I'm using the following Dockerfile and docker-compose.yml.
Dockerfile
ARG RUST_BUILDER_IMAGE=clux/muslrust:1.67.0
FROM $RUST_BUILDER_IMAGE as chef
USER root
RUN cargo install cargo-chef
WORKDIR /app
# Cargo chef plan
FROM chef as planner
ENV RUSTFLAGS="--cfg tokio_unstable"
# Copy dirs
COPY . .
RUN cargo chef prepare --recipe-path recipe.json
FROM chef as builder
ARG CARGO_BUILD_TARGET=x86_64-unknown-linux-musl
ARG RUSTRELEASEDIR="debug"
ENV RUSTFLAGS="--cfg tokio_unstable"
COPY --from=planner /app/recipe.json ./recipe.json
RUN cargo chef cook --recipe-path recipe.json --target ${CARGO_BUILD_TARGET}
# Copy the rest of the dirs
COPY . .
# Build the project
RUN echo "pub const VERSION: &str = \"$(git describe --tag)\";" > "crates/utils/src/version.rs"
RUN cargo build --target ${CARGO_BUILD_TARGET}
RUN cp ./target/$CARGO_BUILD_TARGET/$RUSTRELEASEDIR/lemmy_server /app/lemmy_server
# The alpine runner
FROM alpine:3 as lemmy
# Install libpq for postgres
RUN apk add libpq
# Copy resources
COPY --from=builder /app/lemmy_server /app/lemmy
EXPOSE 8536
CMD ["/app/lemmy"]
docker-compose.yml
version: "3.3"
networks:
# communication to web and clients
lemmyexternalproxy:
# communication between lemmy services
lemmyinternal:
driver: bridge
internal: true
services:
proxy:
image: nginx:1-alpine
networks:
- lemmyinternal
- lemmyexternalproxy
ports:
# actual and only port facing any connection from outside
- "1236:1236"
- "8536:8536"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
restart: always
depends_on:
- pictrs
- lemmy-ui
lemmy:
# image: dessalines/lemmy:dev
# use this to build your local lemmy server image for development
# run docker compose up --build
build:
context: ../..
dockerfile: docker/dev/Dockerfile
# this hostname is used in nginx reverse proxy and also for lemmy ui to connect to the backend, do not change
hostname: lemmy
networks:
- lemmyinternal
restart: always
environment:
- RUST_LOG="warn,lemmy_server=debug,lemmy_api=debug,lemmy_api_common=debug,lemmy_api_crud=debug,lemmy_apub=debug,lemmy_db_schema=debug,lemmy_db_views=debug,lemmy_db_views_actor=debug,lemmy_db_views_moderator=debug,lemmy_routes=debug,lemmy_utils=debug,lemmy_websocket=debug"
- RUST_BACKTRACE=full
volumes:
- ./lemmy.hjson:/config/config.hjson
depends_on:
- postgres
- pictrs
lemmy-ui:
image: dessalines/lemmy-ui:0.17.2
# use this to build your local lemmy ui image for development
# run docker compose up --build
# assuming lemmy-ui is cloned besides lemmy directory
# build:
# context: ../../../lemmy-ui
# dockerfile: dev.dockerfile
networks:
- lemmyinternal
environment:
# this needs to match the hostname defined in the lemmy service
- LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
# set the outside hostname here
- LEMMY_UI_LEMMY_EXTERNAL_HOST=localhost:1236
- LEMMY_HTTPS=false
- LEMMY_UI_DEBUG=true
depends_on:
- lemmy
restart: always
pictrs:
image: asonix/pictrs:0.3.1
# this needs to match the pictrs url in lemmy.hjson
hostname: pictrs
# we can set options to pictrs like this, here we set max. image size and forced format for conversion
# entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -p /mnt -m 4 --image-format webp
networks:
- lemmyinternal
environment:
- PICTRS_OPENTELEMETRY_URL=http://otel:4137
- PICTRS__API_KEY=API_KEY
- RUST_LOG=debug
- RUST_BACKTRACE=full
user: 991:991
volumes:
- ./volumes/pictrs:/mnt
restart: always
postgres:
image: postgres:15-alpine
# this needs to match the database host in lemmy.hson
# Tune your settings via
# https://pgtune.leopard.in.ua/#/
# You can use this technique to add them here
# https://stackoverflow.com/a/30850095/1655478
hostname: postgres
command: [
"postgres",
"-c", "session_preload_libraries=auto_explain",
"-c", "auto_explain.log_min_duration=5ms",
"-c", "auto_explain.log_analyze=true",
"-c", "track_activity_query_size=1048576"
]
networks:
- lemmyinternal
# adding the external facing network to allow direct db access for devs
- lemmyexternalproxy
ports:
# use a different port so it doesnt conflict with potential postgres db running on the host
- "5433:5432"
environment:
- POSTGRES_USER=lemmy
- POSTGRES_PASSWORD=password
- POSTGRES_DB=lemmy
volumes:
- ./volumes/postgres:/var/lib/postgresql/data
restart: always
otel:
image: otel/opentelemetry-collector:latest
command: --config otel-local-config.yaml
networks:
- lemmyinternal
- lemmyexternalproxy
ports:
- "4317:4317"
volumes:
- type: bind
source: ./otel.yml
target: /otel-local-config.yaml
restart: unless-stopped
depends_on:
- jaeger
jaeger:
image: jaegertracing/all-in-one:1
networks:
- lemmyinternal
- lemmyexternalproxy
ports:
- "14250:14250"
# To view traces, visit http://localhost:16686
- "16686:16686"
restart: unless-stopped
When I try running the command sudo docker-compose up -d --build I get the following error:
Building lemmy
[+] Building 0.7s (9/19)
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 97B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 93B 0.0s
=> [internal] load metadata for docker.io/library/alpine:3 0.0s
=> [internal] load metadata for docker.io/clux/muslrust:1.67.0 0.0s
=> CACHED [chef 1/3] FROM docker.io/clux/muslrust:1.67.0 0.0s
=> CACHED [lemmy 1/3] FROM docker.io/library/alpine:3 0.0s
=> [internal] load build context 0.2s
=> => transferring context: 147.86kB 0.0s
=> ERROR [lemmy 2/3] RUN apk add libpq 0.6s
=> ERROR [chef 2/3] RUN cargo install cargo-chef 0.6s
------
> [lemmy 2/3] RUN apk add libpq:
#6 0.533 exec /bin/sh: permission denied
------
------
> [chef 2/3] RUN cargo install cargo-chef:
#8 0.519 exec /bin/sh: permission denied
------
executor failed running [/bin/sh -c apk add libpq]: exit code: 1
ERROR: Service 'lemmy' failed to build : Build failed
It only gives me this error when I try running the command on my computer that uses Fedora 37. I tried this on another computer that has Windows 11 as its OS and it worked as expected.
Edit: Per Matt Blaha's request, I ran sudo ausearch -m AVC. I got the following output:
----
time->Mon Mar 13 06:21:58 2023
type=AVC msg=audit(1678702918.336:74574): avc: denied { write } for pid=1317985 comm="pict-rs" name="pictrs" dev="sda2" ino=3899807 scontext=system_u:system_r:container_t:s0:c100,c560 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Mon Mar 13 06:22:08 2023
type=AVC msg=audit(1678702928.673:74597): avc: denied { read } for pid=1318095 comm="lemmy" name="lemmy.hjson" dev="sda2" ino=3899212 scontext=system_u:system_r:container_t:s0:c51,c467 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 06:22:35 2023
type=AVC msg=audit(1678702955.849:74631): avc: denied { read } for pid=1318336 comm="nginx" name="nginx.conf" dev="sda2" ino=3899213 scontext=system_u:system_r:container_t:s0:c369,c816 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 06:22:39 2023
type=AVC msg=audit(1678702959.676:74663): avc: denied { setattr } for pid=1318675 comm="chmod" name="postgres" dev="sda2" ino=3902050 scontext=system_u:system_r:container_t:s0:c5,c553 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Mon Mar 13 06:22:39 2023
type=AVC msg=audit(1678702959.679:74664): avc: denied { setattr } for pid=1318679 comm="chown" name="postgres" dev="sda2" ino=3902050 scontext=system_u:system_r:container_t:s0:c5,c553 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Mon Mar 13 06:22:54 2023
type=AVC msg=audit(1678702974.663:74696): avc: denied { entrypoint } for pid=1319016 comm="runc:[2:INIT]" path="/bin/busybox" dev="sda2" ino=264 scontext=system_u:system_r:container_t:s0:c147,c401 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
----
time->Mon Mar 13 06:22:54 2023
type=AVC msg=audit(1678702974.665:74697): avc: denied { entrypoint } for pid=1319017 comm="runc:[2:INIT]" path="/usr/bin/dash" dev="sda2" ino=498 scontext=system_u:system_r:container_t:s0:c15,c360 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
Yeah, your problem is that SELinux is blocking the access. (Which is good! resist the urge to disable SELinux.)
docker-compose can relabel the files for you.
For files being denied, when you define a volume just add the z or Z flag as appropriate.
z is for files to be shared between containers, Z is for files to be used by only one container.
https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label
Do note this important warning:
"This affects the file or directory on the host machine itself and can have consequences outside of the scope of Docker."
It looks like all of your files are in a home folder and labeled correctly that way. You may just have to use restorecon on them if anything breaks, but be aware.
So where you have:
volumes:
- ./volumes/postgres:/var/lib/postgresql/data
try:
volumes:
- ./volumes/postgres:/var/lib/postgresql/data:Z