Can user privilege of docker container impact permission of host machine on mounted volume in docker-compose.yml?

Question

I have docker-compose.yml as below，

version: '2'
services:
  mysql:
    image: centos/mysql-56-centos7:latest
    restart: always
    container_name: mysql
    environment:
       - MYSQL_ROOT_PASSWORD=111111
    volumes:
      - /etc/localtime:/etc/localtime
      - /data/mysql:/var/lib/mysql/data
    ports:
      - 3306:3306

centos/mysql-56-centos7 is a image from Docker Hub. I use docker-compose up to start the container, but it always fail, the cause is:

Can't create test file /var/lib/mysql/data/cdef45a5817c.lower-test

full info:

    Creating network "mysql_default" with the default driver
    Creating mysql ... ^M
    ^[[1A^[[2K^MCreating mysql ... ^[[32mdone^[[0m^M^[[1BAttaching to mysql
    ^[[36mmysql    |^[[0m => sourcing 20-validate-variables.sh ...
    ^[[36mmysql    |^[[0m => sourcing 25-validate-replication-variables.sh ...
    ^[[36mmysql    |^[[0m => sourcing 30-base-config.sh ...
    ^[[36mmysql    |^[[0m ---> 16:39:17     Processing basic MySQL configuration files ...
    ^[[36mmysql    |^[[0m => sourcing 60-replication-config.sh ...
    ^[[36mmysql    |^[[0m => sourcing 70-s2i-config.sh ...
    ^[[36mmysql    |^[[0m ---> 16:39:17     Processing additional arbitrary  MySQL configuration provided by s2i ...
    ^[[36mmysql    |^[[0m => sourcing 40-paas.cnf ...
    ^[[36mmysql    |^[[0m => sourcing 50-my-tuning.cnf ...
    ^[[36mmysql    |^[[0m ---> 16:39:17     Initializing database ...
    ^[[36mmysql    |^[[0m ---> 16:39:17     Running mysql_install_db --rpm --datadir=/var/lib/mysql/data
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 0 [Note] Ignoring --secure-file-priv value as server is running with --bootstrap.
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 0 [Note] /opt/rh/rh-mysql56/root/usr/libexec/mysqld (mysqld 5.6.38) starting as process 30 ...
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Warning] Can't create test file /var/lib/mysql/data/a5d11f4146dd.lower-test
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Warning] Can't create test file /var/lib/mysql/data/a5d11f4146dd.lower-test
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Using atomics to ref count buffer pool pages
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: The InnoDB memory heap is disabled
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Memory barrier is not used
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Compressed tables use zlib 1.2.7
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Using Linux native AIO
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Using CPU crc32 instructions
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Initializing buffer pool, size = 32.0M
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] InnoDB: Completed initialization of buffer pool
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 7f1048c42840  InnoDB: Operating system error number 13 in a file operation.
    ^[[36mmysql    |^[[0m InnoDB: The error means mysqld does not have the access rights to
    ^[[36mmysql    |^[[0m InnoDB: the directory.
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 7f1048c42840  InnoDB: Operating system error number 13 in a file operation.
    ^[[36mmysql    |^[[0m InnoDB: The error means mysqld does not have the access rights to
    ^[[36mmysql    |^[[0m InnoDB: the directory.
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [ERROR] InnoDB: Creating or opening ./ibdata1 failed!
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [ERROR] InnoDB: Could not open or create the system tablespace. If you tried to add new data files to the system tablespace, and it failed here, you should now edit innodb_data_file_path in my.cnf back to what it was, and remove the new ibdata files InnoDB created in this failed attempt. InnoDB only wrote those files full of zeros, but did not yet use them in any way. But be careful: do not remove old data files which contain your precious data!
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [ERROR] Plugin 'InnoDB' init function returned error.
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [ERROR] Unknown/unsupported storage engine: InnoDB
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [ERROR] Aborting
    ^[[36mmysql    |^[[0m
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] Binlog end
    ^[[36mmysql    |^[[0m 2020-01-10 16:39:17 30 [Note] /opt/rh/rh-mysql56/root/usr/libexec/mysqld: Shutdown complete

If I remove this line /data/mysql:/var/lib/mysql/data from docker-compose.yml, the container can be started normally.

I run docker-compose up with root privilege on host machine, how can there be permission problem? I don't know with what user privilege the MySQL process is started within the docker container, but how can that impact the permission of host machine?

other information:

on the host machine, it seems selinux is not enabled

# getenforce
Disabled

I chmod the mysql folder, so

# ls -l /data
total 0
drwxrwxrwx 2 root root 6 Jan  9 15:28 mysql

mtak · Accepted Answer · 2020-01-10 09:01:57Z

0

Looks like the MySQL user inside the Docker container does not have permissions to write to the /data/mysql directory on the host filesystem. This has nothing to do with you running docker compose as root. The mysql daemon is started as themysql user inside the container, hence it has those privileges.

To fix this issue, change the ownership of the /data/mysql directory on the host filesystem:

sudo chown -R 27 /data/mysql

27 is the numeric UID of the mysql user inside the Docker container. Use the number instead of the mysql name, as the UID might be different for the mysql user on the host filesystem, but the actual permissions are checked by UID number.

Don't make a directory rwx or 777 unless there is a very good reason to do so

answered Jan 10, 2020 at 9:01

mtak

17k2 gold badges55 silver badges64 bronze badges

thx, but the solution does't work, still the same issue
– lily
Commented Jan 10, 2020 at 10:42
BTW, how do you know the UID is 27?
– lily
Commented Jan 10, 2020 at 10:55
I started the docker container and checked the UID of the mysqld process.
– mtak
Commented Jan 13, 2020 at 13:18

Add a comment |

Stack Exchange Network

Can user privilege of docker container impact permission of host machine on mounted volume in docker-compose.yml?

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged
linux
centos
mysql
docker
docker-compose
.

Hot Network Questions

Can user privilege of docker container impact permission of host machine on mounted volume in docker-compose.yml?

1 Answer 1

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged linuxcentosmysqldockerdocker-compose.

Related

Hot Network Questions

Not the answer you're looking for? Browse other questions tagged
linux
centos
mysql
docker
docker-compose
.