docker-neo4j
EXTENSION_SCRIPT fails in docker
#55 describes changing the user neo4j runs as in Docker from root to neo4j.
In making this (good) change it seems that the EXTENSION_SCRIPT feature is now broken, as the loader script still runs as root, before the neo4j process starts as the neo4j user. Running the loader as root creates some files owned by root, and then the neo4j user doesn't have permissions for those files.
This manifests itself with neo4j not being able to start:
2018-10-01 13:24:00.914+0000 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@7a36aefa' was successfully initialized, but failed to start. Please see the attached cause exception "/var/lib/neo4j/logs/debug.log (Permission denied)". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@7a36aefa' was successfully initialized, but failed to start. Please see the attached cause exception "/var/lib/neo4j/logs/debug.log (Permission denied)".
org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@7a36aefa' was successfully initialized, but failed to start. Please see the attached cause exception "/var/lib/neo4j/logs/debug.log (Permission denied)".
    at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:68)
    at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:220)
    at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:111)
    at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:79)
    at org.neo4j.server.CommunityEntryPoint.main(CommunityEntryPoint.java:32)
This change seems to have happened at version 3.3.4. With version 3.3.3 you do not see this problem and the neo4j process is running as root.
I found a probable fix for this. In the docker-entrypoint.sh file the execution of the extension script happens after setting the permissions and ownership of the /data directory so that the server can be run as the neo4j user. But the extension script runs as the root user so sets some permissions back.
If the order of these operations is reversed then it seems to avoid the problem.
The contents of the /var/lib/neo4j/logs/ dir also need to be deleted (might be better to change permissions of the /var/lib/neo4 dir?)
See here for the current code: https://github.com/neo4j/docker-neo4j-publish/blob/94477399f63ab99c035e50b46f642e791413dcaa/3.4.9/community/docker-entrypoint.sh#L203-L210
If changed to this it seems to work:
[ -f "${EXTENSION_SCRIPT:-}" ] && . ${EXTENSION_SCRIPT}
# Chown the data dir now that (maybe) an initial password has been
# set (this is a file in the data dir)
if [[ "$(id -u)" = "0" ]]; then
    chmod -R 755 /data
    chown -R "${userid}":"${groupid}" /data
    rm /var/lib/neo4j/logs/*
fi
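An ownership preflight for the situation described above, as an added example that is not part of the original issue or the docker-neo4j code: it is meant to run after the extension script and before privileges are dropped, so root-owned leftovers are handed back to the run-as user instead of deleted. The function names and the directories passed to them are assumptions.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): catch files that a root-run hook
# left behind before the server starts as an unprivileged user.

# Print every path under the given directories that is NOT owned by run_uid.
# Usage: foreign_owned <run_uid> <dir>...
foreign_owned() {
    local run_uid="$1"; shift
    local dir
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" ! -uid "$run_uid" -print
    done
}

# Call after the extension script has run and before dropping privileges.
# As root: chown only the offending paths back to the run-as user.
# As non-root: fail early with a list, rather than letting the server die
# later on "Permission denied".
# Usage: ensure_owned <run_uid> <run_gid> <dir>...
ensure_owned() {
    local run_uid="$1" run_gid="$2"; shift 2
    local offenders
    offenders="$(foreign_owned "$run_uid" "$@")"
    [ -z "$offenders" ] && return 0
    if [ "$(id -u)" = "0" ]; then
        # Assumes paths contain no newlines (true for neo4j's own files).
        printf '%s\n' "$offenders" | while IFS= read -r p; do
            chown "$run_uid:$run_gid" "$p"
        done
        return 0
    fi
    echo "not owned by uid $run_uid:" >&2
    printf '  %s\n' "$offenders" >&2
    return 1
}
```

In an entrypoint this would be called as, for example, `ensure_owned "${userid}" "${groupid}" /data /var/lib/neo4j/logs` on the line after the extension script is sourced.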
Any progress regarding this? I faced the same issue on v3.5.8
I think you can use "exec gosu neo4j:neo4j" before your sh.