This means if you specify a host user name, docker won't recognise it as having write access to your folder. You need to specify the user ID. As an example, you can do --user="$(id -u)":"$(id -g)" to specify the current user. This is a docker limitation and there's not much we can do about it.

Another alternative is to mount docker volumes (instead of host folders) to your container. For example:

docker volume create --name neo4jdata
docker volume create --name neo4jlogs
docker run \
    --publish=7474:7474 --publish=7687:7687 \
    --volume neo4jdata:/data --volume neo4jlogs:/logs \
    neo4j:latest

This would persist log and data information between containers, since your data would be stored in the docker volume.

I realise the current behaviour of Neo4j docker is not good. I'm hoping to be able to do an overhaul of the docker code for the next minor release, and fix these persistent file permissions problems.
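The two fixes described in this comment (run the container with `--user uid:gid`, and avoid giving "everyone" write permission on the bind-mounted folders) as an added, stand-alone shell example; this is not code from the neo4j/docker-neo4j project. The helper names, the `0750` directory mode and the `$HOME/neo4j` layout are assumptions; the image tag and ports are taken from the original report in this thread.

```shell
#!/bin/sh
# Added example (not from the neo4j/docker-neo4j project): prepare host
# directories for Neo4j bind mounts so the container can write to them
# without granting world-write, then build the matching `docker run` line.
set -eu

# Return the --user value (uid:gid) for the host account that owns the
# mounted folders; defaults to the invoking user, as the comment suggests.
neo4j_user_arg() {
    uid="${1:-$(id -u)}"
    gid="${2:-$(id -g)}"
    printf '%s:%s' "$uid" "$gid"
}

# Create a bind-mount directory owned by the caller with mode 0750
# (assumed here): owner can write, group can read, nobody else can touch it.
prepare_mount_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0750 "$dir"
}

# Exit status 0 if none of the given directories is world-writable (o+w),
# 1 otherwise. This is the check that catches a "chmod 777" workaround.
check_not_world_writable() {
    bad=0
    for d in "$@"; do
        if [ -n "$(find "$d" -maxdepth 0 -perm -002 2>/dev/null)" ]; then
            echo "world-writable: $d" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Assemble the docker run command for the three bind mounts from the
# original report, passing --user so the container runs as the host
# account that owns the folders and does not change their ownership.
build_run_cmd() {
    base="$1"
    printf '%s' "docker run -d --user=$(neo4j_user_arg)"
    printf ' %s' '--publish=7474:7474' '--publish=7687:7687' \
        "--volume=$base/data:/data" "--volume=$base/logs:/logs" \
        "--volume=$base/conf:/conf" 'neo4j:3.3'
    printf '\n'
}
```

Run `prepare_mount_dir` for `$HOME/neo4j/data`, `logs` and `conf`, then `check_not_world_writable` on them before executing the command printed by `build_run_cmd "$HOME/neo4j"`.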

jennyowen commented 5 years ago

Mounting the /logs volume was "fixed" as of https://github.com/neo4j/docker-neo4j/pull/161

I say "fixed" because it still gives everyone permissions to the logs folder if you don't specify a user.

Apart from the logs mounting issue I'll close this particular issue as a duplicate of #164.

ogerly commented 5 years ago

First travel report of a hiker in DEV Land: at the moment it is a huge country .. only parts are illuminated .. but I already have a rough outline ... Streets and areas with their tasks ... I live in the village WEBDEV ... but have to go shopping at neo4j ... the neo4j department store I had built before ... but my dog "docker" does not get the door open. The css greengrocer is relatively independent ... and my javascript tool I always have on me ... now I have to teach my dog how to open the door to the department store. I'm just wondering if we can just remove the door to the department store ... all around is sand ... and all around a huge security fence ... looks like a big sandpit - prison.

root

rulatir commented 4 years ago

Quoting the neo4j page at dockerhub:

We have updated the error messaging with advice about how to fix file permission errors.

No, this is not the case. I am getting those error messages, but they only tell me what's wrong. There is exactly zero "advice" on how to fix it. What I would understand as advice is a suggestion as to which of the multiple possible strategies is THE recommended one:

  1. Manually create the user and group on the host (hoping there is no UID/GID conflict with a host user or group), then manually create the required directory structure on the host side of the /data volume, with all the ownerships as the container expects?
  2. Build your own image that usermods and grpmods neo4j in the container and then find | chowns?
  3. Something else entirely?