
I am quite new to Docker and need a bit of help.
It seems like my chown, chgrp and chmod commands, although not causing errors during the docker build, aren’t taking effect and actually aren’t doing anything.

Here’s my Dockerfile.

VOLUME /data/db /data/configdb

RUN mkdir -p /data/db /data/configdb && \
    chown -R mongodb:mongodb /data/db /data/configdb

USER mongodb:mongodb

RUN touch /data/db/replica.key && \
    echo -e 'my key' \
      >> /data/db/replica.key && \
    chown mongodb:mongodb /data/db/replica.key && \
    chgrp mongodb /data/db/replica.key && \
    chmod 600 /data/db/replica.key

Any ideas or help would be great.

2 Answers


  1. RUN mkdir -p /data/db /data/configdb \
         && chown -R mongodb:mongodb /data/db /data/configdb

     USER mongodb:mongodb

     RUN touch /data/db/replica.key \
         && echo -e 'my key' >> /data/db/replica.key \
         && chown mongodb:mongodb /data/db/replica.key \
         && chgrp mongodb /data/db/replica.key \
         && chmod 600 /data/db/replica.key

     docker run -v /local/path/to/db:/data/db -v /local/path/to/configdb:/data/configdb your-image-name

    Remember to replace /local/path/to/db and /local/path/to/configdb with the paths where you want your data to be stored on the host machine.

    The problem is that chown, chgrp and chmod have no effect in your Dockerfile, because they are invoked after the VOLUME command.

  2. I’d suggest you should delete all of these lines from your Dockerfile. Anything that’s in your image can be trivially extracted by anyone who has a copy of the image, either by docker cp-ing it out or by seeing the key in plain text in docker history. This generally makes it a bad idea to put any sort of key or credential anywhere in a Dockerfile.

    When you run the image, you can provide this credential via a Docker bind mount. Using docker run, for example:

    docker run \
      -v "$PWD/replica.key:/data/db/replica.key" \
      ... \
      mongo

    (If you’re using Compose, its volumes: option works identically.)

    It’s possible you’re storing the entire data directory on your host, -v "$PWD/dbdata:/data/db", and in that case the ./dbdata/replica.key file would be injected into the container in the same way.

    This means you need to have the permissions and ownership of the file set up correctly on the host. On native Linux in particular, the numeric owner needs to match what the container is running as. It looks like the mongo:6.0 image uses user ID 999 by default, so that’s the user ID you’d need on the host.

    # on the host
    mkdir mongo-data
    echo -e 'my key' > mongo-data/replica.key
    sudo chown -R 999 mongo-data
    sudo chmod 0600 mongo-data/replica.key

    sudo docker run \
      -v "$PWD/mongo-data:/data/db" \
      ... \
      mongo:6.0

    Mechanically, the file you show will hit two problems. First, the Dockerfile VOLUME directive has a side effect of preventing any future changes to the VOLUME directory in later RUN commands, so your subsequent RUN chmod command has no effect (and if you’re building your image FROM mongo, it has the same VOLUME line). Second, if you do have a volume mount, the contents of the volume always hide whatever might have been in the image, including any ownership and permission settings. This Dockerfile setup inside the data directory will be ineffective.

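An added example, not from either answer, that checks a Dockerfile for the two mistakes the answers describe: a RUN that modifies a path already declared as VOLUME (its changes are discarded), and an echo redirected into a file inside the image (a credential baked into a layer). The sample Dockerfile is constructed from the question's file with its line continuations restored; the finding names are made up for this script.

```python
import re
import shlex

# Constructed sample: the question's Dockerfile with line continuations restored.
SAMPLE_DOCKERFILE = """\
FROM mongo:6.0
VOLUME /data/db /data/configdb
RUN mkdir -p /data/db /data/configdb && \\
    chown -R mongodb:mongodb /data/db /data/configdb
USER mongodb:mongodb
RUN touch /data/db/replica.key && \\
    echo -e 'my key' >> /data/db/replica.key && \\
    chmod 600 /data/db/replica.key
"""

# An echo whose output is redirected into a file within one shell command.
SECRET_WRITE = re.compile(r"\becho\b[^&|;]*>>?\s*\S+")

def parse_instructions(text):
    """Join backslash-continued lines; return a list of (INSTRUCTION, argument)."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        head, _, arg = (pending + line).partition(" ")
        instructions.append((head.upper(), arg.strip()))
        pending = ""
    return instructions

def touches_volume(arg, volumes):
    # True if any word of the shell command names a path at or under a declared volume.
    return any(tok == v or tok.startswith(v.rstrip("/") + "/")
               for tok in shlex.split(arg) for v in volumes)

def lint_dockerfile(text):
    """Flag RUNs undone by an earlier VOLUME or writing a literal value into a layer."""
    findings, volumes = [], []
    for n, (instr, arg) in enumerate(parse_instructions(text), 1):
        if instr == "VOLUME":
            volumes.extend(arg.split())
        elif instr == "RUN":
            if touches_volume(arg, volumes):
                findings.append((n, "volume-shadowed", "changes under a VOLUME path are discarded after this layer"))
            if SECRET_WRITE.search(arg):
                findings.append((n, "secret-in-layer", "file contents written here are readable via docker history or docker cp"))
    return findings
```

Moving the mkdir/chown RUN above the VOLUME line clears the first finding; the key itself should come from a bind mount at run time, as the second answer shows, which clears the other.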