Postgres: Volume permission denied

Created on 17 Dec 2017 · 8 Comments · Source: docker-library/postgres

Hi!
I was trying to set up a postgres container with docker-compose and a volume for data persistence, but I encountered a permissions issue that I am not able to resolve:

I'm working on Ubuntu Server 17.04 Zesty.
My docker-compose.yml:

version: '3'
services:
  db:
    restart: always
    image: postgres:10.1
#    ports:
#      - "5432:5432"
    env_file:
      - db-vars.env
    network_mode: bridge
    volumes:
      - /var/lib/gogs/psql:/var/lib/postgresql/data
#      - ./pg_hba.conf:/var/lib/postgresql/data/pg_hba.conf

The db-vars.env file:

POSTGRES_PASSWORD=[REDACTED]
POSTGRES_DB=gogs
POSTGRES_USER=root

Logs:

The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
2017-12-17 11:55:35.930 UTC [34] FATAL:  could not open file "base/1/2674_fsm": Permission denied
2017-12-17 11:55:35.930 UTC [34] STATEMENT:  CREATE VIEW pg_replication_slots AS
            SELECT
                    L.slot_name,
                    L.plugin,
                    L.slot_type,
                    L.datoid,
                    D.datname AS database,
                    L.temporary,
                    L.active,
                    L.active_pid,
                    L.xmin,
                    L.catalog_xmin,
                    L.restart_lsn,
                    L.confirmed_flush_lsn
            FROM pg_get_replication_slots() AS L
                    LEFT JOIN pg_database D ON (L.datoid = D.oid);

2017-12-17 11:55:35.930 UTC [34] PANIC:  could not open control file "global/pg_control": Permission denied
Aborted (core dumped)
child process exited with exit code 134
initdb: removing contents of data directory "/var/lib/postgresql/data"
could not open directory "/var/lib/postgresql/data": Permission denied
initdb: failed to remove contents of data directory
performing post-bootstrap initialization ... 2017-12-17 11:55:37.632 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2017-12-17 11:55:37.632 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2017-12-17 11:55:37.661 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2017-12-17 11:55:37.698 UTC [24] LOG:  database system was interrupted; last known up at 2017-12-17 11:55:35 UTC
2017-12-17 11:55:38.218 UTC [24] LOG:  database system was not properly shut down; automatic recovery in progress
2017-12-17 11:55:38.232 UTC [24] LOG:  redo starts at 0/1079C28
2017-12-17 11:55:38.262 UTC [24] LOG:  invalid record length at 0/126F098: wanted 24, got 0
2017-12-17 11:55:38.262 UTC [24] LOG:  redo done at 0/126EED0
2017-12-17 11:55:38.262 UTC [24] LOG:  last completed transaction was at log time 2017-12-17 11:55:35.929971+00
2017-12-17 11:55:38.421 UTC [1] LOG:  database system is ready to accept connections
2017-12-17 11:55:53.779 UTC [31] FATAL:  no pg_hba.conf entry for host "172.17.0.6", user "root", database "gogs", SSL off
2017-12-17 11:55:53.818 UTC [32] FATAL:  could not open relation mapping file "global/pg_filenode.map": Permission denied
2017-12-17 11:55:54.831 UTC [33] FATAL:  could not open relation mapping file "global/pg_filenode.map": Permission denied
2017-12-17 11:55:55.827 UTC [34] FATAL:  could not open relation mapping file "global/pg_filenode.map": Permission denied
2017-12-17 11:55:57.181 UTC [35] FATAL:  could not open relation mapping file "global/pg_filenode.map": Permission denied

Could you please tell me what I am doing wrong? I am clueless about this... Previous image versions weren't working either.
I also have a problem with mounting pg_hba.conf:
- ./pg_hba.conf:/var/lib/postgresql/data/pg_hba.conf
As then postgres complains about non-empty data directory...

All 8 comments

I was able to get the volume to work by giving the directory the docker group and allowing docker permission to modify the directory.
chown root:docker /var/lib/gogs/psql
chmod 770 /var/lib/gogs/psql

Keep in mind that after the container starts, the permissions are changed and you will need to sudo most commands involving this directory.

@pthomas931 Thank you for your reply!
Unfortunately, for some reason the ownership is changed immediately back to my user. When I run
root@[...]:/srv/docker/gogs# chown -R root:docker /var/lib/gogs/psql && ls -la /var/lib/gogs/psql
I'm getting it correct:

...
-rw-------  1 root  docker  4513 gru 18 20:57 pg_hba.conf
...

But then ownership is changed and running ls -la on the directory shows it's again piotr piotr, even though I'm running these as root...

I have tried reinstalling docker and docker-compose and set everything up from scratch, this time configuring it not to require sudo. However, the problem persists: whenever I run docker-compose up -d the ownership of the postgres volume is changed from piotr:docker to piotr:piotr. I have followed the installation tutorial from the official page.
I think this is a bug.

It seems like AppArmor is preventing the postgres user in the container (which happens to be id 999 and probably matches your piotr user) from accessing the /var/lib/postgresql/data directory. Maybe try running it with --security-opt="apparmor=unconfined".

For reference, the container starts as root, does a chown of the /var/lib/postgresql/data to postgres, and then steps down from root to postgres.

Well, this was quite a good hint, thank you :) It turned out that the second app in docker-compose has been mounting parent directory and, probably, changing its ownership... Thanks!
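
The two causes raised in this thread (data files not owned by the container's postgres uid, and a second service bind-mounting the parent directory) can be checked from the host. The script below is an added example, not part of the original discussion; the `service:host_path` input format, the function names, and the `gogs` service mounting `/var/lib/gogs` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption taken from the thread:
# the postgres user inside the image is uid 999.
PG_UID=999

# Print every path under $1 that is NOT owned by uid $2 (default 999).
# Empty output means the container's postgres user owns the whole tree.
owner_mismatch() {
    find "$1" ! -user "${2:-$PG_UID}" -print 2>/dev/null
}

# Read "service:host_path" lines on stdin and print "child<-parent" for each
# bind mount whose host path lies inside (or equals) another service's mount.
overlapping_mounts() {
    mounts=$(cat)
    printf '%s\n' "$mounts" | while IFS= read -r a; do
        [ -n "$a" ] || continue
        sa=${a%%:*}; pa=${a#*:}; pa=${pa%/}
        printf '%s\n' "$mounts" | while IFS= read -r b; do
            sb=${b%%:*}; pb=${b#*:}; pb=${pb%/}
            if [ -z "$b" ] || [ "$sa" = "$sb" ]; then continue; fi
            # Compare with a trailing slash so /var/lib/gogs-data is not
            # mistaken for a child of /var/lib/gogs.
            case "$pa/" in
                "$pb"/*) echo "$sa<-$sb" ;;
            esac
        done
    done
}

# Constructed sample: the db mount from the compose file in this thread plus a
# hypothetical second service ("gogs") that bind-mounts the parent directory.
SAMPLE_MOUNTS='db:/var/lib/gogs/psql
gogs:/var/lib/gogs'

printf '%s\n' "$SAMPLE_MOUNTS" | overlapping_mounts   # prints: db<-gogs
```

Running `owner_mismatch /var/lib/gogs/psql` as root on the host lists any files not owned by uid 999; an overlap reported by `overlapping_mounts` points at the service whose startup may be re-owning the data directory.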

@TeoTN Can you explain, please? I need help; I'm a novice and I have a problem persisting my postgresql database, because when I did docker-compose up, all files are with permission ...

Add volume paths to the ".dockerignore" file. This problem occurs when the build process tries to add files in the volume paths to the docker container, while running it will cause them to be written in the docker user context.

Thanks for posting this @navidnabavi, I hadn't done this before and found a good example of the solution here: https://github.com/moby/moby/issues/1295#issuecomment-258168065. That together with your comment helped me out.
