yobasystems / alpine-mariadb

MariaDB running on Alpine Linux [Docker]
https://hub.docker.com/r/yobasystems/alpine-mariadb/

Define User on Host #51

Open JacobOkanta opened 3 years ago

JacobOkanta commented 3 years ago

I've been trying to change all of my containers to use a specific user on the host system, using the "user" config option in compose if the container doesn't support UID by default. This container seems to fail to start with that even if the ownership of the directories is correct. This line seems most relevant, but I'll link the full log:

"/usr/bin/mysqld: One can only use the --user switch if running as root"

https://pastebin.com/53WYt41t

Is this something that won't work with this container, or am I just missing something?

dominictayloruk commented 3 years ago

The user is mysql, with user id 100 and group id 101.

mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin

This is the default. Changing the user would require amending the Dockerfile, as the mysql user chowns the /run/mysqld & /var/lib/mysql directories.

https://github.com/yobasystems/alpine-mariadb/blob/6b8eb2fb00fe08177a2f672be8aa3777d33a5d5b/alpine-mariadb-amd64/files/run.sh#L18

https://github.com/yobasystems/alpine-mariadb/blob/6b8eb2fb00fe08177a2f672be8aa3777d33a5d5b/alpine-mariadb-amd64/files/run.sh#L23

You would probably have to rebuild the container and amend it to your liking. Maybe the MariaDB documentation has some more info for you: https://mariadb.com/kb/en/documentation/

SoulInfernoDE commented 1 year ago

Hi @dominictayloruk, I need to reopen this issue. I stumbled upon this exact same problem. I was looking around the mysql and mariadb images, which seem to support user change as per the README on Docker Hub: https://hub.docker.com/_/mysql

If there is any way to implement user change on docker-compose for this image, this would help many setups in many ways and would be much appreciated. I really want to avoid setting up buildbots for changing that if there is any chance to implement this directly.

I also found this issue:

https://github.com/MariaDB/mariadb-docker/issues/304

To clarify why this is needed, here are the log lines: [four screenshots, not preserved]

dominictayloruk commented 1 year ago

What's the underlying storage setup?

SoulInfernoDE commented 1 year ago

Hey @dominictayloruk, thanks for trying to help with this :+1:

I am using Docker on a Synology NAS and trying to set up Nextcloud with Alpine images.

So here are some details of what my setup will look like:

I created a user (UID:1052 GID:100) that is used for all apps that will run docker containers. This user has full control of the folders and subfolders he is attached to including perm-changes.

This is the part of the compose file for mariadb that I am using.

Note: I hardened the privileges for more security with no-new-privileges:true

version: '3.9'
services:
  mariadb:
    image: yobasystems/alpine-mariadb:latest
    container_name: Nextcloud-DB
    env_file: /volume1/NextCloud/credentials/credentials.env
    security_opt:
      - no-new-privileges:true
    user: 1052:100
    command: --user 1052:100 --transaction-isolation=READ-COMMITTED --log-bin=mariadb-binlog --binlog-format=ROW --innodb-read-only-compressed=OFF
    volumes:
      - /volume1/NextCloud/database:/var/lib/mysql:rw
    environment:
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
#     - MYSQL_PASSWORD=credentials.env
#     - MYSQL_ROOT_PASSWORD=credentials.env
      - MYSQL_CHARSET=utf8mb4
      - MYSQL_COLLATION=utf8mb4_general_ci
      - TZ=Europe/Berlin
    restart: on-failure:5
    sysctls:
      net.core.somaxconn: 65535

These are the permissions set on the host system beforehand:

700 /volume1/NextCloud/config 1052 33 directory
700 /volume1/NextCloud/credentials 1052 100 directory
700 /volume1/NextCloud/customapps 1052 33 directory
700 /volume1//NextCloud/database 1052 100 directory
700 /volume1/NextCloud/main 1052 33 directory
700 /volume1NextCloud/redis 1052 33 directory
700 /volume1/NextCloud/themes 1052 33 directory

Using btrfs and the Synology kernel 3.10 with DSM 7.2 on a Synology Braswell (Intel CPU) 716+, and the Synology reverse proxy for SSL.

Looking through the PR that fixed the issue in the original image, tianon seems to have fixed it in line 35 here:

docker-entrypoint.sh

I'm not sure if and how it could be translated to Alpine Linux, as my knowledge is a bit off here, I think. Looking further through the fix, I think he is using gosu for it, which also seems to be available for Alpine from a quick Google search.
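
The root-versus-non-root branch discussed in this thread, as an added example (not this repository's run.sh and not the official image's docker-entrypoint.sh). The function names are assumptions; the two directories are the ones named above, and privilege dropping is left to mysqld's own `--user` switch instead of gosu.

```shell
#!/bin/sh
# Added example, not the image's run.sh. Assumed names: mysqld_args,
# dirs_writable, entrypoint. Directories are the two named in this thread.
DIRS="/run/mysqld /var/lib/mysql"

# Print the mysqld arguments appropriate for the given effective UID.
mysqld_args() {
    uid=$1; datadir=$2
    if [ "$uid" = "0" ]; then
        # Only root may pass --user; mysqld then drops to the mysql account.
        echo "--user=mysql --datadir=$datadir"
    else
        # Started via compose "user:": already unprivileged, so no --user.
        echo "--datadir=$datadir"
    fi
}

# Succeed only if every listed directory exists and is writable by this process.
dirs_writable() {
    for d in "$@"; do
        if [ ! -d "$d" ] || [ ! -w "$d" ]; then
            echo "not writable by uid $(id -u): $d" >&2
            return 1
        fi
    done
}

# Full start-up path; defined here but only called inside a real container.
entrypoint() {
    uid=$(id -u)
    if [ "$uid" = "0" ]; then
        # Root path: create the directories and hand them to the mysql account.
        mkdir -p $DIRS && chown -R mysql:mysql $DIRS || return 1
    else
        # Non-root path: chown would fail, so stop early with a clear message.
        dirs_writable $DIRS || return 1
    fi
    # Word splitting of the generated argument list is intended here.
    exec mysqld $(mysqld_args "$uid" /var/lib/mysql) "$@"
}

# Dry run: show what would be passed to mysqld for the current UID.
echo "uid $(id -u): mysqld $(mysqld_args "$(id -u)" /var/lib/mysql)"
```

With a branch like this, the compose file would set only `user: 1052:100`; a `--user` left in `command:` would still reach mysqld running as a non-root process and produce the message quoted in the first post.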