
`open /run/10-dev.mqsc: permission denied` in docker-compose setup

Open erwinkramer opened this issue 3 months ago • 2 comments

My container keeps restarting, with this log sequence each time:

2025-08-20T18:25:33.666Z CPU architecture: amd64
2025-08-20T18:25:33.666Z Linux kernel version: 4.4.302+
2025-08-20T18:25:33.666Z Base image: Red Hat Enterprise Linux 9.6 (Plow)
2025-08-20T18:25:33.666Z Running as user ID 1043 with primary group 65543, and supplementary groups 65543
2025-08-20T18:25:33.666Z Capabilities (bounding set): chown,dac_override,fowner,fsetid,kill,setgid,setuid,setpcap,net_bind_service,net_raw,sys_chroot,mknod,audit_write,setfcap
2025-08-20T18:25:33.666Z seccomp enforcing mode: disabled
2025-08-20T18:25:33.666Z Process security attributes: docker-default (enforce)
2025-08-20T18:25:33.666Z Detected 'btrfs' volume mounted to /mnt/mqm
2025-08-20T18:25:33.667Z open /run/10-dev.mqsc: permission denied
Container stopped

I do not mount anything at /run/, so that path is internal to the image.

When I do not use a custom user ID and instead use a supplementary group, it works fine. In that case the startup log reads: `Running as user ID 1001 with primary group 0, and supplementary groups 0,65543`.

This is my full container configuration:

{
   "CapAdd" : null,
   "CapDrop" : null,
   "cmd" : "",
   "cmd_v2" : "",
   "cpu_priority" : 0,
   "enable_publish_all_ports" : false,
   "enable_restart_policy" : false,
   "enabled" : false,
   "env_variables" : [
      {
         "key" : "LICENSE",
         "value" : "accept"
      },
      {
         "key" : "MQ_QMGR_NAME",
         "value" : "QM1"
      },
      {
         "key" : "DOCKER_API_VERSION",
         "value" : "1.43"
      },
      {
         "key" : "TZ",
         "value" : "Europe/Amsterdam"
      },
      {
         "key" : "PATH",
         "value" : "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/mqm/bin"
      },
      {
         "key" : "container",
         "value" : "oci"
      },
      {
         "key" : "MQ_OVERRIDE_DATA_PATH",
         "value" : "/mnt/mqm/data"
      },
      {
         "key" : "MQ_OVERRIDE_INSTALLATION_NAME",
         "value" : "Installation1"
      },
      {
         "key" : "MQ_USER_NAME",
         "value" : "mqm"
      },
      {
         "key" : "MQ_GRACE_PERIOD",
         "value" : "30"
      },
      {
         "key" : "LANG",
         "value" : "C"
      },
      {
         "key" : "AMQ_DIAGNOSTIC_MSG_SEVERITY",
         "value" : "1"
      },
      {
         "key" : "AMQ_ADDITIONAL_JSON_LOG",
         "value" : "1"
      },
      {
         "key" : "MQ_LOGGING_CONSOLE_EXCLUDE_ID",
         "value" : "AMQ5041I,AMQ5052I,AMQ5051I,AMQ5037I,AMQ5975I"
      },
      {
         "key" : "WLP_LOGGING_MESSAGE_FORMAT",
         "value" : "json"
      },
      {
         "key" : "MQ_CONNAUTH_USE_HTP",
         "value" : "true"
      },
      {
         "key" : "MQ_DEV",
         "value" : "true"
      },
      {
         "key" : "MQ_ENABLE_EMBEDDED_WEB_SERVER",
         "value" : "1"
      },
      {
         "key" : "MQ_GENERATE_CERTIFICATE_HOSTNAME",
         "value" : "localhost"
      },
      {
         "key" : "LD_LIBRARY_PATH",
         "value" : "/opt/mqm/lib64"
      },
      {
         "key" : "MQS_PERMIT_UNKNOWN_ID",
         "value" : "true"
      }
   ],
   "exporting" : false,
   "id" : "9df6ab31bb193a4d3dffc71e5c5eedb66bbd9f5fffc8ee21f3543e8fde41bf41",
   "image" : "icr.io/ibm-messaging/mq:latest",
   "is_ddsm" : false,
   "is_package" : false,
   "labels" : {
      "architecture" : "amd64",
      "authoritative-source-url" : "https://www.ibm.com/software/passportadvantage/",
      "base-image" : "registry.access.redhat.com/ubi9/ubi-minimal",
      "base-image-release" : "9.6-1752069876",
      "build-date" : "2025-07-15T08:45:40+0000",
      "caddy_0" : "http://ibmmq.nasi.guanchen.nl",
      "caddy_0.import" : "tinyauth_forwarder *",
      "caddy_0.reverse_proxy" : "{{upstreams 9443}}",
      "caddy_1.layer4.:1414" : "",
      "caddy_1.layer4.:1414.@a" : "remote_ip 192.168.50.0/24",
      "caddy_1.layer4.:1414.route" : "@a",
      "caddy_1.layer4.:1414.route.proxy" : "{{ upstreams 1414 }}",
      "com.docker.compose.config-hash" : "12528dcfd7f70ad5cbb87a0c3ea1e2aa25d32508971249c714a990cea25886f0",
      "com.docker.compose.container-number" : "1",
      "com.docker.compose.depends_on" : "",
      "com.docker.compose.image" : "sha256:9e36370b93ae719d0098b7e0c71f2dd65a5c3717dc185fc94e41bd403fdf8d93",
      "com.docker.compose.oneoff" : "False",
      "com.docker.compose.project" : "garden",
      "com.docker.compose.project.config_files" : "/volume1/docker/projects/garden/docker-compose.yaml",
      "com.docker.compose.project.working_dir" : "/volume1/docker/projects/garden",
      "com.docker.compose.replace" : "59979b293b8a508e8ab6a2d1d02ec7378a5df3f226085bab7896e9feca120043",
      "com.docker.compose.service" : "ibm-mq",
      "com.docker.compose.version" : "2.20.1",
      "com.redhat.component" : "ubi9-minimal-container",
      "com.redhat.license_terms" : "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
      "description" : "Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises",
      "distribution-scope" : "private",
      "io.buildah.version" : "1.41.0-dev",
      "io.k8s.description" : "Simplify, accelerate and facilitate the reliable exchange of data with a security-rich messaging solution — trusted by the world’s most successful enterprises",
      "io.k8s.display-name" : "IBM MQ Advanced for Developers Server",
      "io.openshift.expose-services" : "",
      "io.openshift.tags" : "mq messaging",
      "maintainer" : "IBM",
      "mq-build" : "p943-L250527",
      "name" : "ibm-mqadvanced-server-dev",
      "release" : "r2",
      "run" : "podman run -d -e LICENSE=accept ibm-mqadvanced-server-dev:9.4.3.0-r2.20250715084208.7be81c6-amd64",
      "summary" : "IBM MQ Advanced for Developers Server",
      "url" : "https://www.ibm.com/products/mq/advanced",
      "vcs-ref" : "7be81c6ea1b9e5a25f3432517362ac5a402bf024",
      "vcs-type" : "git",
      "vcs-url" : "[email protected]:mq-cloudpak/mq-container.git",
      "vendor" : "IBM",
      "version" : "9.4.3.0"
   },
   "links" : [],
   "memory_limit" : 0,
   "name" : "ibmmq",
   "network" : [
      {
         "driver" : "bridge",
         "name" : "eden"
      }
   ],
   "network_mode" : "eden",
   "port_bindings" : [],
   "privileged" : false,
   "shortcut" : {
      "enable_shortcut" : false,
      "enable_status_page" : false,
      "enable_web_page" : false,
      "web_page_url" : ""
   },
   "use_host_network" : false,
   "version" : 2,
   "volume_bindings" : [
      {
         "host_volume_file" : "/docker/projects/garden/docker-ibmmq/config",
         "is_directory" : true,
         "mount_point" : "/mnt/mqm",
         "type" : "rw"
      },
      {
         "host_volume_file" : "/docker/projects/garden/docker-ibmmq/mykey",
         "is_directory" : true,
         "mount_point" : "/etc/mqm/pki/keys/mykey",
         "type" : "rw"
      }
   ]
}

erwinkramer avatar Aug 20 '25 18:08 erwinkramer