Permission problem with volumes about docker-ejabberd HOT 9 CLOSED

Possible duplicate of: moby/moby#3124

from docker-ejabberd.

What I understand is that Docker considers 'bind-mounts' as being owned by 'root' user, which would explain why our 'ejabberd' user does not get access to the volume.

from docker-ejabberd.

@rroemhild Would you consider it an option to change the default user to 'root', and ditch the 'ejabberd' user? See: #58

from docker-ejabberd.

Run ejabberd with the root user removes a bit of security. What about change the directory owner:group to the ejabberd id (999) or set read/write permissions for others?

from docker-ejabberd.

Or use a data-container and set the correct ownership:

$ docker create -v /opt/ejabberd/database -v /opt/ejabberd/ssl --name ejabberd-data debian
$ docker run --rm --volumes-from ejabberd-data debian chown -R 999:999 /opt/ejabberd
$ docker run -d --name ejabberd --volumes-from ejabberd-data rroemhild/ejabberd

from docker-ejabberd.

@rroemhild I would rather not work with a data container (although it SHOULD be possible ofcourse), since I want to make sure the data persists in production. Changing directory permissions on the host to a user that only exists in a container seems counter-intuitive. If there would be a way for the non-root user to write a mounted directory on the host, that would work for me too. In the meanwhile, I'm pretty much stuck...

from docker-ejabberd.

Heya. I stumpled over this very sample problem. Since you already use startup scripts, I'd like to suggest something like the following:

We could have a EJABBERD_UID environment variable, possibly preset to 999 in the Dockerfile. On run - as root - perform a

usermod -u $EJABBERD_UID $EJABBERD_USER

to change the ejabberd user's UID on the fly. The permissions on all owned directories and files should be changed automatically. After that, continue on as $EJABBERD_USER.

I assume it might also be possible to install sudo in the dockerfile, add a change-user.sh script that does the above and then configure passwordless sudo access to this file only, removing the need to run as root if that isn't feasible.

from docker-ejabberd.

@sunsided thanks for your contribution You got me on the right track. Can you both review PR #66, please. The container must be started with the -u root option.

from docker-ejabberd.

I merged the PR to master branch. It works for me and I think it addresses this problem by let the user decide to run ejabberd as root but run with ejabberd user by default. Feel free to re-open this issue.

from docker-ejabberd.