8.4.0 docker: ls: cannot access '/docker-entrypoint-initdb.d/': Operation not permitted
service
docker service create --name test_mysql \
--env MYSQL_ROOT_PASSWORD=8NTVs5enkH7byuQS \
--config source=mysql.cnf,target=/etc/mysql/my.cnf \
mysql:8.4.0
config: mysql.cnf
# only test for empty
errorLog
2024-06-12 15:03:50+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.4.0-1.el8 started.
2024-06-12 15:03:50+08:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2024-06-12 15:03:50+08:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 8.4.0-1.el8 started.
ls: cannot access '/docker-entrypoint-initdb.d/': Operation not permitted
info
Kernel Version: 3.10.0-957.el7.x86_64
CentOS Linux release 7.6.1810 (Core)
Docker Version: Server Version: 19.03.8
QA
When I remove --config, it can start normally. After adding it, even if mysql.cnf does not have any configuration, it cannot start.
Tried both mysql:8.4.0 and 8.4.0-oraclelinux8, same problem.
This problem was not discovered when some servers were deployed, but this problem was discovered when this older server was deployed.
This is likely seccomp -- you'll want to update Docker, libseccomp2, runc, etc on your host: https://github.com/docker-library/official-images/issues/16829
@tianon On another CentOS 7 machine, the docker version is the same, the libseccomp version is the same, and the kernel is slightly inconsistent. It is 3.10.0-1062.el7.x86_64. It started normally with 8.4.0-oraclelinux8. Is there any other way to support the deployment of 8.4.0 through docker service?
Sorry for missing this.
> Is there any other way to support the deployment of 8.4.0 through docker service?
It works fine here (and on one of your hosts). Just like with any newer software, it isn't guaranteed to run on older hosts. Even when using containers, the combination of libseccomp2, dockerd, runc, containerd, and kernel versions on the host might be important for newer syscalls, resulting in "Operation not permitted" because of a denial via libseccomp.
You could try running it via --security-opt seccomp=unconfined on docker run, but it doesn't look like that is supported for swarm services yet (https://github.com/docker/cli/pull/5698).
Unfortunately, this doesn't look like anything we can change in the image, so I'll close this.
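A diagnostic for the seccomp hypothesis discussed in this thread, added here as an example and not part of the thread or of the image's own scripts: it runs the failing `ls` once under the host's default seccomp profile and once with `--security-opt seccomp=unconfined`, then reports whether the error follows the profile. The function names, the `DOCKER` override variable and the verdict strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: A/B check of the default seccomp profile vs. seccomp=unconfined.
# DOCKER is a hypothetical override so the CLI can be swapped out (e.g. for a stub).
DOCKER="${DOCKER:-docker}"

# Run the command that failed in the entrypoint inside a throwaway container.
# usage: probe IMAGE [extra "docker run" options...]
probe() {
    image=$1; shift
    "$DOCKER" run --rm "$@" --entrypoint ls "$image" -d /docker-entrypoint-initdb.d/ 2>&1
}

# Print one verdict for IMAGE:
#   not-reproduced  ls works under the default profile on this host
#   seccomp-denial  "Operation not permitted" by default, works when unconfined
#   seccomp-related fails by default with another message, works when unconfined
#   not-seccomp     fails either way, so the profile is not the cause
seccomp_verdict() {
    image=$1
    # The && / || form keeps the exit status without tripping "set -e".
    default_out=$(probe "$image") && default_rc=0 || default_rc=$?
    unconf_out=$(probe "$image" --security-opt seccomp=unconfined) && unconf_rc=0 || unconf_rc=$?
    if [ "$default_rc" -eq 0 ]; then
        echo "not-reproduced"
    elif [ "$unconf_rc" -eq 0 ]; then
        case $default_out in
            *"Operation not permitted"*) echo "seccomp-denial" ;;
            *) echo "seccomp-related" ;;
        esac
    else
        echo "not-seccomp"
    fi
}

# Run against the image named on the command line, e.g.: sh check.sh mysql:8.4.0
if [ $# -gt 0 ]; then seccomp_verdict "$1"; fi
```

A `not-reproduced` result from `docker run` does not rule out the swarm case, since the failure reported above only appeared with `--config` attached to the service.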