I'm trying to enhance the security on neo4j under docker.
neo4j: 3.4.10 / 3.4.18
docker: 1.13.1
the docker command I used is listed as below
NEO4J_HOME=/var/lib/neo4j
docker run \
-d \
--name=neo4j \
-v $NEO4J_HOME/logs:/logs \
-v $NEO4J_HOME/data:/data \
-v /tmp:/tmp \
--publish=192.168.0.4:7474:7474 --publish=192.168.0.4:7687:7687 \
--read-only \
neo4j:3.4.18
However, the container cannot start and error is shown as below
[root#xxxxxx ~]# docker logs --tail all neo4j
chown: changing ownership of '/var/lib/neo4j': Read-only file system
I know that to implement the read-only flag, I will make the container root system read-only and I have to use the volume flag (-v) to let the neo4j can write data outside the containers. Just don't know what I missed...and no idea why the error message (changing ownership) here.
Related
For local development of applications where isolation of folder/file permissions are not mission critical, I'd like to mount local directories into transient containers but retain the ability to delete/modify those directories from the host account without sudo.
I have read that I can create specific volumes and then mount those precreated volumes. The thing is I would like to use self-removing transient containers arbitrarily (e.g. docker run --rm -v "$(pwd):/app" golang go build src/main.go).
The objective is to make it easy to work with various technologies (like databases or languages) without needing to install them on the host.
Running
docker run \
--rm \
-v "${HOME}/foo:/app" \
alpine touch /app/bar.txt
Running this will create a folder/file with root permissions. Trying to use the --user flag still mounts the directory as root gives me the following error:
touch: /app/bar.txt: Permission denied
docker run \
--rm \
--user "$(id -u):$(id -g)" \
-v "${HOME}/foo:/app" \
alpine touch /app/bar.txt
This failure obviously extends to trying to spin up a database instance
docker run \
--rm \
--net=host \
--user $(id -u):$(id -g) \
-v "${HOME}/mongo/foo:/data/db" \
mongo:latest
I'm currently following this tutorial to run a model on Docker that was built using the Google Cloud AutoML Vision:
https://cloud.google.com/vision/automl/docs/containers-gcs-tutorial
I'm having trouble running the container, specifically running this command:
sudo docker run --rm --name ${CONTAINER_NAME} -p ${PORT}:8501 -v ${YOUR_MODEL_PATH}:/tmp/mounted_model/0001 -t ${CPU_DOCKER_GCR_PATH}
I have my environment variables set up right (did an echo $<env_var>). I do not have a /tmp/mounted_model/0001 directory on my local system. My model path is configured to be the model location on the cloud storage.
${YOUR_MODEL_PATH} must be a directory on the host on which you're running the container.
Your question suggests that you're using the Cloud Storage bucket path but you cannot do this.
Reviewing the tutorial, I think the instructions are confusing.
You are told to:
gsutil cp \
${YOUR_MODEL_PATH} \
${YOUR_LOCAL_MODEL_PATH}/saved_model.pb
So, your command should probably be:
sudo docker run \
--rm \
--interactive --tty \
--name=${CONTAINER_NAME} \
--publish=${PORT}:8501 \
--volume=${YOUR_LOCAL_MODEL_PATH}:/tmp/mounted_model/0001 \
${CPU_DOCKER_GCR_PATH}
NB I added --interactive --tty to make debugging easier; it's optional
NB ${YOUR_LOCAL_MODEL_PATH} not ${YOUR_MODEL_PATH}
NB The command should not be -t ${CPU_DOCKER_GCR_PATH} omit the -t
I've not run through this tutorial.
I am pretty new to Docker. Now I want to run a docker version of Sonarqube and upate the property file (sonar.properties) inorder to point my databsae to mysql rather than the default H2.
I am able to run the image with default configuration and even performed a scan on it. While following the instructions in its official docker page (Sonarqube docker documentation), I am not able to proceed further from the second point under the "First Installation" heading. Second point is as follows
Initialize SONARQUBE_HOME folder tree with --init. This will initialize the default configuration, copy embedded plugins, and prepare the data folder:
$ docker run --rm \
-v $SONARQUBE_HOME/conf:/opt/sonarqube/conf \
-v $SONARQUBE_HOME/extensions:/opt/sonarqube/extensions \
-v $SONARQUBE_HOME/data:/opt/sonarqube/data \
sonarqube --init
which I believe will help me to have a custom configurations folder. Following error shows up while running this command.
renju#renju-pc:~$ sudo docker run --rm -v
$SONARQUBE_HOME/conf:/opt/sonarqube/conf -v
$SONARQUBE_HOME/extensions:/opt/sonarqube/extensions -v
$SONARQUBE_HOME/data:/opt/sonarqube/data sonarqube --init tail: cannot
open './logs/es.log' for reading: No such file or directory
01:33:11.950 [main] WARN
org.sonar.application.config.AppSettingsLoaderImpl - Configuration
file not found: /opt/sonarqube/conf/sonar.properties Exception in
thread "main" java.lang.IllegalArgumentException: Command-line
argument must start with -D, for example -Dsonar.jdbc.username=sonar.
Got: --init at
org.sonar.application.config.CommandLineParser.argumentsToProperties(CommandLineParser.java:56)
at
org.sonar.application.config.CommandLineParser.parseArguments(CommandLineParser.java:37)
at
org.sonar.application.config.AppSettingsLoaderImpl.load(AppSettingsLoaderImpl.java:66)
at org.sonar.application.App.start(App.java:51) at
org.sonar.application.App.main(App.java:98)
My asumption is that it is because of the unavailability of the folder "opt/sonarqube/conf".
Why is that folder missing? As per doc,
Use bind-mounted folders
The images contain the SonarQube installation at /opt/sonarqube. You need to use bind-mounted folders to override selected files or directories :
/opt/sonarqube/conf: configuration files, such as sonar.properties
/opt/sonarqube/data: data files, such as the embedded H2 database and Elasticsearch indexes
/opt/sonarqube/logs: contains SonarQube logs about access, web process, CE process, Elasticsearch logs
/opt/sonarqube/extensions: plugins, such as language analyzers
Am I missing any intermediate steps here?
I work on Ubuntu 19.10.
You are not missing anything.
Current documentation in the Docker Hub is for the Sonarqube 8. They are working on releasing documentation for the Sonarqube7.
Please check the below link: https://github.com/SonarSource/docker-sonarqube/issues/340#issuecomment-553397995
Please follow the below steps.
Create volumes sonarqube_conf, sonarqube_data, sonarqube_logs, and sonarqube_extensions and start the image with the following command. This will populate all the volumes (copying default plugins, create the Elasticsearch data folder, create the sonar.properties configuration file). Watch the logs, and, once the container is properly started, you can force-exit (ctrl+c) and proceed to the next step.
$ docker run --rm \
-p 9000:9000 \
-v sonarqube_conf:/opt/sonarqube/conf \
-v sonarqube_extensions:/opt/sonarqube/extensions \
-v sonarqube_logs:/opt/sonarqube/logs \
-v sonarqube_data:/opt/sonarqube/data \
%%IMAGE%%
Run the image with your JDBC username and password
$ docker run -d --name sonarqube \
-p 9000:9000 \
-e sonar.jdbc.username=sonar \
-e sonar.jdbc.password=sonar \
-v sonarqube_conf:/opt/sonarqube/conf \
-v sonarqube_extensions:/opt/sonarqube/extensions \
-v sonarqube_logs:/opt/sonarqube/logs \
-v sonarqube_data:/opt/sonarqube/data \
%%IMAGE%%
I am currently testing functions I wrote for neo4j on a jupyter notebook container.
The functions worked on my local machine but I get a connection error number 111 when I attempt to call the function.
Update: I have attempted to uncomment this line in neo4j.conf:
dbms.connectors.default_listen_address=0.0.0.0
The main problem is, I cannot get neo4j.conf to take the change without breaking the system.
My docker run code was like this previously:
sudo docker run \
--publish=7474:7474 --publish=7687:7687 \
-v ~/neo4j/data:/data \
-v ~/n4j_conf:/conf \
-v ~/neo4j/import:/var/lib/neo4j/import \
-v ~/n4j_plugins:/var/lib/neo4j/plugins \
neo4j
However, I noticed my error and changed the container volume directory to:
sudo docker run \
--publish=7474:7474 --publish=7687:7687 \
-v ~/neo4j/data:/data \
-v ~/n4j_conf:/var/lib/neo4j/conf \
-v ~/neo4j/import:/var/lib/neo4j/import \
-v ~/n4j_plugins:/var/lib/neo4j/plugins \
neo4j
And now... the logs say that neo4j cannot start successfully.
End update
Would I need to change my volume configuration to the previous version and... somehow have neo4j read the conf file from another directory?
Ive been given a docker container which is run via a bash script. The container should set up a php web app, it then goes on to call other scripts and containers. It seems to work fine for others, but for me its throwing an error.
This is the code
sudo docker run -d \
--name eluci \
-v ./config/eluci.settings:/mnt/eluci.settings \
-v ./config/elucid.log4j.settings.xml:/mnt/eluci.log4j.settings.xml \
--link eluci-database:eluci-database \
/opt/eluci/run_eluci.sh
This is the error
docker: Error response from daemon: create ./config/eluci.settings:
"./config/eluci.settings" includes invalid characters for a local
volume name, only "[a-zA-Z0-9][a-zA-Z0-9_.-]" are allowed. If you intended to
pass a host directory, use absolute path.
Im running docker on a centos VM using virtualbox on a windows 7 host.
From googling it seems to be something to do with the mount, however I dont want to change it in case the setting it breaks or is relied upon in another docker container. I still have a few more bash scripts to run, which should orchestrate the rest of the build process. As a complete newb to Docker, this has got me stumped.
The command docker run -v /path/to/dir does not accept relative paths, you should provide an absolute path. The command can be re-written as:
sudo docker run -d \
--name eluci \
-v "/$(pwd)/config/eluci.settings:/mnt/eluci.settings" \
-v "/$(pwd)/config/elucid.log4j.settings.xml:/mnt/eluci.log4j.settings.xml" \
--link eluci-database:eluci-database \
/opt/eluci/run_eluci.sh