arangodb-docker
Permission denied on /var/lib/arangodb3-apps/ when running in OpenShift
Hi,
I am working on deploying ArangoDB on our OpenShift cluster and everything looks great up to the point where I try to create a database, at which point I get:
2018-11-21T09:38:54Z [1] ERROR unable to create application directory '/var/lib/arangodb3-apps/_db/test' for database 'test': failed to create directory '/var/lib/arangodb3-apps/_db/test': Permission denied
I tracked the issue down to a missing -R in https://github.com/vpavlin/arangodb-docker/blob/official/Dockerfile34.templ#L46-L47
Steps to reproduce:
$ docker run --name tmp0 -it --rm -u 1001:0 docker.io/arangodb/arangodb:3.3.17 bash
I have no name!@23d6912163fc:/$ ls -la /var/lib/arangodb3-apps/
total 12
drwxrwxr-x. 3 arangodb root 4096 Nov 21 12:47 .
drwxr-xr-x. 1 root root 4096 Oct 8 13:26 ..
drwxr-xr-x. 3 arangodb arangodb 4096 Oct 8 13:26 _db
I have no name!@23d6912163fc:/$ id
uid=1001 gid=0(root) groups=0(root)
I have no name!@23d6912163fc:/$ touch /var/lib/arangodb3-apps/_db/aaa
touch: cannot touch '/var/lib/arangodb3-apps/_db/aaa': Permission denied
I have built an image from the fixed Dockerfile, https://quay.io/repository/vpavlin/arangodb?tab=tags, which works fine:
$ docker run --name tmp0 -it --rm -u 1001:0 quay.io/vpavlin/arangodb:bug_fix-3.3.17 bash
I have no name!@1f79c56dbc63:/$ ls -la /var/lib/arangodb3-apps/
total 12
drwxrwxr-x. 3 arangodb root 4096 Nov 21 12:48 .
drwxr-xr-x. 1 root root 4096 Nov 21 11:28 ..
drwxrwxr-x. 3 arangodb root 4096 Nov 21 11:28 _db
I have no name!@1f79c56dbc63:/$ id
uid=1001 gid=0(root) groups=0(root)
I have no name!@1f79c56dbc63:/$ touch /var/lib/arangodb3-apps/_db/aaa
I have no name!@1f79c56dbc63:/$
@vpavlin I think the main problem is that "1001" is not the uid of arangodb. If you use names, then it works:
docker run --name tmp0 -it --rm -u arangodb:arangodb docker.io/arangodb/arangodb:3.3.17 bash
Can you confirm this?
Could be; the problem is that in OpenShift the uid is random for better security, but the user is in group root, so the guidelines suggest chgrp -R 0, see: https://docs.okd.io/latest/creating_images/guidelines.html#openshift-specific-guidelines
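An added check (not code from this issue or from the arangodb-docker project) that reproduces the effect of the missing -R on a constructed stand-in for /var/lib/arangodb3-apps and reports every directory a random-UID member of the target group could not write to. The real target group in OpenShift is gid 0; the demo defaults to the caller's own gid so it runs unprivileged.

```shell
#!/bin/sh
# Added example; not code from the issue or the arangodb-docker project.

# check_group_writable DIR GID: print every directory under DIR that is not
# owned by group GID with the group-write bit set; return 1 if any is found.
check_group_writable() {
    _bad=0
    for _d in $(find "$1" -type d); do
        _gid=$(stat -c '%g' "$_d")
        _mode=$(stat -c '%A' "$_d")            # e.g. drwxrwxr-x
        _gw=$(printf '%s' "$_mode" | cut -c6)  # 6th char is the group-write bit
        if [ "$_gid" != "$2" ] || [ "$_gw" != "w" ]; then
            echo "$_d"
            _bad=1
        fi
    done
    return $_bad
}

# build_tree ROOT: constructed stand-in for the apps directory with a nested
# _db/test directory, all group-unwritable to begin with.
build_tree() {
    mkdir -p "$1/apps/_db/test" && chmod -R g-w "$1/apps"
}

# demo [GID]: apply the non-recursive chgrp/chmod (as in the original
# Dockerfile) and then the recursive fix; print "<broken-result> <fixed-result>".
demo() {
    _root=$(mktemp -d)
    _gid=${1:-$(id -g)}   # OpenShift target is 0; caller's gid keeps this unprivileged

    build_tree "$_root"
    chgrp "$_gid" "$_root/apps" && chmod g+w "$_root/apps"        # no -R: only the top dir
    check_group_writable "$_root/apps" "$_gid" >/dev/null && _broken=ok || _broken=denied

    rm -rf "$_root/apps"; build_tree "$_root"
    chgrp -R "$_gid" "$_root/apps" && chmod -R g+w "$_root/apps"  # the fix: recurse
    check_group_writable "$_root/apps" "$_gid" >/dev/null && _fixed=ok || _fixed=denied

    rm -rf "$_root"
    echo "$_broken $_fixed"
}
```

Run `check_group_writable /var/lib/arangodb3-apps 0` inside a built image to list exactly the directories that will produce the "Permission denied" above under an arbitrary uid.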
I can still reproduce the same issue using Kubernetes if I drop the DAC_OVERRIDE Linux capability in the deployment file even if I am using the root user:
root@test-76c67d987c-pncbc:/# touch /var/lib/arangodb3-apps/_db/s
touch: cannot touch '/var/lib/arangodb3-apps/_db/s': Permission denied