 

docker volume permission issue

I am trying to launch an app, deployed using wildfly18 in a docker container, which internally connects to my host postgresql database installation. During the container creation process, I am also mapping my container's wildfly log directory to my local, i.e. "host", directory via a named volume, created using the docker volume create command.

The issue is, I get a "permission denied" error when the app runs and the container tries to create log files inside the mapped volume.

My Dockerfile contents are as below:

FROM jboss/base-jdk:8

ENV WILDFLY_VERSION 18.0.1.Final
ENV WILDFLY_SHA1=ef0372589a0f08c36b15360fe7291721a7e3f7d9
ENV JBOSS_HOME /opt/jboss/wildfly

USER root

RUN cd $HOME \
    && curl -O https://download.jboss.org/wildfly/$WILDFLY_VERSION/wildfly-$WILDFLY_VERSION.tar.gz \
    && sha1sum wildfly-$WILDFLY_VERSION.tar.gz | grep $WILDFLY_SHA1 \
    && tar xf wildfly-$WILDFLY_VERSION.tar.gz \
    && mv $HOME/wildfly-$WILDFLY_VERSION $JBOSS_HOME \
    && rm wildfly-$WILDFLY_VERSION.tar.gz 

COPY ./bin $JBOSS_HOME/bin
COPY ./standalone/configuration/* $JBOSS_HOME/standalone/configuration/
COPY ./modules/com $JBOSS_HOME/modules/com
COPY ./modules/system/layers/base/org/ $JBOSS_HOME/modules/system/layers/base/org/
COPY ./standalone/waffle_resource $JBOSS_HOME/standalone/waffle_resource
COPY ./standalone/waffle_resource/waffle.ear $JBOSS_HOME/standalone/deployments/
COPY ./standalone/waffle_resource/waffle-war.ear $JBOSS_HOME/standalone/deployments/

RUN chown -R jboss:jboss ${JBOSS_HOME} && chmod -R g+rw ${JBOSS_HOME}

ENV LAUNCH_JBOSS_IN_BACKGROUND true

USER jboss

EXPOSE 8989 9990

WORKDIR $JBOSS_HOME/bin

CMD ["/opt/jboss/wildfly/bin/standalone.sh", "-b", "0.0.0.0"]

As you can see above, I am using user JBOSS inside the container to kick off wildfly. The commands used to create an image and run a container and also to create a volume are as below:

docker image build -t viaduct/wildfly .

docker volume create viaduct-wildfly-logs

docker run -d -v viaduct-wildfly-logs:/opt/jboss/wildfly/standalone/log --network=host \
  -e "DB_DBNAME=dbname" \
  -e "DB_PORT=5432" \
  -e "DB_USER=xyz" \
  -e "DB_PASS=" \
  -e "DB_HOST=127.0.0.1" \
  --name petes viaduct/wildfly

I verified the permissions within the container and my local "host" directory created by the docker volume create command. Also, it's worth noting, I am running wildfly as user JBOSS.

The container's permissions are as below:

[jboss@localhost /]$ ll /opt/jboss/wildfly/standalone/
total 4
drwxrwxr-x 1 jboss jboss   62 Sep 18 00:24 configuration
drwxr-xr-x 6 jboss jboss   84 Sep 18 00:23 data
drwxrwxr-x 1 jboss jboss   64 Sep 18 00:24 deployments
drwxrwxr-x 1 jboss jboss   17 Nov 15  2019 lib
*drwxr-xr-x 2 root  root     6 Sep 17 23:48 log*
drwxrwxr-x 1 jboss jboss 4096 Sep 18 00:24 tmp
drwxrwxr-x 1 jboss jboss   98 Sep 18 00:23 waffle_resource
[jboss@localhost /]$ exit

and the local volume permissions are as below:

[root@localhost xyz]# cd /var/lib/docker/volumes/
[root@localhost volumes]# ll
drwxrwsr-x 3 root root    19 Sep 18 11:48 viaduct-wildfly-logs

The docker volume create command creates a directory on my local machine as below:

/var/lib/docker/volumes/viaduct-wildfly-logs/_data

and the permissions for each subdirectory by default are as follows, which are definitely maintained for security reasons:

drwx--x--x  14 root root   182 Sep 14 09:32 docker
   drwx------  7 root root   285 Sep 18 11:48 volumes
      drwxrwsr-x 3 root root    19 Sep 18 11:48 viaduct-wildfly-logs

To start with, please let me know whether my strategy is correct?

Secondly, let me know the best way to fix the permission issue?

asked Oct 29 '25 01:10 by Pedroman


1 Answer

You need to create a user with the same UID/GID and give the permission on the host folder for this volume.

The server is run as the jboss user which has the uid/gid set to 1000. doc

answered Oct 30 '25 22:10 by Cyril G.
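An added example, not part of the question or the answer: a POSIX shell preflight check that applies the owner/group/other mode-bit test behind the "permission denied" error to the directory metadata shown in the listings above. The function names are hypothetical, and ACLs, SELinux labels and supplementary groups are ignored.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Plain Unix DAC only:
# ACLs, SELinux labels and supplementary groups are not considered.

# can_create UID GID OWNER_UID OWNER_GID OCTAL_MODE
# Exit status 0 if UID:GID may create files in a directory with that
# owner, group and mode. Creating a file needs both w and x on the directory.
can_create() (
    uid=$1 gid=$2 owner=$3 group=$4
    mode=$((0$5))                  # leading 0 makes the shell read it as octal
    [ "$uid" -eq 0 ] && exit 0     # root bypasses the mode bits
    if [ "$uid" -eq "$owner" ]; then
        need=$((0300))             # owner class: w+x
    elif [ "$gid" -eq "$group" ]; then
        need=$((0030))             # group class: w+x
    else
        need=$((0003))             # other class: w+x
    fi
    [ $((mode & need)) -eq "$need" ]
)

# check_dir UID GID DIR
# Same test against a real directory (needs GNU stat); exit status 2 if stat fails.
check_dir() (
    meta=$(stat -c '%u %g %a' "$3") || exit 2
    # Word splitting of $meta into owner, group and mode is intended.
    can_create "$1" "$2" $meta
)

# Demo for the jboss user (1000:1000 per the answer). The first entry is the
# log mount point from the container listing (root:root, drwxr-xr-x), the
# second is the same directory after a chown to 1000:1000 (constructed),
# the third is the volume directory from the host listing (root:root, drwxrwsr-x).
for meta in "0 0 755" "1000 1000 755" "0 0 2775"; do
    if can_create 1000 1000 $meta; then r=allowed; else r=denied; fi
    echo "owner/group/mode [$meta] -> uid 1000: $r"
done
```

Running `check_dir 1000 1000 /var/lib/docker/volumes/viaduct-wildfly-logs/_data` as root on the host shows whether the volume's data directory already grants the jboss UID write access before the container is started.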


