8

I'm trying to launch postgres in IBM containers. I have just created a volume with:

```
$ cf ic volume create pgdata
```

Then mount it:

```
$ cf ic run --volume pgdata:/var/pgsql -p 22 registry.ng.bluemix.net/ruimo/pgsql944-cli
```

After logging into the container through ssh, I found that the mounted directory is owned by root:

```
drwxr-xr-x  3 root root   4096 Jul  8 08:20 pgsql
```

Since postgres does not permit running as root, I want to change the owner of this directory. But I cannot change the owner of this directory:

```
# chown postgres:postgres pgsql
chown: changing ownership of 'pgsql': Permission denied
```

Is it possible to change the owner of the mounted directory?

ralphearle
ruimo

3 Answers

7

In IBM Containers, the user namespace is enabled for the docker engine. When the user namespace is enabled, the effective root inside the container is a non-root user outside the container process, and NFS does not allow the mapped non-root user to perform the chown operation on the volume inside the container. Please note that the volume pgdata is an NFS mount; this can be verified by executing `mount -t nfs4` from the container.

You can try the workaround suggested for "How can I fix the permissions using docker on a bluemix volume?"

In this scenario it will be:

1. Mount the Volume to `/mnt/pgdata` inside the container

```
cf ic run --volume pgdata:/mnt/pgdata -p 22 registry.ng.bluemix.net/ruimo/pgsql944-cli
```

2. Inside the container

```
# 2.1 Create "postgres" group and user
groupadd --gid 1010 postgres
useradd --uid 1010 --gid 1010 -m --shell /bin/bash postgres

# 2.2 Add the user to group "root"
adduser postgres root
chmod 775 /mnt/pgdata

# 2.3 Create pgsql directory under bind-mount volume
su -c "mkdir -p /mnt/pgdata/pgsql" postgres
ln -sf /mnt/pgdata/pgsql /var/pgsql

# 2.4 Remove the user from group "root"
deluser postgres root
chmod 755 /mnt/pgdata
```
Community
Neeraj Kashyap
  • Thanks, adding postgres user to the root group tentatively did the magic! – ruimo Oct 05 '15 at 07:12
  • This seems to help tentatively but how would it look to make it permanent? If I follow this and then start a new container I'm back to permission denied on the `pgsql` subdirectory. I'm also using the `postgres:9.5` image which might make things a little different. – krsyoung Mar 16 '16 at 14:38
  • For reference I was not able to make this work using the official DockerHub postgres 9.5 image. It required modification to the `docker-entrypoint.sh` file using some of the ideas above before things would work. – krsyoung Mar 18 '16 at 17:13
  • @krsyoung: Can you share what you did to make it work? – stan May 21 '16 at 22:55
  • 2
    Hey @StanislavPalatnik, I uploaded an example of the changes I made here: https://github.com/krsyoung/ibm-containers-postgres. Let me know how you make out! – krsyoung May 23 '16 at 02:29
  • @krsyoung: Thanks! That was almost perfect. One issue is that the check for PG_VERSION fails because the "non-root" root is trying to access a postgres owned file. I just chmodded the pgdata folder to 744 before the check and back to 700 after. Worked like a charm! – stan May 24 '16 at 02:14
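
The two conditions named in the answer above (container root mapped to a non-root user outside the container, and a volume on NFS) can be checked from inside a container by reading `/proc/self/uid_map` and `/proc/mounts`. This is an added example, not part of the original answer; the function names and the sample uid map and mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: tests for the two conditions the answer names.
# File arguments default to the live /proc files; constructed copies can be passed instead.

# Succeeds when uid 0 in this namespace maps to a non-zero uid outside it.
# uid_map lines: <first uid inside> <first uid outside> <range length>
root_is_remapped() {
    awk '$1 == 0 { found = 1; if ($2 != 0) remapped = 1 }
         END { exit !(found && remapped) }' "${1:-/proc/self/uid_map}"
}

# Prints the filesystem type of the mount holding path $1 (longest mount-point
# prefix wins; on a tie the later, topmost entry wins).
# mounts lines: <device> <mount point> <fstype> <options> <dump> <pass>
mount_fstype() {
    awk -v p="$1" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); fs = $3 } }
        END { print fs }' "${2:-/proc/mounts}"
}

# Prints "blocked" when both conditions hold for path $1, else "not-matched".
chown_diagnosis() {
    target=$1; uid_map=${2:-/proc/self/uid_map}; mounts=${3:-/proc/mounts}
    fs=$(mount_fstype "$target" "$mounts")
    case $fs in nfs|nfs4) on_nfs=1 ;; *) on_nfs=0 ;; esac
    if [ "$on_nfs" -eq 1 ] && root_is_remapped "$uid_map"; then
        echo "blocked"       # remapped root on an NFS mount, as the answer describes
    else
        echo "not-matched"   # a chown failure here would have another cause
    fi
}

# Constructed sample inputs (hypothetical values, not captured from IBM Containers).
sample_dir=$(mktemp -d)
printf '0 100000 65536\n' > "$sample_dir/uid_map"
cat > "$sample_dir/mounts" <<'EOF'
overlay / overlay rw 0 0
nfs.example.invalid:/vol/pgdata /mnt/pgdata nfs4 rw,vers=4.0 0 0
EOF
chown_diagnosis /mnt/pgdata/pgsql "$sample_dir/uid_map" "$sample_dir/mounts"
```

Called with only a path, `chown_diagnosis` reads the live `/proc` files of the container it runs in.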
0

In your Dockerfile you can modify the permissions of a directory.

```
RUN chown postgres:postgres pgsql
```

Additionally when you ssh in you can modify the permissions of the directory by using sudo.

```
sudo chown postgres:postgres pgsql
```

Jeff Sloyer
  • Both did not work for me. Do you mean vanilla docker but IBM containers? – ruimo Jul 11 '15 at 10:51
  • Both are applicable to vanilla containers. IBM containers are the same thing – Jeff Sloyer Jul 11 '15 at 11:02
  • @ruimo are you still having this issue? – Jeff Sloyer Jul 20 '15 at 12:23
  • 1
    Yes, it seems that the file system for bluemix volume does not permit root user to change files owned by other users... – ruimo Jul 21 '15 at 07:39
  • @JeffSloyer, I encountered a similar issue and both of these solutions do not work for me. I expected at least the second one to work. I hooked up a tomcat container (that I had handy) to the volume and sshed to the container. Issuing a chown resulted in a permission denied message. – Manglu Mar 22 '17 at 23:28
0

Here are 3 different but possible solutions:

  1. Using a dockerfile and doing a chown before mounting the volume.
  2. USER ROOT command in dockerfile before you do a chown.
  3. Use --cap-add flag.
Community
  • Thanks for info. 1, 2 did not work for me. Locating "RUN chown" before volume statement or adding 'User root' before "RUN chown" took no effect. For solution 3, I don't know how I can pass --cap-add option to "cf ic run" command... – ruimo Sep 01 '15 at 05:28