Permission denied on /var/lib/arangodb3-apps/ when running in OpenShift #57

Open
vpavlin opened this issue Nov 21, 2018 · 3 comments

vpavlin commented Nov 21, 2018

Hi,

I am working on deploying ArangoDB on our OpenShift cluster and everything looks great up to the point where I try to create a database, at which point I get:

2018-11-21T09:38:54Z [1] ERROR unable to create application directory '/var/lib/arangodb3-apps/_db/test' for database 'test': failed to create directory '/var/lib/arangodb3-apps/_db/test': Permission denied

I tracked the issue down to a missing -R in https://github.com/vpavlin/arangodb-docker/blob/official/Dockerfile34.templ#L46-L47

Steps to reproduce:

$ docker run --name tmp0 -it --rm -u 1001:0 docker.io/arangodb/arangodb:3.3.17 bash
I have no name!@23d6912163fc:/$ ls -la /var/lib/arangodb3-apps/
total 12
drwxrwxr-x. 3 arangodb root     4096 Nov 21 12:47 .
drwxr-xr-x. 1 root     root     4096 Oct  8 13:26 ..
drwxr-xr-x. 3 arangodb arangodb 4096 Oct  8 13:26 _db
I have no name!@23d6912163fc:/$ id
uid=1001 gid=0(root) groups=0(root)
I have no name!@23d6912163fc:/$ touch /var/lib/arangodb3-apps/_db/aaa
touch: cannot touch '/var/lib/arangodb3-apps/_db/aaa': Permission denied

I have built an image from a fixed Dockerfile,
https://quay.io/repository/vpavlin/arangodb?tab=tags, which works fine:

$ docker run --name tmp0 -it --rm -u 1001:0 quay.io/vpavlin/arangodb:bug_fix-3.3.17 bash
I have no name!@1f79c56dbc63:/$ ls -la /var/lib/arangodb3-apps/
total 12
drwxrwxr-x. 3 arangodb root 4096 Nov 21 12:48 .
drwxr-xr-x. 1 root     root 4096 Nov 21 11:28 ..
drwxrwxr-x. 3 arangodb root 4096 Nov 21 11:28 _db
I have no name!@1f79c56dbc63:/$ id
uid=1001 gid=0(root) groups=0(root)
I have no name!@1f79c56dbc63:/$ touch /var/lib/arangodb3-apps/_db/aaa
I have no name!@1f79c56dbc63:/$ 

fceller commented Feb 18, 2019

@vpavlin I think the main problem is that "1001" is not the uid of arangodb. If you use names then it works:

docker run --name tmp0 -it --rm -u arangodb:arangodb docker.io/arangodb/arangodb:3.3.17 bash

Can you confirm this?

fceller self-assigned this Feb 18, 2019

vpavlin commented Feb 18, 2019

Could be. The problem is that in OpenShift the uid is random for better security, but the user is in group root, thus the guidelines suggest to chgrp -R 0; see: https://docs.okd.io/latest/creating_images/guidelines.html#openshift-specific-guidelines

@omarmohsen

I can still reproduce the same issue using Kubernetes if I drop the DAC_OVERRIDE Linux capability in the deployment file, even if I am using the root user:

root@test-76c67d987c-pncbc:/# touch  /var/lib/arangodb3-apps/_db/s
touch: cannot touch '/var/lib/arangodb3-apps/_db/s': Permission denied
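
A recursive check for the condition discussed in this thread, as an added example that is not part of the original issue or of the arangodb-docker project. The names `audit_tree` and `demo`, the constructed directory tree, and the use of `chmod -R g+rwX` alongside `chgrp -R 0` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the image's Dockerfile). audit_tree DIR [GID] lists
# every path under DIR that a container process with a random UID and group
# GID cannot write through group permissions. GID defaults to 0, the group
# the thread says the OpenShift user belongs to. Only group ownership and mode
# bits are inspected, so paths that root can write solely via DAC_OVERRIDE
# are reported as well.
audit_tree() {
    audit_dir=$1
    audit_gid=${2:-0}
    # Directories need group rwx (070); regular files need group rw (060).
    audit_bad=$(find "$audit_dir" \( \
            \( -type d \( ! -group "$audit_gid" -o ! -perm -070 \) \) -o \
            \( -type f \( ! -group "$audit_gid" -o ! -perm -060 \) \) \
        \) -print | sort)
    if [ -n "$audit_bad" ]; then
        printf '%s\n' "$audit_bad"
        return 1
    fi
    return 0
}

# Constructed sample: rebuild the layout from the listing in the issue (top
# directory group-writable, _db not), audit it, apply a recursive fix, and
# audit again. The tree's own gid stands in for gid 0 so this runs unprivileged.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/arangodb3-apps/_db"
    chmod 775 "$root/arangodb3-apps"
    chmod 755 "$root/arangodb3-apps/_db"
    demo_gid=$(ls -dn "$root/arangodb3-apps" | awk '{print $4}')

    echo "before recursive fix:"
    audit_tree "$root/arangodb3-apps" "$demo_gid" || echo "  -> not group-writable"

    # Image build equivalent (assumed): chgrp -R 0 DIR && chmod -R g+rwX DIR
    chmod -R g+rwX "$root/arangodb3-apps"
    echo "after recursive fix:"
    audit_tree "$root/arangodb3-apps" "$demo_gid" && echo "  -> clean"
    rm -rf "$root"
}

demo
```

Run as a build or CI step against the image's data directories with the default GID of 0, a non-zero exit status flags a tree where only the top level was fixed.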
