Hi!

I have a problem with port mapping (I created a topic for it). In order to find a solution, I switched from Docker Desktop to Docker Engine.
Unfortunately, my user inside the Docker container has no file permissions in bound volumes, when I’m using Docker Engine. But when I’m using Docker Desktop, my user inside the Docker container has these file permissions.

Due to the missing file permissions, MariaDB exits with an error and the container stops.

Could somebody help me, getting it to work using Docker Engine, please?

Thank you in advance,
Bernhard

Linux: Ubuntu 24.04.2

Docker Engine (docker --version): Docker version 28.0.2, build 0442a73

docker-compose.yml

# Note: Values have been anonymized.
name: my-project-name
networks:
    database:
    project:
        driver: macvlan
        driver_opts:
            parent: my-network-interface
        ipam:
            config:
                - gateway: 192.168.59.1
                  subnet : 192.168.59.0/24
services:
    mariadb:
        build:
            context: /my/build/context/path
            dockerfile: /my/dockerfile/path
        container_name: my-project-name-mariadb
        entrypoint: /my/entrypoint/path
        env_file: /my/env_file/path
        networks:
            database:
            project:
                ipv4_address: 192.168.59.123
        ports:
            - host_ip: 192.168.59.123
              mode: host
              protocol: tcp
              published: 1234
              target: 1234
        volumes:
            - bind:
                  selinux: Z
              source: ./database
              target: /my/bind/database/target/path
              type: bind
            - bind:
                  create_host_path: true
                  selinux: Z
              source: ./database/data
              target: /my/bind/database/data/target/path
              type: bind
            - bind:
                  create_host_path: true
                  selinux: z
              source: ./log
              target: /my/bind/log/target/path
              type: bind

Dockerfile:

FROM mariadb:latest

SHELL ["/bin/bash", "-ec"]

RUN /bin/bash /path/to/provisioner/sh/provisioner.sh

USER docker: docker

provisioner.sh:

# Create a Docker user.
if [ -z "$APK" ]; then
    groupadd -r docker
    useradd -g docker -m -r -s /bin/bash docker
else
    addgroup -S docker
    adduser -D -G docker -s /bin/bash -S docker
fi

echo "docker ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/docker

# Adapt file permissions for the created docker user.
chown -R docker:docker /home/docker
chown -R docker:docker /tmp/*
chown -R docker:docker /path/to/project/data

entrypoint.sh:

#!/bin/bash

# Initialize project.
cd /path/to/project/data

# Do some stuff with the project data (unrelated to Docker).

# Providing a custom entrypoint overwrites the default entry point of the image. Call it, to get the container to work.
docker-entrypoint.sh mariadbd # Default entry point of container "mariadb:latest".

MariaDB log file:

2025-03-25 10:04:14 0 [Note] Starting MariaDB 11.7.2-MariaDB-ubu2404 source revision 80067a69feaeb5df30abb1bfaf7d4e713ccbf027 server_uid yJhRsRqu9LWL8EuEzXLjcALXXAA= as process 31
2025-03-25 10:04:14 0 [ERROR] mariadbd: Can't create/write to file './ddl_recovery.log' (Errcode: 13 "Permission denied")
2025-03-25 10:04:14 0 [ERROR] DDL_LOG: Failed to create ddl log file: ./ddl_recovery.log
2025-03-25 10:04:14 0 [ERROR] Aborting

It seems you try to set the folder permissions inside the container before switching the user.

But are you sure the container and Docker daemon have the correct permissions on host folders in the first place?

Also note that similar user names inside and outside container are not necessarily the same, make sure they have the same uid/gid. Sonic Docker on host is 1000:1000, make sure to set the same inside your script.

The folder permissions are set during image build. The bound volumes are not bound, yet. I don’t change the permissions in the running container.

They had (and still have) using Docker Desktop. Only when I’m using Docker Engine, the permissions seem to be not right.

I’m aware of that. It wasn’t any problem using Docker Desktop, nor in the technology my Company is currently using. The created user:group should have 1000:1000 using Docker Engine, too. Nevertheless, I will check it to be sure.

Running inside the container, you create docker:docker, do they have 1000:1000?

I did check the user and group IDs and they really weren’t 1000:1000. They were 998:998. I changed the provisioner to nail the IDs down to 1000:1000 and now it’s working. Thank you!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.