pelias / pip-service

Pelias point-in-polygon-service
https://pelias.io
MIT License

pip-service can't create /mnt/pelias in Docker #108

Closed arne-cl closed 4 years ago

arne-cl commented 5 years ago

With the current Dockerfile, it is not possible to use the download command of pip-service (needed for its initContainer in a Kubernetes setup).

$ docker run --entrypoint=/code/pelias/pip-service/bin/download -ti pelias/pip-service:latest --admin-only
/code/pelias/pip-service/node_modules/fs-extra/lib/mkdirs/mkdirs-sync.js:45
        throw err0
        ^

Error: EACCES: permission denied, mkdir '/mnt/pelias'
    at Object.mkdirSync (fs.js:753:3)
    at mkdirsSync (/code/pelias/pip-service/node_modules/fs-extra/lib/mkdirs/mkdirs-sync.js:31:9)
    at mkdirsSync (/code/pelias/pip-service/node_modules/fs-extra/lib/mkdirs/mkdirs-sync.js:36:14)
    at Object.mkdirsSync (/code/pelias/pip-service/node_modules/fs-extra/lib/mkdirs/mkdirs-sync.js:36:14)
    at Object.download (/code/pelias/pip-service/node_modules/pelias-whosonfirst/utils/download_data_all.js:15:6)
    at Object.<anonymous> (/code/pelias/pip-service/node_modules/pelias-whosonfirst/utils/download_data.js:68:36)
    at Module._compile (internal/modules/cjs/loader.js:689:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
    at Module.load (internal/modules/cjs/loader.js:599:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:538:12)

Note that this problem doesn't seem to occur in Kubernetes when an emptyDir is mounted to /data (instead of using a PVC), cf. pelias/kubernetes#79.

arne-cl commented 5 years ago

This seems to be two issues, not one.

Permissions for /mnt/pelias can be fixed in the Dockerfile of pip-service, while permissions for /data (or /data/whosonfirst) can only be fixed in the Dockerfile of pelias/baseimage (before VOLUME "/data").

leangeder commented 5 years ago

I got the same issue. You have to run the container image with the UID/GUID 1000. On Kubernetes, it will be defined like this:

  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000

orangejulius commented 5 years ago

@leangeder all the Pelias docker images default to using uid 1000 (as they define a pelias user with uid 1000 and switch to it with the USER directive).

However it might be interesting to add runAsUser and the other settings in https://github.com/pelias/kubernetes, so that people can change it if they'd like.
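
The securityContext settings discussed in this thread, placed in a full Pod manifest with the download step as an initContainer. This is an added example, not part of the thread and not taken from the pelias/kubernetes chart. The image, entrypoint path and `--admin-only` flag come from the report above; the Pod name, volume name and PVC name are hypothetical, and it assumes the Pelias configuration points the download at a path under /data rather than the /mnt/pelias seen in the error.

```yaml
# Added example: names marked "hypothetical" are placeholders, not chart values.
apiVersion: v1
kind: Pod
metadata:
  name: pelias-pip                  # hypothetical
spec:
  # Pod-level settings apply to the initContainer and the main container.
  securityContext:
    runAsNonRoot: true              # refuse to start if a container would run as uid 0
    runAsUser: 1000                 # the pelias user the images define
    runAsGroup: 1000
    fsGroup: 1000                   # supported volume types are made writable for gid 1000 at mount time
  initContainers:
    - name: download
      image: pelias/pip-service:latest
      command: ["/code/pelias/pip-service/bin/download", "--admin-only"]
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: data                # hypothetical volume name
          mountPath: /data
  containers:
    - name: pip
      image: pelias/pip-service:latest
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: pelias-data      # hypothetical PVC
  # Do not work around EACCES by setting runAsUser: 0; fix ownership of the
  # volume (fsGroup, or the storage backend) so uid/gid 1000 can write to it.
```

fsGroup only takes effect on volume types that support ownership management; for others (hostPath, for example) the backing directory must already be writable by uid or gid 1000. It also has no effect on paths inside the image such as /mnt/pelias, which are not mounted volumes.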

orangejulius commented 4 years ago

I think we determined this (as it pertains to the PIP service itself) ended up being a local filesystem permissions issue. We try to make the Pelias docker project runner fix or detect those issues where possible.

For kubernetes, if this is still necessary, please open a new issue in https://github.com/pelias/kubernetes