pelias / docker

Run the Pelias geocoder in docker containers, including example projects.
MIT License

host user running docker requires UID of 1000 for elasticsearch #295

Closed nilsnolde closed 1 year ago

nilsnolde commented 1 year ago

there are some bug reports around that already, e.g. https://github.com/pelias/docker/issues/214 (AccessDenied, the container can't write into the $DATA_DIR/elasticsearch directory)

the problem seems to me that the ES container internally has the elasticsearch user with UID/GID 1000 doing all the operations. while my DATA_DIR is owned by the same user I run docker with and happens to have UID/GID 1003. so the container can't create any data/directories inside DATA_DIR with its 775 permission bits.

urgh, this is a mess with docker user management.. been there a few times.. essentially, IMO there's no fool-proof way that'll work in all situations without at least one root command. so maybe the way it works right now is the best we can do..

for now I'll make the DATA_DIR 777. no idea what else to try (made my local docker user part of group 1000, but then pelias elastic start changes the permissions back to 1003/1003).

nilsnolde commented 1 year ago

actually all docker containers require a UID of 1000 it seems, not that it matters much

missinglink commented 1 year ago

Yeah for sure, permissions inside permissions can be a nightmare.

I thought I'd fixed this last year, we haven't had many reports recently. How it's supposed to work is that the pelias command detects your UID automatically so you shouldn't have to do anything.

nilsnolde commented 1 year ago

can't see much in the pelias commands other than the deprecated DOCKER_USER.

> the pelias command detects your UID automatically so you shouldn't have to do anything.

but how would that work even? it detects your UID but it can't take that for the docker-internal user, that would have to be decided in the image building when creating the user. we could change the permissions with the pelias command to 1000:1000 but not without sudo. (also would be strange, my data dir would then be owned by the host user overpass :D).

I think everyone got lucky so far, always having run this with the machine's first user :)

nilsnolde commented 1 year ago

I had a similar use case before and had to change our valhalla image to accommodate for that: https://github.com/gis-ops/docker-valhalla/blob/a503d556a75661a644c25b16fa82eafa89b3f963/Dockerfile#L44-L50

definitely not arguing that's an option for your docker recipes, it's also a total nightmare.

missinglink commented 1 year ago

You can specify the docker user at runtime too

nilsnolde commented 1 year ago

huh.. let me research hahah :sweat_smile:

missinglink commented 1 year ago
nilsnolde commented 1 year ago

ah right, totally forgot about that..

I guess that's what DOCKER_USER was for?

nilsnolde commented 1 year ago

https://github.com/pelias/docker/blob/master/lib/env.sh

thanks!! didn't find that! yes, that should definitely do it. I'll just quietly close this issue and admit my idiot mistake of not using the provided docker-compose.yml..

missinglink commented 1 year ago

Haha all good, permissions are the most common issue we get, I might spend some more time on the pelias system check command to see if it can detect issues like this automatically.
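
The ownership mismatch discussed in this thread (a container user with UID/GID 1000 against a DATA_DIR owned by 1003 with mode 775) can be detected from the directory's owner and mode bits before any container starts. The script below is an added example, not part of the thread or of the Pelias code: the function names are hypothetical, and it assumes a `stat` that supports `-c` (GNU or busybox) and ignores ACLs and supplementary groups.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of the pelias CLI.

# can_uid_write DIR UID GID
# Returns 0 if a process running as UID:GID could create entries in DIR,
# 1 if the mode bits forbid it, 2 if DIR cannot be inspected.
can_uid_write() {
  cw_uid=$2; cw_gid=$3
  cw_stat=$(stat -c '%u %g %a' "$1" 2>/dev/null) || return 2
  set -- $cw_stat                      # $1=owner uid, $2=owner gid, $3=octal mode
  if [ "$cw_uid" -eq 0 ]; then
    return 0                           # root ignores mode bits (no userns remap assumed)
  fi
  cw_mode=$(printf '%03d' "$3")        # pad short modes such as "0"
  cw_mode=${cw_mode#"${cw_mode%???}"}  # drop a leading setuid/setgid/sticky digit
  if [ "$cw_uid" -eq "$1" ]; then
    cw_bits=${cw_mode%??}                        # owner digit
  elif [ "$cw_gid" -eq "$2" ]; then
    cw_bits=${cw_mode#?}; cw_bits=${cw_bits%?}   # group digit
  else
    cw_bits=${cw_mode#??}                        # other digit
  fi
  # Creating files needs both write (2) and search (1) on the directory.
  [ $(( cw_bits & 3 )) -eq 3 ]
}

# check_data_dir DIR UID:GID
# Prints a verdict and returns the same code as can_uid_write.
check_data_dir() {
  cd_rc=0
  can_uid_write "$1" "${2%%:*}" "${2##*:}" || cd_rc=$?
  case $cd_rc in
    0) echo "ok: $2 can write to $1" ;;
    1) echo "mismatch: $1 is $(stat -c '%u:%g mode %a' "$1"), container user $2 cannot write" ;;
    *) echo "error: cannot stat $1" ;;
  esac
  return "$cd_rc"
}

# Usage: sh check.sh "$DATA_DIR/elasticsearch" 1000:1000
if [ $# -ge 2 ]; then
  check_data_dir "$1" "$2"
fi
```

A "mismatch" result is the case where 777 on the data directory looks like the quick fix; running the container as the directory's owner keeps the tighter mode.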