Dockerised server cannot access bindmounts with the documented group ID #47929
Since the Elasticsearch images are based on CentOS 7, they use a chroot version feature-frozen since 2013. chroot has only started applying user-associated groups in 2014. I believe that to be the cause of this bug in the Elasticsearch images; recent documentation for chroot will say that
Pinging @elastic/es-core-infra (:Core/Infra/Core)
@fedde-s This is indeed something that should be addressed in the docs, given that as you correctly mentioned the Practically speaking I think we should adjust the docs in the linked section to:
For your use case you'd use something like (I chose a random
which allows the docker image to run using:
In the future when we switch to a newer base image with a newer
Fix reference about the uid:gid that Elasticsearch runs as inside the Docker container and add a packaging test to ensure that bind mounting a data dir with a random uid and gid:0 works as expected. Relates elastic#49529 Closes elastic#47929
Elasticsearch version (docker run --rm docker.elastic.co/elasticsearch/elasticsearch-oss:7.4.0 elasticsearch --version):
Plugins installed: []
JVM version (docker run --rm docker.elastic.co/elasticsearch/elasticsearch-oss:7.4.0 /bin/bash -c 'source "`dirname "$0"`"/elasticsearch-env && "$JAVA" --version' /usr/share/elasticsearch/bin/elasticsearch):
OS version (uname -srvm): Linux 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64
Description of the problem including expected versus actual behavior:
The documentation on bind-mounting configuration into an Elasticsearch Docker container claims that the container will run Elasticsearch as a user with group ID 1000, and the notes on defaults underneath contain detailed instructions to create a bind-mountable data directory to be accessed by such a user. However, when I follow these instructions, Elasticsearch fails with this message:
"org.elasticsearch.bootstrap.StartupException: ElasticsearchException[failed to bind service]; nested: AccessDeniedException[/usr/share/elasticsearch/data/nodes];",
The output below suggests that the Dockerfile did add a user with this default group, but the command that the entrypoint uses to switch to that user's user ID does not reference that configuration to set the group ID for the user.
Steps to reproduce:
sudo -- sh -c 'mkdir esdatadir && chmod g+rwx esdatadir && chgrp 1000 esdatadir'
Provide logs (if relevant):
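The access failure reported in this issue follows from the kernel applying exactly one permission class (owner, group or other) to the directory. The sketch below is an added example, not part of the original thread or the Elasticsearch project: `dir_access` is a hypothetical helper, and the process identity 1000:0 without supplementary groups and the 0775 directory mode are assumptions based on the reproduction step and the fix discussed here.

```shell
#!/bin/sh
# dir_access OWNER_UID OWNER_GID MODE PROC_UID PROC_GID [SUPP_GID...]
# Prints the permission class that applies to the process ("owner", "group"
# or "other") and returns 0 only if that class grants rwx on the directory.
# The uid 0 bypass of permission checks is deliberately not modelled.
dir_access() {
    owner_uid=$1 owner_gid=$2 mode=$3 proc_uid=$4 proc_gid=$5
    shift 5
    class=other
    if [ "$proc_uid" -eq "$owner_uid" ]; then
        class=owner
    else
        # Primary gid plus any supplementary gids passed as extra arguments.
        for g in "$proc_gid" "$@"; do
            if [ "$g" -eq "$owner_gid" ]; then class=group; break; fi
        done
    fi
    m=$((0$mode))    # the leading 0 makes the shell read the mode as octal
    case $class in
        owner) bits=$(( (m >> 6) & 7 )) ;;
        group) bits=$(( (m >> 3) & 7 )) ;;
        other) bits=$(( m & 7 )) ;;
    esac
    echo "$class"
    [ "$bits" -eq 7 ]
}

# Constructed cases: directory owner uid, gid, mode; then process uid, gid, groups.
report() {
    label=$1; shift
    if class=$(dir_access "$@"); then verdict=ok; else verdict=DENIED; fi
    printf '%-44s class=%-5s %s\n' "$label" "$class" "$verdict"
}
report "documented: chgrp 1000, process 1000:0"      0 1000 0775 1000 0
report "same dir, gid 1000 applied as supplementary" 0 1000 0775 1000 0 1000
report "chgrp 0 instead, process 1000:0"             0 0    0775 1000 0
report "random owner uid, gid 0, mode 0770"          4242 0 0770 1000 0
```

To check a real bind mount, feed the function the values printed by `stat -c '%u %g %a' esdatadir` on the host and by `id` inside the container.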