I'm running Grafana and InfluxDB containers in a CentOS environment, but when I start the containers, both say that they can't create files in the mapped directories.
I have the very same environment running on Ubuntu with no trouble.
I have already chown'ed the directory to 472:472. I have mapped the user ID of the owner in docker-compose.yml (on Ubuntu that solved the problem). I'm running out of ideas!
Here is the command to start the containers
CURRENT_UID=$(id -u):$(id -g) docker-compose -f /home/rastreamento/docker-compose.yml up -d
Here is the yml for docker-compose that works fine on Ubuntu:
version: '3'
services:
  grafana:
    image: "grafana/grafana"
    environment:
      - WORKING_DIR=/var/lib/grafana/working_dir
      - GF_SECURITY_DISABLE_GRAVATAR=true
      - GF_DEFAULT_INSTANCE_NAME=Valid
      - GF_SERVER_DOMAIN=200.166.40.21
      - GF_SERVER_ENFORCE_DOMAIN=false
      - GF_SERVER_ROOT_URL=http://200.166.40.21
      - GF_ANALYTICS_CHECK_FOR_UPDATES=false
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_USERS_VIEWERS_CAN_EDIT=false
    ports:
      - "1982:3000"
    volumes:
      - /home/dev/grafana:/var/lib/grafana
    links:
      - influxdb
    networks:
      backend:
        ipv4_address: 172.20.0.3
    restart: unless-stopped
    depends_on:
      - influxdb
    user: ${CURRENT_UID}
  influxdb:
    image: "influxdb"
    environment:
      - INFLUXDB_ADMIN_ENABLED=true
      - INFLUXDB_DATA_MAX_SERIES_PER_DATABASE=0
      - INFLUXDB_DATA_MAX_VALUES_PER_TAG=0
    ports:
      - "8086:8086"
      - "8083:8083"
    volumes:
      - /home/dev/influxdb:/var/lib/influxdb
    networks:
      backend:
        ipv4_address: 172.20.0.2
    restart: unless-stopped
    user: ${CURRENT_UID}
networks:
  backend:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/24
Here is one output from the container running Grafana.
grafana_1 | mkdir: cannot create directory '/var/lib/grafana/plugins': Permission denied
InfluxDB output:
influxdb_1 | run: create server: mkdir all: mkdir /var/lib/influxdb/meta: permission denied
I'm out of ideas now after 2 days of research to solve it.
thanks
EDIT 1:
As asked by Jan Garaj, the Docker information follows below. PS: I changed the desired host mapping to enable the container to run and to access its bash.
docker info
[rastreamento@VMINDUS ~]$ docker info
Containers: 30
Running: 1
Paused: 0
Stopped: 29
Images: 2
Server Version: 1.13.1
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: docker-runc runc
Default Runtime: docker-runc
Init Binary: /usr/libexec/docker/docker-init-current
containerd version: (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: 9c3c5f853ebf0ffac0d087e94daef462133b69c7 (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: fec3683b971d9c3ef73f284f176672c44b448662 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
seccomp
WARNING: You're not using the default seccomp profile
Profile: /etc/docker/seccomp.json
selinux
Kernel Version: 3.10.0-1062.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 2
Total Memory: 3.666 GiB
Name: VMINDUS
ID: ZOZE:KEGT:SKTP:SG5J:3DKD:LCT3:STRW:FDO4:SFDP:FJJK:IAKQ:72DW
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Registries: docker.io (secure)
Filesystem permissions
[rastreamento@VMINDUS ~]$ ls -l
total 12
-rwxrwxrwx. 1 rastreamento docker 1221 Feb 11 15:05 docker-compose.yml
drwxr-xr-x. 2 root root 6 Feb 11 15:54 grafana
drwxr-xr-x. 2 root root 6 Feb 11 15:54 influxdb
-rwxrwxrwx. 1 rastreamento docker 116 Feb 17 14:46 start_containers.sh
-rwxrwxrwx. 1 rastreamento docker 20 Feb 22 2019 stop_containers.sh
ID from Grafana
[rastreamento@VMINDUS ~]$ docker exec -it 691c907ed1f1 /bin/bash
grafana@691c907ed1f1:/usr/share/grafana$ id
uid=472(grafana) gid=472(grafana) groups=472(grafana)
For a matter of testing I started Grafana docker mapping the user to root and the directory /home/grafana as follows:
[rastreamento@VMINDUS ~]$ sudo docker run --user 0:0 -p 3000:3000 --volume /home/rastreamento/grafana:/home/grafana/ d0454da13c84
In the container shell I checked the id running the instance and tried to list the files in the /home/grafana directory
grafana@2263170898d0:/var/lib$ [rastreamento@VMINDUS ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
345145c9a591 d0454da13c84 "/run.sh" 7 seconds ago Up 4 seconds 0.0.0.0:3000->3000/tcp heuristic_wescoff
[rastreamento@VMINDUS ~]$ docker exec -it 345145c9a591 /bin/bash
root@345145c9a591:/usr/share/grafana# cd /home/grafana/
root@345145c9a591:/home/grafana# ls
ls: cannot open directory '.': Permission denied
root@345145c9a591:/home/grafana# id
uid=0(root) gid=0(root) groups=0(root)
As you can see, the user and group IDs seem to have been changed, as they are supposed to be, when the container was started, but even so, I can't get access to the host-mapped directory.
Still no clue why it works on Ubuntu but not on CentOS. I've never used CentOS; is there any other configuration to enable applications to access the host resources? Some security configuration? I'm really having a hard time with it.
As pointed out by Avi Farada in this post, adding a volume bind solved my problem.
:z - will add permissions to all containers using label 'svirt_sandbox_file_t'
:Z - will add permissions only to the current container label
Just add to docker run ':z' like this:
docker run -v ./api:/usr/src/app:Z
or in my case, in docker-compose:
volumes:
  - ./api:/usr/src/app:Z
For more information on this, check the official Docker documentation.
Another clever suggestion was made by Jan Garaj, and the different behaviour I had between the two machines was probably due to a version mismatch. I used the CentOS package manager to install Docker, while on the other hand, on Ubuntu I downloaded the latest version from the official repo.
[ edit ]
I used the Docker from the package repo of CentOS. That was completely outdated!!!
In the official Docker installation guide, the first thing they do is uninstall the stock Docker on the machine, in case you might have done the same dumb thing I did.
Just install Docker by following the instructions on:
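
Added example, not part of the original post: the `:z`/`:Z` options work because SELinux (listed under Security Options in the `docker info` output above) denies a container process access to host files that lack a container file label, whatever UID it runs as. The script below filters audit records for that mismatch; the audit lines are constructed, and the type names are the `svirt_sandbox_file_t` label quoted above plus the `svirt_lxc_net_t`, `container_t` and `container_file_t` names used by the docker-selinux and container-selinux policies.

```shell
#!/usr/bin/env bash
# Added example: list SELinux denials caused by a bind mount that has no
# container file label (the situation the :z / :Z volume options fix).

# Process types containers run as, and file types they may write to
# (older docker-selinux names plus the newer container-selinux names).
CONTAINER_DOMAINS='svirt_lxc_net_t|container_t'
CONTAINER_FILE_TYPES='svirt_sandbox_file_t|container_file_t'

# Constructed audit records (not taken from the poster's machine).
sample_audit_lines() {
  cat <<'EOF'
type=AVC msg=audit(1581961234.101:501): avc:  denied  { write } for  pid=4101 comm="mkdir" name="grafana" dev="dm-2" ino=1001 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1581961235.202:502): avc:  denied  { write } for  pid=4102 comm="influxd" name="influxdb" dev="dm-2" ino=1002 scontext=system_u:system_r:svirt_lxc_net_t:s0:c56,c78 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1581961236.303:503): avc:  denied  { read } for  pid=4103 comm="ls" name="shared" dev="dm-2" ino=1003 scontext=system_u:system_r:svirt_lxc_net_t:s0:c12,c34 tcontext=system_u:object_r:svirt_sandbox_file_t:s0:c56,c78 tclass=dir permissive=0
type=AVC msg=audit(1581961237.404:504): avc:  denied  { read } for  pid=4104 comm="httpd" name="notes" dev="dm-2" ino=1004 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Reads AVC records on stdin; prints "comm permission name target_type" for
# each denial where a container process hit a non-container file type.
find_label_denials() {
  awk -v doms="^(${CONTAINER_DOMAINS})\$" -v ftypes="^(${CONTAINER_FILE_TYPES})\$" '
    /avc: +denied/ {
      comm = name = stype = ttype = ""
      a = index($0, "{ "); b = index($0, " }")
      perm = substr($0, a + 2, b - a - 2)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
        if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
        if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
        if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
      }
      if (stype ~ doms && ttype !~ ftypes) print comm, perm, name, ttype
    }'
}

# On a real host: sudo ausearch -m avc -ts recent | find_label_denials
sample_audit_lines | find_label_denials
```

The third sample record has the right file type but another container's MCS categories, which is what a directory relabelled with `:Z` for a different container looks like, so this filter leaves it out; `ls -Zd <dir>` shows the label a host directory currently carries.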