root user has no permissions within container #884

Closed
alecraso opened this issue Sep 24, 2021 · 5 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@alecraso

Issue seen in pg13

Specifically, when running a CI build in Travis (I think it happening within a Travis build is coincidental, but perhaps not). The postgres image is built using the postgres image with no tag specified. When the container is run, the following error occurs:

db-server | ls: cannot access '/docker-entrypoint-initdb.d/': Operation not permitted
db-server exited with code 2

The offending line of code is the following:

ls /docker-entrypoint-initdb.d/ > /dev/null


After connecting to the running container (by setting the command to sleep), running ls -al shows the following output:

root@284bdcb22713:/# ls
bin   dev                         etc   lib    media  opt   root  sbin  sys  usr
boot  docker-entrypoint-initdb.d  home  lib64  mnt    proc  run   srv   tmp  var
root@284bdcb22713:/# ls -al
ls: cannot access 'lib64': Operation not permitted
ls: cannot access 'mnt': Operation not permitted
ls: cannot access 'root': Operation not permitted
ls: cannot access '.': Operation not permitted
ls: cannot access 'usr': Operation not permitted
ls: cannot access 'lib': Operation not permitted
ls: cannot access '..': Operation not permitted
ls: cannot access 'run': Operation not permitted
ls: cannot access 'proc': Operation not permitted
ls: cannot access 'boot': Operation not permitted
ls: cannot access 'bin': Operation not permitted
ls: cannot access 'srv': Operation not permitted
ls: cannot access 'opt': Operation not permitted
ls: cannot access 'etc': Operation not permitted
ls: cannot access 'home': Operation not permitted
ls: cannot access 'sbin': Operation not permitted
ls: cannot access 'sys': Operation not permitted
ls: cannot access 'var': Operation not permitted
ls: cannot access 'media': Operation not permitted
ls: cannot access 'dev': Operation not permitted
ls: cannot access 'tmp': Operation not permitted
ls: cannot access '.dockerenv': Operation not permitted
ls: cannot access 'docker-entrypoint-initdb.d': Operation not permitted
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
d????????? ? ? ? ?            ? bin
d????????? ? ? ? ?            ? boot
d????????? ? ? ? ?            ? dev
d????????? ? ? ? ?            ? docker-entrypoint-initdb.d
-????????? ? ? ? ?            ? .dockerenv
d????????? ? ? ? ?            ? etc
d????????? ? ? ? ?            ? home
d????????? ? ? ? ?            ? lib
d????????? ? ? ? ?            ? lib64
d????????? ? ? ? ?            ? media
d????????? ? ? ? ?            ? mnt
d????????? ? ? ? ?            ? opt
d????????? ? ? ? ?            ? proc
d????????? ? ? ? ?            ? root
d????????? ? ? ? ?            ? run
d????????? ? ? ? ?            ? sbin
d????????? ? ? ? ?            ? srv
d????????? ? ? ? ?            ? sys
d????????? ? ? ? ?            ? tmp
d????????? ? ? ? ?            ? usr
d????????? ? ? ? ?            ? var

I don't understand why the root user has no permissions to anything in the filesystem.

The timing of this issue seems to correspond to the following commit, where the postgres change from buster to bullseye was added to the official libraries in docker:
docker-library/official-images@f21b412

I was able to get around the issue by specifying image: postgres:buster in docker-compose.yml. The root cause is likely still unsolved in the wild.

Here are the relevant sections of our docker-compose.yml:

version: "3"
services:
  db:
    image: "postgres:buster"  # << added "buster" for the workaround
    container_name: "db-server"
    environment:
      POSTGRES_PASSWORD: 'postgres'
      POSTGRES_DB: 'my-db'
    expose:
      - "5432"
    ports:
      - "5432:5432"
    volumes:
      - database_data:/var/lib/postgresql/data
...
volumes:
  database_data:
    driver: local

wglambert added the question label Sep 24, 2021
@wglambert

docker-library/openjdk#465

you'll need to update Docker, runc, and likely libseccomp on your host.

See also docker-library/php#1192
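
Added example, not part of the thread: a shell triage helper for the symptom reported in this issue. It separates `Operation not permitted` failures (the pattern here, which the reply above addresses by updating Docker, runc and libseccomp on the host) from ordinary `Permission denied` failures caused by file modes or ownership. The function and sample names are illustrative; the first sample is abridged from the session quoted in the issue and the second is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): triage the combined stdout+stderr of
# `ls -al`. triage_ls_output prints one verdict on stdout:
#   eperm-on-stat  every failure is "Operation not permitted" (this issue)
#   eacces         failures are "Permission denied" (file modes / ownership)
#   mixed          both kinds appear
#   clean          no access failures
triage_ls_output() {
    awk '
        # Drop a docker-compose log prefix such as "db-server | ".
        { sub(/^[A-Za-z0-9_.-]+ +[|] /, "") }
        /^ls: cannot access .*: Operation not permitted$/ { eperm++; next }
        /^ls: cannot (access|open directory) .*: Permission denied$/ { eacces++; next }
        # Entries ls could name but not stat are shown as "d????????? ? ? ? ?".
        $1 ~ /^[-dlbcps]/ && substr($1, 2, 9) == "?????????" { unstatted++ }
        END {
            if (eperm && eacces) print "mixed"
            else if (eperm)      print "eperm-on-stat"
            else if (eacces)     print "eacces"
            else                 print "clean"
            # Counts go to stderr so the verdict stays machine-readable.
            printf "EPERM=%d EACCES=%d unstatted=%d\n", eperm, eacces, unstatted > "/dev/stderr"
        }
    '
}

# Abridged from the `ls -al` session quoted in the issue.
sample_issue_output() {
    cat <<'EOF'
ls: cannot access 'lib64': Operation not permitted
ls: cannot access '.dockerenv': Operation not permitted
total 0
d????????? ? ? ? ?            ? lib64
-????????? ? ? ? ?            ? .dockerenv
EOF
}

# Constructed contrast: an ordinary permission failure.
sample_eacces_output() {
    cat <<'EOF'
ls: cannot open directory '/root': Permission denied
EOF
}

sample_issue_output  | triage_ls_output
sample_eacces_output | triage_ls_output
```

To use it on a real container, pipe `ls -al / 2>&1` from inside the container (or the compose log) into `triage_ls_output`.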

@tianon
Member

tianon commented Sep 28, 2021

Another workaround would be to add -buster to your image reference, but beware that the buster-based images are no longer maintained (so you won't be getting any image updates if you do so).

@alexjpm

alexjpm commented Sep 29, 2021

Upping the docker version fixed this for me

    steps:
      - checkout
      - setup_remote_docker:
          version: 20.10.6

@srus

srus commented Sep 29, 2021

I got the same issue (cannot access '/docker-entrypoint-initdb.d/': Operation not permitted) trying to run the official Postgres 13.4 image (postgres:13.4) on Docker 17. Problem solved after upgrading Docker to the latest version (20.10.7).

guggero added a commit to guggero/lnd that referenced this issue Oct 5, 2021
Fixes the docker build that was caused by
docker-library/postgres#884.
Using the alpine and version 13 image avoids the problem introduced
with postgres 14 and debian bullseye.
@ghost ghost mentioned this issue Nov 2, 2021
hurngchunlee added a commit to Donders-Institute/data-streamer that referenced this issue Sep 28, 2022
@lyutian

lyutian commented Jun 1, 2023

> docker-library/openjdk#465
>
> you'll need to update Docker, runc, and likely libseccomp on your host.
>
> See also docker-library/php#1192

My Docker version is 20.10.20, but I still have this issue.

The magic comes out after upgrading libseccomp from 2.3.1-3.el7 to 2.3.1-4.el7.

matheusd pushed a commit to matheusd/dcrlnd that referenced this issue Feb 12, 2024
Fixes the docker build that was caused by
docker-library/postgres#884.
Using the alpine and version 13 image avoids the problem introduced
with postgres 14 and debian bullseye.
matheusd pushed a commit to matheusd/dcrlnd that referenced this issue Feb 22, 2024
Fixes the docker build that was caused by
docker-library/postgres#884.
Using the alpine and version 13 image avoids the problem introduced
with postgres 14 and debian bullseye.