
Read file permission denied when starting besu from docker image

Open br-kwon opened this issue 3 years ago • 12 comments

Description

Hello, I'm looking for help with running besu from the docker image. The problem I am running into is mounting a named volume (which I named "besu") to a path I specified with --data-path. The container errors out saying:

Failed to retrieve the RocksDB database meta version: /var/lib/besu/DATABASE_METADATA.json (Permission denied) could not be found. You may not have the appropriate permission to access the item.

I suspect that since the user is changed from root to "besu", the user "besu" does not have permissions to write in the --data-path dir that I specified.

I can work around this by setting the docker run config --user=0 to switch back to root, but this obviously doesn't seem like the most optimal solution.

Acceptance Criteria

  • I can mount a volume to the besu --data-path config without overriding the user in the container or
  • volume mount is automatically done by the container

Steps to Reproduce (Bug)

  1. Create a named volume called "besu": docker volume create besu
  2. Run: docker run --name besu -v besu:/var/lib/besu hyperledger/besu:latest --data-path=/var/lib/besu

Expected behavior:

Expected to run besu without error (i.e. container user has permissions to read/write to specified volume)

Actual behavior:

Container errors out with the message seen in the Description.

Frequency: 100%

Versions (Add all that apply)

  • Software version: hyperledger/besu:latest (docker image)
  • OS Name & Version: Ubuntu 22.04.1 LTS
  • Kernel Version: 5.15.0-46-generic
  • Docker Version: 20.10.17

Edit: Updated issue description with given layout (sorry didn't see when clicking "Reference in new issue" from code line!)

br-kwon avatar Aug 22 '22 20:08 br-kwon

Some ideas:

  • somehow read runtime configurations for --data-path in the Dockerfile and allow read/write access for user "besu"
  • refactor so container creates the volume (users wouldn't have to mount volumes or binds themselves)

br-kwon avatar Aug 22 '22 20:08 br-kwon

Hi there, are you still experiencing this issue? We have made many changes to RocksDB recently. I might tag this as a good first issue to fix, since it is mostly RocksDB config.

non-fungible-nelson avatar Jan 26 '23 12:01 non-fungible-nelson

@br-kwon

non-fungible-nelson avatar Jan 26 '23 12:01 non-fungible-nelson

Is there any solution? I am facing this issue.

The issue is only there if I use a volume.

ananthanir avatar Mar 01 '23 06:03 ananthanir

Is there any solution? I am facing this issue.

The issue is only there if I use a volume.

I met the same problem and fixed it. You need to edit the data-path config and set the volume mapping. Example:

docker run -itd --name besu --network ethereum \
  -p 30303:30303/tcp -p 30303:30303/udp -p 8545:8545 -p 8551:8551 \
  -e JAVA_OPTS=-Xmx8g \
  -v $HOME/data1/xypTest:/opt/data -v $HOME/data1/JWT:/JWT \
  hyperledger/besu:latest \
  --network=mainnet --sync-mode=X_SNAP --data-storage-format=BONSAI \
  --rpc-http-enabled --rpc-http-host=0.0.0.0 --rpc-http-api=ETH,NET,WEB3 \
  --rpc-http-cors-origins=* --host-allowlist=* --engine-host-allowlist=* \
  --engine-jwt-secret=/JWT/jwtsecret --engine-rpc-port=8551 \
  --data-path=/opt/data

MatrixYe avatar Mar 07 '23 10:03 MatrixYe

+1. I don't seem to be having this issue with other eth clients

jgresham avatar Mar 07 '23 19:03 jgresham

Thanks for these reports, all. We are looking to reprioritize this. Should be a small fix.

non-fungible-nelson avatar Mar 07 '23 20:03 non-fungible-nelson

Is there a work-around for this? Do we need to set the user to besu?

jgresham avatar Apr 11 '23 01:04 jgresham

I was able to get around the error by providing the user and group IDs that hold the permission for the directory $PWD/besu-data:

services:
  besu:
    image: hyperledger/besu:latest
    container_name: besu
    restart: unless-stopped
    stop_signal: SIGTERM
    stop_grace_period: 5m
    user: "1002:1003"
    volumes:
      - ./besu-data:/var/lib/besu/data
    ...

The mentioned IDs in my case were retrieved with:

echo "$(id -u):$(id -g)"

ruanbekker avatar Nov 16 '23 10:11 ruanbekker
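
A preflight check for the bind-mount workaround in the comment above, as an added example that is not part of the original thread or the besu project: it tests whether a chosen non-root UID:GID would get read/write/execute on the host data directory before the container starts, so the `--user=0` fallback is not needed. The helper names `can_write_dir` and `plan_besu_run` are hypothetical; the check assumes GNU stat and models only owner/group/other mode bits.

```shell
#!/bin/sh
# Added example (not besu project code). Assumes GNU stat (Linux) and models
# only owner/group/other mode bits: no ACLs, no supplementary groups.

# can_write_dir DIR UID GID  (hypothetical helper)
# Returns 0 if a non-root process running as UID:GID gets rwx on DIR,
# 1 if it does not, 2 if DIR is not a directory.
can_write_dir() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] || return 2
    owner=$(stat -c '%u' "$dir")
    group=$(stat -c '%g' "$dir")
    mode=$(stat -c '%a' "$dir")         # e.g. 750, or 2775 with setgid
    bits=$((0$mode))                    # read the digits as an octal number
    if [ "$uid" -eq "$owner" ]; then
        class=$(( (bits >> 6) & 7 ))    # owner bits apply
    elif [ "$gid" -eq "$group" ]; then
        class=$(( (bits >> 3) & 7 ))    # group bits apply
    else
        class=$(( bits & 7 ))           # "other" bits apply
    fi
    [ "$class" -eq 7 ]                  # need r, w and x on a data directory
}

# plan_besu_run DIR UID GID  (hypothetical helper)
# Prints the docker command from the issue with an explicit non-root --user,
# or the ownership fix to apply first. Nothing is executed.
plan_besu_run() {
    if can_write_dir "$1" "$2" "$3"; then
        echo "docker run --name besu --user $2:$3 -v $1:/var/lib/besu hyperledger/besu:latest --data-path=/var/lib/besu"
    else
        echo "fix first: mkdir -p $1 && sudo chown -R $2:$3 $1 && sudo chmod 700 $1"
        return 1
    fi
}

# Constructed demo: a private temp directory owned by the current user.
demo=$(mktemp -d) && chmod 700 "$demo"
plan_besu_run "$demo" "$(id -u)" "$(id -g)"
rm -rf "$demo"
```
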

Always facing this kind of problem when someone finds it a good idea to build an image without using root.... the external folder must be created before the instance runs because I need to pass the genesis file and other files and I do not want to create one volume for each file and another just for data....

Why don't you guys create the image using root?

For those that want to bypass this, you can use mine:

magnoabreu/besu-base:<VERSION>

For now I have only

magnoabreu/besu-base:24.1.1 and magnoabreu/besu-base:24.1.2

You must give the besu executable call because I often need to access /bin/bash and can't put "besu" command in CMD or ENTRYPOINT.

Ex.

docker run <DOCKER_PARAMS> -d magnoabreu/besu-base:24.1.2 /besu/bin/besu --besu_params= ... --nat-method=DOCKER ...

or just to play inside it:

docker run <DOCKER_PARAMS> -it magnoabreu/besu-base:24.1.2 /bin/bash

or

docker exec <INSTANCE> /bin/bash

Just be careful: you're ROOT when inside it. You may destroy the universe. ( SARC )

icemagno avatar Feb 20 '24 16:02 icemagno

If there are suggestions that would make sense as a PR, we welcome contributions :)

non-fungible-nelson avatar Feb 27 '24 21:02 non-fungible-nelson