docker-compose run changes permissions on mounted PGDATA volume, prevents postgres startup #346
Comments
|
The From what I understand, your issue is that the postgres image starts initially as a localhost only daemon for initialization. So it is not available to anything outside localhost. Then once initialization is complete, it is stopped and restarted to listen on all interfaces. This is working as designed and allows you to know when initialization is complete: it responds to an external connection. Here are the snippets that start the localhost only daemon, stop it, and start the new daemon: Lines 97 to 99 in 6750eda Lines 137 to 145 in 6750eda (the final exec "$@" will replace the bash startup process with the remote-available postgres)
The localhost-only init server will only happen when the database files are empty. So after first start (if the named volume is not deleted), it should start directly to the regular postgres server. (see also #203 (comment)) |
|
Yeah, my issue is that if I docker-compose run before the final exec in the entrypoint, the regular postgres server fails to start. Would it be possible to only 777 the PGDATA directory in the Dockerfile if it doesn't already exist? That would be changing RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)to something like RUN set -ex; \
if [ ! -d "$PGDATA" ] ; then \
mkdir -p "$PGDATA"; \
chown -R postgres:postgres "$PGDATA"; \
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
chmod 777 "$PGDATA"; \
fiNot sure if that would screw up the arbitrary --user support, but it seems like it'd keep it from clobbering the permissions if they've been set elsewhere. |
|
But in the Dockerfile, we haven't run anything yet, so PGDATA will be
exactly the same every time and that block will simply always run.
:confused:
|
|
Doh, forget that suggestion. docker-compose run changing the perms confused me. |
|
So do we have a simple reproducer for the issue here, or was @yosifkit's explanation sufficient? 😄 |
|
The repro is use the compose file above, run It mattered to me as I was trying to use docker-compose run to check that postgres was up before continuing, and it took me a while to figure out that run was keeping it from starting up. |
|
Running That being said, I cannot reproduce a failure to start with the exact $ cat docker-compose.yml
version: '3'
services:
db:
image: postgres:9.6.4
volumes:
- db:/var/lib/postgresql/data
volumes:
db:
$ docker-compose up -d
Creating network "tmp_default" with the default driver
Creating volume "tmp_db" with default driver
Pulling db (postgres:9.6.4)...
9.6.4: Pulling from library/postgres
Digest: sha256:586320aba4a40f7c4ffdb69534f93c844f01c0ff1211c4b9d9f05a8bddca186f
Status: Downloaded newer image for postgres:9.6.4
Creating tmp_db_1 ...
Creating tmp_db_1 ... done
$ docker-compose logs --tail=10
Attaching to tmp_db_1
db_1 | LOG: database system is shut down
db_1 | done
db_1 | server stopped
db_1 |
db_1 | PostgreSQL init process complete; ready for start up.
db_1 |
db_1 | LOG: database system was shut down at 2017-10-12 17:50:18 UTC
db_1 | LOG: MultiXact member wraparound protections are now enabled
db_1 | LOG: autovacuum launcher started
db_1 | LOG: database system is ready to accept connections
$ docker-compose run db ls
bin docker-entrypoint-initdb.d home media proc sbin tmp
boot docker-entrypoint.sh lib mnt root srv usr
dev etc lib64 opt run sys var
$ docker-compose ps
Name Command State Ports
-----------------------------------------------------------
tmp_db_1 docker-entrypoint.sh postgres Up 5432/tcp |
|
Sorry, How long are you waiting between |
|
I can reproduce |
|
I cannot reproduce this with a different image ( |
|
If I add |
|
Right, the default 777 likely comes from: Line 125 in aaf2098 Then at runtime it is set to 700: postgres/10/docker-entrypoint.sh Line 34 in aaf2098 but this isn't executed when docker-compose run substitutes it with a custom command, so I guess the volume remains as 777.
|
|
@giorgiosironi I tried with docker-compose run db, but this still create the folder of postgres with permission... Some clue? Im a novice :'( |
|
AFAIK |
|
I did that that, but the folder still with permission :'( |
|
hit the same issue |
|
I think I understand what's happening here. I think there's a race to initialize the same volume on Docker's side -- when you do I would recommend running your secondary container without the volume (which you can't do directly via |
|
Closing, since this appears to be a (resolved) issue with usage, not an issue we could actually fix in the image. See my comment above (#346 (comment)) for the suggested workaround. |
I'm using a docker-compose.yml like this in Docker version 17.06.2-ce-mac27 (19124):
If I docker-compose run on the db service from that yaml, it changes the permissions on the mount in the main db service container to 777:
This tripped me up because postgres checks the permissions on its data directory at startup, and if it isn't 700, it refuses to start up. I wrote a script to docker-compose up my db service and then docker-compose run a script in the db service that checks if postgres is running using psql. Since I do a docker-compose run immediately, docker-entrypoint.sh is still doing its multiple rounds of postgres startup in the main container. postgres does a permissions check after the initial docker-compose run, and fails to startup due to the perm change. I was able to work around it by using docker-compose exec instead of docker-compose run, but it took me a lot of puzzling around.
I think this is happening because the Dockerfile sets the permissions to 777 at https://github.com/docker-library/postgres/blob/master/Dockerfile-debian.template#L126 but the entrypoint only sets them back to 700 https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh#L34. Not sure if there's a way to keep from making that directory 777, but it would've saved me a fair bit of confusion.
The text was updated successfully, but these errors were encountered: