mysql_ssl_rsa_setup: Can't change permissions of the file 'ca-key.pem'

Created on 13 Jun 2017  Â·  11Comments  Â·  Source: docker-library/mysql

I'm using mysql v5.7 image in my Kubernetes and a weird issue happens when I create the pod for the first time. 

Database initialized
Initializing certificates
Generating a 2048 bit RSA private key
..............+++
.....................................................................................................+++
unable to write 'random state'
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
................+++
............................+++
unable to write 'random state'
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.......................................+++
.........+++
unable to write 'random state'
writing new private key to 'client-key.pem'
-----
mysql_ssl_rsa_setup: Can't change permissions of the file 'ca-key.pem' (Errcode: 1 - Operation not permitted)
2017-06-13 14:29:12 [ERROR]   Error setting file permissions forca-key.pem and ca.pem
mysql_ssl_rsa_setup: Can't change permissions of the file 'server-key.pem' (Errcode: 1 - Operation not permitted)
2017-06-13 14:29:12 [ERROR]   Error setting file permissions forserver-key.pem and server-cert.pem
mysql_ssl_rsa_setup: Can't change permissions of the file 'client-key.pem' (Errcode: 1 - Operation not permitted)
2017-06-13 14:29:12 [ERROR]   Error setting file permissions forclient-key.pem and client-cert.pem

and then Kubernetes restarts the pod immediately because of this error.

I'm using Azure file storage for /var/lib/mysql. Apparently, the issue is this line: https://github.com/docker-library/mysql/blob/master/5.7/docker-entrypoint.sh#L97

Does anyone know what is going on? AFAIK, Docker creates the container with root so I'm not sure what is this error?

picture afshinm
👍1

Most helpful comment

I tried what you suggested @yosifkit, but no luck. Eventually, I changed the image version to mysql:5.7.16 and now it is working fine. Sorry to disappoint you 😞

picture afshinm on 15 Jun 2017
11 👍1

All 11 comments

While the container is launched as root, the entrypoint script does a chown and then drops to the mysql user. It seems that this user cannot change permissions of the ssl key files it generates in /var/lib/mysql. :confused: Maybe try running the container as the user that owns the directory used from the Azure file storage (something other than root)?

yosifkit picture yosifkit on 13 Jun 2017

@yosifkit I see, thanks for this. Actually, I have the exact same K8s deployment file and the same storage settings on another cluster, and works fine. Let me try what you suggested and I will update this thread.

afshinm picture afshinm on 14 Jun 2017

I tried what you suggested @yosifkit, but no luck. Eventually, I changed the image version to mysql:5.7.16 and now it is working fine. Sorry to disappoint you 😞

afshinm picture afshinm on 15 Jun 2017
11 👍1

@afshinm your issue is successfully solved -- no disappointment here! :smile: :+1: :heart:

tianon picture tianon on 15 Jun 2017
😄1

my

Getting similar issues, I am Mounting MySQL volume on samba share cifs (/mnt/docker/mysql)
MySQL version = 8.0.12

iankittomar picture iankittomar on 27 Aug 2018

@iankittomar Did you find a solution for this, currently running to the same problem… Cheers

Allendorf231 picture Allendorf231 on 16 Oct 2019

Just hit the same issue as well, also with a CIFS share. The problem is that CIFS apparently does not support Linux file permissions and thus the container setup fails.
I also tried placing the files in the share before starting the container, but then the setup fails as it expects to find an empty directory...

ntoljic picture ntoljic on 5 Dec 2019

I tried what you suggested @yosifkit, but no luck. Eventually, I changed the image version to mysql:5.7.16 and now it is working fine. Sorry to disappoint you

@afshinm I encountered the same issue when using the official Docker Library MySQL image version 5.7.31 with the latest, version 1.6.7 stable MySQL Helm chart.

chirangaalwis picture chirangaalwis on 22 Sep 2020

i've got the same issue on Windows 10 with WSL2 Debian....
my simple config : 

version: '2'
services:
  db:
    image: mysql:5.7
    volumes:
      - ./data/mysql:/var/lib/mysql
    environment:
      MYSQL_ROOT_PASSWORD: 2342kj34u23jh4k2342
      MYSQL_DATABASE: db_db
      MYSQL_USER: db_user
      MYSQL_PASSWORD: sn234jk2lfsdf823sdfs

db_1         | 2020-11-05 17:40:17+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.31-1debian10 started.
db_1         | 2020-11-05 17:40:17+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
db_1         | 2020-11-05 17:40:17+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.31-1debian10 started.
db_1         | 2020-11-05 17:40:17+00:00 [Note] [Entrypoint]: Initializing database files
db_1         | 2020-11-05T17:40:17.722101Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
db_1         | 2020-11-05T17:40:17.728963Z 0 [Warning] Setting lower_case_table_names=2 because file system for /var/lib/mysql/ is case insensitive
db_1         | 2020-11-05T17:40:19.897272Z 0 [Warning] InnoDB: New log files created, LSN=45790
db_1         | 2020-11-05T17:40:20.223400Z 0 [Warning] InnoDB: Creating foreign key constraint system tables.
db_1         | 2020-11-05T17:40:20.269078Z 0 [Warning] No existing UUID has been found, so we assume that this is the first time that this server has been started. Generating a new UUID: f98f288b-1f8d-11eb-8b04-0242ac150002.
db_1         | 2020-11-05T17:40:20.278151Z 0 [Warning] Gtid table is not ready to be used. Table 'mysql.gtid_executed' cannot be opened.
db_1         | mysqld: Can't change permissions of the file 'ca-key.pem' (Errcode: 1 - Operation not permitted)
db_1         | 2020-11-05T17:40:20.302748Z 0 [ERROR] Could not set file permission for ca-key.pem
db_1         | 2020-11-05T17:40:20.302774Z 0 [ERROR] Aborting
db_1         |
test-plugin-001_db_1 exited with code 1
Angelinsky7 picture Angelinsky7 on 5 Nov 2020

@Angelinsky7, it is likely permissions problems caused by sharing files across the host/VM boundary (https://github.com/docker/for-win/issues/4824). A named docker volume should just work and still give you the persistence that you need.

    volumes:
      - mysql-data:/var/lib/mysql
yosifkit picture yosifkit on 6 Nov 2020
👍1

@yosifkit thanks for you answer. But i don't want to use a docker volume. I want to use a mount bind.
So the workaround i found is to start the image from windows command line (without using wsl2), waiting for mysql to create all dirs and files then stopping it and re-running it from wls2.
This is not great at all and feels like a hack but i can make it work like that.

Angelinsky7 picture Angelinsky7 on 6 Nov 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

axiqia picture axiqia  Â·  3Comments
BirkhoffLee picture BirkhoffLee  Â·  4Comments
odero picture odero  Â·  3Comments
perfeyhe picture perfeyhe  Â·  4Comments
jicki picture jicki  Â·  3Comments