
Running MongoDB entrypoint as non-root user #315

Closed
eldada opened this issue Nov 19, 2018 · 3 comments

Comments

@eldada

eldada commented Nov 19, 2018

Use case: As a sys admin, I need to run a MongoDB Docker container with a custom "approved" service account. This is company IT policy.

Today, the mongodb Docker container starts up the docker-entrypoint.sh as root and spins up mongod running as mongodb user, which is created at image build time.
Trying to use a custom --user user:group fails as the file system permissions are not good.

$ docker run --rm --name mongo --user 202:202 mongo:3.6.9-stretch
2018-11-19T08:27:39.395+0000 I CONTROL  [initandlisten] MongoDB starting : pid=1 port=27017 dbpath=/data/db 64-bit host=f267c856d149
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten] db version v3.6.9
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten] git version: 167861a164723168adfaaa866f310cb94010428f
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.1.0f  25 May 2017
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten] allocator: tcmalloc
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten] modules: none
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten] build environment:
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten]     distmod: debian92
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten]     distarch: x86_64
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten]     target_arch: x86_64
2018-11-19T08:27:39.396+0000 I CONTROL  [initandlisten] options: { net: { bindIpAll: true } }
2018-11-19T08:27:39.397+0000 I STORAGE  [initandlisten] exception in initAndListen: IllegalOperation: Attempted to create a lock file on a read-only directory: /data/db, terminating
2018-11-19T08:27:39.397+0000 I CONTROL  [initandlisten] now exiting
2018-11-19T08:27:39.397+0000 I CONTROL  [initandlisten] shutting down with code:100

Can you provide instructions or a Dockerfile with support for such a requirement?

@wglambert

You just need to allow permissions for the user in the container, so you could mount the /data/db and give it appropriate permissions; however, without a corresponding user in /etc/passwd you will have a template name. Also, for using a name over a UID with --user, mongo wants an entry in /etc/passwd.

$ mkdir db && sudo chmod 777 db

$ docker run --rm -dit -v $PWD/db:/data/db -v /etc/passwd:/etc/passwd:ro --user 1000:1001 --name mongo mongo
6c4a4e74b314a2a01893bc0b7405106db3100db37e9ad466772f56f2f88ec2b2

$ echo $UID
1000

$ docker exec -it mongo bash
groups: cannot find name for group ID 1001
rei@6c4a4e74b314:/$ echo $UID
1000

@yosifkit
Member

@wglambert is correct; we have had arbitrary user support since #81, but then the operator running the container is in charge of providing a data directory that the chosen user can access. The percona, postgres, mariadb, and mysql images have the same issue.

@eldada
Author

eldada commented Nov 20, 2018

Thanks @wglambert. You are right. I had to set the volume on the host to be writable by the user:group I was using and it worked!

$ mkdir db && sudo chmod 777 db

$ docker run --rm --name mongo -v $(pwd)/db:/data/db --user 202:202 mongo:3.6.9-stretch
2018-11-20T10:11:33.934+0000 I CONTROL  [initandlisten] MongoDB starting : pid=1 port=27017 dbpath=/data/db 64-bit host=26c28438ec0f
2018-11-20T10:11:33.949+0000 I CONTROL  [initandlisten] db version v3.6.9
2018-11-20T10:11:33.949+0000 I CONTROL  [initandlisten] git version: 167861a164723168adfaaa866f310cb94010428f
2018-11-20T10:11:33.949+0000 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.1.0f  25 May 2017
2018-11-20T10:11:33.949+0000 I CONTROL  [initandlisten] allocator: tcmalloc
2018-11-20T10:11:33.949+0000 I CONTROL  [initandlisten] modules: none
2018-11-20T10:11:33.949+0000 I CONTROL  [initandlisten] build environment:
2018-11-20T10:11:33.950+0000 I CONTROL  [initandlisten]     distmod: debian92
2018-11-20T10:11:33.950+0000 I CONTROL  [initandlisten]     distarch: x86_64
2018-11-20T10:11:33.950+0000 I CONTROL  [initandlisten]     target_arch: x86_64
2018-11-20T10:11:33.950+0000 I CONTROL  [initandlisten] options: { net: { bindIpAll: true } }
2018-11-20T10:11:33.960+0000 I STORAGE  [initandlisten] wiredtiger_open config: create,cache_size=487M,session_max=20000,eviction=(threads_min=4,threads_max=4),config_base=false,statistics=(fast),cache_cursors=false,compatibility=(release="3.0",require_max="3.0"),log=(enabled=true,archive=true,path=journal,compressor=snappy),file_manager=(close_idle_time=100000),statistics_log=(wait=0),verbose=(recovery_progress),
2018-11-20T10:11:42.091+0000 I STORAGE  [initandlisten] WiredTiger message [1542708702:91595][1:0x7f23665f0600], txn-recover: Set global recovery timestamp: 0
2018-11-20T10:11:42.117+0000 I CONTROL  [initandlisten] 
2018-11-20T10:11:42.117+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2018-11-20T10:11:42.117+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2018-11-20T10:11:42.117+0000 I CONTROL  [initandlisten] 
2018-11-20T10:11:42.128+0000 I STORAGE  [initandlisten] createCollection: admin.system.version with provided UUID: 4dcc25bf-9e9d-43ea-904a-1fdc2421f8ac
2018-11-20T10:11:42.145+0000 I COMMAND  [initandlisten] setting featureCompatibilityVersion to 3.6
2018-11-20T10:11:42.158+0000 I STORAGE  [initandlisten] createCollection: local.startup_log with generated UUID: 112dfe5f-5c4e-4318-849d-537c7fbbddbe
2018-11-20T10:11:42.180+0000 I FTDC     [initandlisten] Initializing full-time diagnostic data capture with directory '/data/db/diagnostic.data'
2018-11-20T10:11:42.182+0000 I NETWORK  [initandlisten] waiting for connections on port 27017

Thanks for the help. Closing.
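Both replies above solve the permission error by making the host directory world-writable (chmod 777). The following is an added example, not code from this thread or from the docker-library mongo project: it prepares the bind-mounted data directory so that only the chosen UID:GID (202:202, as in the issue) owns it, with mode 700, and refuses to proceed if the directory is owned by someone else or is group/world-writable. It assumes GNU coreutils stat (Linux host) and that prepare_datadir runs with enough privilege to chown; the paths and image tag are the issue's own.

```shell
#!/bin/sh
# Added example: least-privilege data directory for a non-root mongo container.
set -eu

# check_datadir DIR UID GID -> 0 if DIR is owned by UID:GID with mode 700
# (optionally with a special-bit prefix such as 1700), 1 otherwise.
# A 777 directory from "chmod 777" is rejected here on purpose.
check_datadir() {
    dir=$1; want_uid=$2; want_gid=$3
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    owner=$(stat -c '%u:%g' "$dir")   # GNU stat, assumed (Linux host)
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$want_uid:$want_gid" ]; then
        echo "$dir is owned by $owner, expected $want_uid:$want_gid" >&2
        return 1
    fi
    case "$mode" in
        700|?700) return 0 ;;
        *) echo "$dir has mode $mode, expected 700 (no group/world access)" >&2
           return 1 ;;
    esac
}

# prepare_datadir DIR UID GID -> create DIR owned by UID:GID, mode 700,
# then verify it. chown needs root (or ownership of DIR) on the host.
prepare_datadir() {
    dir=$1; uid=$2; gid=$3
    mkdir -p "$dir"
    chown "$uid:$gid" "$dir"
    chmod 700 "$dir"
    check_datadir "$dir" "$uid" "$gid"
}

# docker_run_cmd DIR UID GID IMAGE -> the docker run line with --user set,
# mirroring the command from the issue but with the prepared directory.
docker_run_cmd() {
    printf 'docker run --rm --name mongo -v %s:/data/db --user %s:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Usage (host paths are constructed for this example):
#   prepare_datadir /srv/mongo/db 202 202 \
#     && eval "$(docker_run_cmd /srv/mongo/db 202 202 mongo:3.6.9-stretch)"
```

mongod only needs its own UID to be able to write /data/db, so the container runs exactly as before while no other host user can read or tamper with the database files.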
