Permission denied on one docker container - docker

I am new to docker and I am building a simple dashboard app with Loki and Grafana.
I am trying to change the Grafana setup file in the Grafana container, however, it says "Permission denied". I tried mkdir test in the container at multiple locations and they are all permission denied, so I know its a permission issue. For my entire repository, I have 4 separate containers. All other containers do not get permission denied, only the Grafana container. Furthermore, my old Ubuntu VM was corrupted, but the old VM also did not get permission denied, so I am not sure why the new one is.
I have tried running:
sudo chmod -R a+rwx repo
to provide permissions to everything. I checked all the volumes permissions by right-clicking them, and they are all "Create and delete files" for Owner, Group and Others.
On the docker container, I ran a permissions check and got:
However, the other containers have similar permissions.
I also ran id on the container. For the container with no permissions, I got:
for the one that does not work.
The ones that do work return
The entire docker-compose code can be found here:
version: "3"
networks:
bypass:
services:
loki:
image: grafana/loki:2.4.0
volumes:
- ./admin/config:/mnt/config
- ./data/loki:/mnt/loki
ports:
- "3100:3100"
command: -config.file=/mnt/config/loki-config.yaml
restart: unless-stopped
networks:
- bypass
promtail:
image: grafana/promtail:2.4.0
volumes:
- ./data/raw:/mnt/raw
- ./data/log:/mnt/log
- ./admin/config:/mnt/config
command: -config.file=/mnt/config/promtail-config.yaml
restart: unless-stopped
networks:
- bypass
bypass:
image: bypass:latest
ports:
- "8080:8080"
volumes:
- ./data/raw:/mnt/raw
- ./data/log:/mnt/log
- ./admin/config:/mnt/config
- ./data/template:/mnt/template
networks:
- bypass
grafana:
image: grafana/grafana:8.2.5
user: "1000"
volumes:
- ./data/grafana:/var/lib/grafana
- ./data/log:/var/lib/temp_data
restart: unless-stopped
ports:
- "3000:3000"
networks:
- bypass

The issue was under user. I tried specifying
user: "1000"
in the grafana docker-compose because when running id on my local machine, it says that the UID for the user and group are both 1000. Despite this, I had to change the user to
user: "0"
to replicate what I was seeing on the containers of my other services and it worked!

Related

Docker Compose Nextcloud privileges error

I´m trying to install on Raspberry Pi 4 a Nextcloud Docker following the next tutorial:
https://www.addictedtotech.net/installing-nextcloud-on-raspberry-pi-4/
version: '2'
services:
db:
image: yobasystems/alpine-mariadb:latest
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
volumes:
- /media/pi/Elements/nextclouddb:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=YOURROOTPASSWORD
- MYSQL_PASSWORD=YOURPASSWORD
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- UID=1000
- GID=1000
app:
image: nextcloud
ports:
- 8181:80
links:
- db
volumes:
- /media/pi/Elements/nextcloud:/var/www/html
environment:
- UID=1000
- GID=1000
restart: always
After launch the stack, it appears an Interface error:
You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe.
I've checked the directories and where Nextcloud should is empty, so I think it could be a privileges thing, but the UID and GID are the 'pi' user number:
What can I try next?
Update: TI've tried to create the DB in the internal drive and I see that the Database is created (or updated?) by systemd-timesyncd user, which I don't know why appears. Maybe because the bridge between two containers?
Thanks again
Did you add the user pi to the docker group? To do so : sudo usermod -aG docker pi.
Then confirm with the groups command to check that pi is a member of the docker group.

Having permissions issues with Grafana 7.3.0 on Docker

I'm using docker-compose to create a Docker network of containers with InfluxDB, a python script and Grafana to harvest and visualize response codes, query times & other stats of different websites.
I am using Grafana image 7.3.0 with a volume,
I have modified the paths environment variables so I'll have to use only one volume to save all the data.
When I start the Grafana container it logs:
GF_PATHS_CONFIG='/etc/grafana/grafana.ini' is not readable.
GF_PATHS_DATA='/etc/grafana/data' is not writable.
GF_PATHS_HOME='/etc/grafana/home' is not readable.
You may have issues with file permissions, more information here: http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-
docker-container-to-5-1-or-later
mkdir: can't create directory '/etc/grafana/plugins': Permission denied
But here is the thing, I'm not migrating from below 5.1 I'm not even migrating at all!
So I tried to follow their instruction to change permissions of files but it did not worked.
I tried to set the user id in the docker-compose but it did not help.
(as-said in the docs 472 == post 5.1, 104 == pre 5.1 but both did not worked)
I can't even change permissions manually (which is not a satisfying solution btw) because the container is crashing.
I normally don't ask questions because they already have answers but I've seen no one with this trouble using 7.3.0 so I guess it's my time to shine Haha.
Here is my docker-compose.yml (only the grafana part)
version: '3.3'
services:
grafana:
image: grafana/grafana:7.3.0
ports:
- '3000:3000'
volumes:
- './grafana:/etc/grafana'
networks:
- db-to-grafana
depends_on:
- db
- influxdb_cli
environment:
- GF_PATHS_CONFIG=/etc/grafana/grafana.ini
- GF_PATHS_DATA=/etc/grafana/data
- GF_PATHS_HOME=/etc/grafana/home
- GF_PATHS_LOGS=/etc/grafana/logs
- GF_PATHS_PLUGINS=/etc/grafana/plugins
- GF_PATHS_PROVISIONING=/etc/grafana/provisioning
user: "472"
Thank you very much for your potential help!
Edit : I've been wondering if there is a grafana user in latest version (8.0), I think that build a home dir for grafana using a Dockerfile could be the solution I just need to find that user.
I'm here to close this subject.
So this was kind of a noob mistake but I could not have known.
The problem came from the fact that Grafana won't chown and chmod the volume folder. The error does not occures but it won't work because it does not save the data.
The solution was to remove the env variables and changing permissions of the local './grafana' folder wich contained the volume.
So I did
chown -R <personal local user> /path/to/local/volume/folder && \
chmod -R 777 /path/to/local/volume/folder
And now it works normally
Here is my new docker compose
docker-compose.yml
grafana:
image: grafana/grafana
ports:
- '3000:3000'
volumes:
- './grafana:/var/lib/grafana'
networks:
- db-to-grafana
depends_on:
- db
- influxdb_cli
Thanks everybody four your help !
Just replace your user's id that you will get on the following command:
$ id -u
Im running 'id -u' in my terminal and getting '1000'. SO, I replaced user: "xxxx" to user: "1000" in docker-compose.yml
version: '3.3'
services:
grafana:
image: grafana/grafana:7.3.0
ports:
- '3000:3000'
volumes:
- './grafana:/etc/grafana'
networks:
- db-to-grafana
depends_on:
- db
- influxdb_cli
environment:
- GF_PATHS_CONFIG=/etc/grafana/grafana.ini
- GF_PATHS_DATA=/etc/grafana/data
- GF_PATHS_HOME=/etc/grafana/home
- GF_PATHS_LOGS=/etc/grafana/logs
- GF_PATHS_PLUGINS=/etc/grafana/plugins
- GF_PATHS_PROVISIONING=/etc/grafana/provisioning
user: "1000"

Containerizing Cordapp with Docker Image and Docker Compose

When running Corda in docker with external Postgres DB configurations, I get insufficient privileges to access error.
Note:
Corda: 4.6 Postgresql: 9.6
Docker engine 20.10.6
Docker-compose: docker-compose version 1.29.1, build c34c88b2
docker-compose.yml file:
version: '3.3'
services:
partyadb:
hostname: partyadb
container_name: partyadb
image: "postgres:9.6"
environment:
POSTGRES_PASSWORD: postgres
POSTGRES_USER: postgres
POSTGRES_DB: partyadb
ports:
- 5432
partya:
hostname: partya
# image: corda/corda-zulu-java1.8-4.7:RELEASE
image: corda/corda-zulu-java1.8-4.6:latest
container_name: partya
ports:
- 10006
- 2223
command: /bin/bash -c "java -jar /opt/corda/bin/corda.jar run-migration-scripts -f /etc/corda/node.conf --core-schemas --app-schemas && /opt/corda/bin/run-corda"
volumes:
- ./partya/node.conf:/etc/corda/node.conf:ro
- ./partya/certificates:/opt/corda/certificates:ro
- ./partya/persistence.mv.db:/opt/corda/persistence/persistence.mv.db:rw
- ./partya/persistence.trace.db:/opt/corda/persistence/persistence.trace.db:rw
# - ./partya/logs:/opt/corda/logs:rw
- ./shared/additional-node-infos:/opt/corda/additional-node-infos:rw
- ./shared/cordapps:/opt/corda/cordapps:rw
- ./shared/drivers:/opt/corda/drivers:ro
- ./shared/network-parameters:/opt/corda/network-parameters:rw
environment:
- ACCEPT_LICENSE=${ACCEPT_LICENSE}
depends_on:
- partyadb
Error:
[ERROR] 12:41:24+0000 [main] internal.NodeStartupLogging. - Exception during node startup. Corda started with insufficient privileges to access /opt/corda/additional-node-infos/nodeInfo-5B........................................47D
The corda/corda-zulu-java1.8-4.6:latest image runs under the user corda, not root. This user has user id 1000, and also is in a group called corda, also with gid 1000:
corda#5bb6f196a682:~$ id -u corda
1000
corda#5bb6f196a682:~$ groups corda
corda : corda
corda#5bb6f196a682:~$ id -G corda
1000
The problem here seems to be that the file you are mounting into the docker container (./shared/additional-node-infos/nodeInfo-5B) does not have permissions setup in such a way as to allow this user to access it. I'm assuming the user needs read and write access. A very simple fix would be to give other read and write access to this file:
$ chmod o+rw ./shared/additional-node-infos/nodeInfo-5B
There are plenty of other ways to manage this kind of permissions issue in docker, but remember that the permissions are based on uid/gid which usually do not map nicely from your host machine into the docker container.
So the error itself describes that it's a permission problem.
I don't know if you crafted this dockerfile yourself, you may want to take a look at generating them with the dockerform task (https://docs.corda.net/docs/corda-os/4.8/generating-a-node.html#use-cordform-and-dockerform-to-create-a-set-of-local-nodes-automatically)
This permission problem could be that you're setting only read / write within the container:
- ./shared/additional-node-infos:/opt/corda/additional-node-infos:rw
or it could be that you need to change the permissions on the shared folder. Try changing the permissions of shared to 777 and see if that works, then restrict your way back down to permissions you're comfortable with.
I just configure the image to be run as root. This works but may not be safe. Simply add
services:
cordaNode:
user: root
to the service configuration.
Ref: How to configure docker-compose.yml to up a container as root

docker volume create - set permissions

I'm running this on debian 9
I'm using sudo docker volume create db to create a volume I'm using in my docker-compose.yml. But I still get the error db_1_d89b59353579 | mkdir: cannot create directory '/var/lib/mysql': Permission denied.
How can I set permissions for the user using that volume. And how to get the user?
Docker-Compose:
version: '2'
volumes:
nextcloud:
db:
services:
db:
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
volumes:
- db:/var/lib/mysql:z
environment:
- MYSQL_ROOT_PASSWORD=***
- MYSQL_PASSWORD=***
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
app:
image: nextcloud
ports:
- 8080:80
links:
- db
volumes:
- nextcloud:/var/www/html
restart: always
I got an install.sh file where I run:
...
sudo docker volume create db
sudo docker-compose build
docker-compose up -d
Try to first change the mounts to local folders and see if that fixes your issue:
version: '2'
volumes:
nextcloud:
db:
services:
db:
...
volumes:
- ./db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=***
- MYSQL_PASSWORD=***
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
app:
...
volumes:
- ./nextcloud:/var/www/html
restart: always
If that does then check that the volumes are correctly removed by docker-compose down. Run docker volume ls. If they still persist then remove them by hand and rerun your containers with the volumes.
Regarding the difference between mounting to a volume (db:/var/lib/mysql) and mounting to a host path (./db:/var/lib/mysql):
In the first case it is a volume managed by Docker. It is meant for persistence but getting to the files is a bit more tricky. In the second case it is a path on the host and it makes it a lot easier to retrieve persisted files. I recommend to run "docker-compose config" for both situations and see the difference in how docker-compose internally transforms the statement.

Recover gitlab got permission denied

I host a gitlab-ce with docker image and start with docker compose.
Here is my docker compose file
version: "3.6"
services:
web:
image: 'gitlab/gitlab-ce'
container_name: 'gitlab-master'
restart: always
hostname: 'url'
environment:
GITLAB_OMNIBUS_CONFIG: |
external_url 'http://url:9090'
gitlab_rails['gitlab_shell_ssh_port'] = 2224
networks:
- gitlab-network
ports:
- '80:80'
- '443:443'
- '9090:9090'
- '2224:22'
volumes:
- '/srv/gitlab/config:/etc/gitlab'
- '/srv/gitlab/logs:/var/log/gitlab'
- '/srv/gitlab/data:/var/opt/gitlab'
networks:
gitlab-network:
name: gitlab-network
I pack my config folders, logs and data and transfer to another server. When I start a new gitlab server and mount this folders. I got the permission denied error. I use chmod -R 777 /srv/gitlab/*. It still error. How could I fix this?
As stated in this thread, check also the permission of the parent folders.
For some reason permissions to /opt was 700 instead of 755.
After I change it, everything works

Resources