I am quite new to docker and need a bit of help.
It seems like my chown, chgrp and chmod commands, although not causing errors during the docker build, aren’t taking effect and actually aren’t doing anything.
Here’s my dockerfile.
VOLUME /data/db /data/configdb
RUN mkdir -p /data/db /data/configdb && \
    chown -R mongodb:mongodb /data/db /data/configdb
USER mongodb:mongodb
RUN touch /data/db/replica.key && \
    echo -e 'my key' >> /data/db/replica.key && \
    chown mongodb:mongodb /data/db/replica.key && \
    chgrp mongodb /data/db/replica.key && \
    chmod 600 /data/db/replica.key
Any ideas or help would be great.
2 Answers
docker run -v /local/path/to/db:/data/db -v /local/path/to/configdb:/data/configdb your-image-name
Remember to replace /local/path/to/db and /local/path/to/configdb with the paths where you want your data to be stored on the host machine.
The chown, chgrp and chmod commands have no effect in your Dockerfile because they are invoked after the VOLUME command.
I’d suggest you should delete all of these lines from your Dockerfile. Anything that’s in your image can be trivially extracted by anyone who has a copy of the image, either by docker cp-ing it out or by seeing the key in plain text in docker history. This generally makes it a bad idea to put any sort of key or credential anywhere in a Dockerfile.
When you run the image, you can provide this credential via a Docker bind mount. Using docker run, for example:
(If you’re using Compose, its volumes: option works identically.)
It’s possible you’re storing the entire data directory on your host; -v "$PWD/dbdata:/data/db"; and in that case the ./dbdata/replica.key file would be injected into the container in the same way.
This means you need to have the permissions and ownership of the file set up correctly on the host. On native Linux in particular, the numeric owner needs to match what the container is running as. It looks like the mongo:6.0 image uses user ID 999 by default so that’s the user ID you’d need on the host.
Mechanically, the file you show will hit two problems. First, the Dockerfile VOLUME directive has a side effect of preventing any future changes to the VOLUME directory in later RUN commands, so your subsequent RUN chmod command has no effect (and if you’re building your image FROM mongo, it has the same VOLUME line). Second, if you do have a volume mount, the contents of the volume always hide whatever might have been in the image, including any ownership and permission settings. This Dockerfile setup inside the data directory will be ineffective.
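The first problem described in the answer above can be caught before building. The following is an added example, not code from the question or either answer: a small Dockerfile check that reports every RUN step referencing a path under a VOLUME declared earlier in the same file. The function names and the embedded sample are constructed for illustration, and a VOLUME inherited from the base image is not visible to it.

```python
import json
import re

# Constructed sample: the question's Dockerfile, shortened, continuations restored.
SAMPLE = r"""
VOLUME /data/db /data/configdb
RUN mkdir -p /data/db /data/configdb && \
    chown -R mongodb:mongodb /data/db /data/configdb
USER mongodb:mongodb
RUN touch /data/db/replica.key && \
    chmod 600 /data/db/replica.key
"""

def instructions(text):
    """Yield (first_line_no, KEYWORD, args), joining backslash continuations."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not buf and (not stripped or stripped.startswith("#")):
            continue  # blank line or comment between instructions
        start = start or no
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        keyword, _, args = (buf + stripped).partition(" ")
        yield start, keyword.upper(), args.strip()
        buf, start = "", None

def volume_paths(args):
    """VOLUME takes either a JSON array or a whitespace-separated list."""
    return json.loads(args) if args.startswith("[") else args.split()

def under(path, root):
    """True if path is the volume root itself or lies below it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")

def lint(text):
    """Return [(line_no, [volume, ...])] for RUN steps that touch a declared volume."""
    volumes, findings = [], []
    for no, keyword, args in instructions(text):
        if keyword == "VOLUME":
            volumes += volume_paths(args)
        elif keyword == "RUN":
            tokens = re.split(r"[\s;&|<>'\"=]+", args)
            hits = sorted({v for v in volumes for t in tokens if under(t, v)})
            if hits:
                findings.append((no, hits))
    return findings

if __name__ == "__main__":
    for no, hits in lint(SAMPLE):
        print(f"line {no}: RUN references declared VOLUME {', '.join(hits)}")
```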