mkfifo fail when running as non root user

[emperorkebab]

Describe the problem

When running crdb docker container with the option user: 1000:1000 the container fails with the following log error:

mkfifo: cannot create fifo 'server_fifo': Permission denied

which i think originates from here:

cockroach/build/deploy/cockroach.sh

Line 134 in 6d36207

local start_node_query=( exec $cockroach_entrypoint start-single-node \

---

To Reproduce

1. Create dirs mycrdb/certs and mycrdb/data (owned by user 1000, and default perms 755) to avoid "could not write CAs" cockroach error when initializing.
2. Buid the container using this compose:

mycrdb:
    image: cockroachdb/cockroach:latest
    container_name: mycrdb
    command: "start-single-node --advertise-addr mycrdb"
    user: 1000:1000
    ports:
      - "9090:8080"
      - "26257:26257"
    networks:
      - mynetwork
    volumes:
      - ./mycrdb/certs:/cockroach/certs:rw
      - ./mycrdb/data:/cockroach/cockroach-data:rw

3. See container logs.

docker logs -f mycrdb

---

Expected behavior

The cockroachdb container gets generated without errors, and the generated content in the bind volumes are owned by the user with id 1000 instead of root.

---

Additional data / screenshots

Related to:

• Current guidance on how to run containerized CRDB clusters has users running as root in the container docs#8416
• Root access is not required for installation and operations docs#7697

---

Environment:

• CockroachDB version v24.1.0
• Server OS: Linux/Ubuntu

Additional context
What was the impact?
Can't proceed with container hardening.

Jira issue: CRDB-39655

[blathers-crl]

Hi @emperorkebab, please add branch-* labels to identify which branch(es) this C-bug affects.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[blathers-crl]

Hello, I am Blathers. I am here to help you get the issue triaged.

Hoot - a bug! Though bugs are the bane of my existence, rest assured the wretched thing will get the best of care here.

I have CC'd a few people who may be able to assist you:

• @tbg (author of storage: TestSplitSnapshotRace_SnapshotWins is disabled #8416)

If we have not gotten back to your issue within a few business days, you can try the following:

• Join our community slack channel and ask on #cockroachdb.
• Try find someone from here if you know they worked closely on the area and CC them.

_{🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is dev-inf.}

[emperorkebab]

I just realized this could made irrelevant by #85062 if it gets merged