chmod: changing permissions of 'var/lib/postgresql/data': Permission denied

[pueffl]

I have slightly extended the official postgres Image in the following way (only the COPY is really important, to do some stuff to use SonarQube with Postgres):

Version: 1.0.0

FROM postgres:9.5
MAINTAINER Wolfgang Grossinger "wolfgang.grossinger@gmail.com"
COPY sonarqube.sql /docker-entrypoint-initdb.d
RUN localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
ENV LANG en_US.utf8
ENV POSTGRES_PASSWORD=postgres
ENV POSTGRES_USER=postgres
RUN chmod 777 /var/lib/postgresql/data

After building the image I try to start it with the following command:

sudo docker run --name postgres_sonar -p 5432:5432 -v /data:/var/lib/postgresql/data wogro/postgres_sonar

I get the following error message:

chmod: changing permissions of ‘/var/lib/postgresql/data’: Permission denied

I don't know what the reason is (probably it's me), but it is something i would never expect from an official image (I just would expect that mounting a volume works :-))

[mrozekkk]

Hi,
Today I run official postgres:9.5 image without any changes under kubernetes and I got the same problem:
# kubectl logs my_pod -p
chmod: changing permissions of ‘/var/lib/postgresql/data’: Permission denied

edited:
Probably I have some clue -
chcon -Rt svirt_sandbox_file_t /path/to/volume
solves my problem - selinux issue

[yosifkit]

If you are using MacOSX or Windows with the Vbox shared folders, then this is a duplicate of #28

[sergio1990]

Hey, guys!
I have the same issue with running postgres on OSX.

docker run \
  --name my-postgres \
  -e POSTGRES_USER=admin \
  -e POSTGRES_PASSWORD=password \
  -e POSTGRES_DB=some_db_dev \
  -v $PG_LOCAL_DATA:/var/lib/postgresql/data \
  -d postgres:9.5.1

My output is the following:

* Starting PostgreSQL
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are enabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
initdb: could not create directory "/var/lib/postgresql/data/pg_xlog": Permission denied
initdb: removing contents of data directory "/var/lib/postgresql/data"

Versions of docker, docker-machine, virtualbox and boot2docker are:

docker-machine version 0.6.0, build e27fb87
Docker version 1.10.2, build c3959b1
VirtualBox Version 5.0.16 r105871
boot2docker 1.10.3

I saw many publications about this topic but the most of them are outdated. I had tried do the same solution as for mysql but it did not help.

Maybe somebody can updated me: does some solution exist to run postgres container with data volumes through docker-machine?

Thanks!

[caioariede]

Any workarounds for this?

[relaxdiego]

I'm experiencing the same error when trying to run the latest image on OpenShift Enterprise. The error occurs whether the container has or does not have a mounted volume:

chmod: changing permissions of ‘/var/lib/postgresql/data’: Permission denied

[fcurvat]

Hi,

Found this for solving the chmod issue:
http://stackoverflow.com/questions/24288616/permission-denied-on-accessing-host-directory-in-docker

Check here too for the selinux security issue :
https://docs.docker.com/engine/tutorials/dockervolumes/#/volume-labels

I fixed my docker-compose file by adding a :z at the end of the volume command
volumes: - /media/dataDemo/db:/var/lib/postgresql/data:z

Hope it will help.

[collinpeters]

I'm noticing that the /var/lib/postgresql/data group permission is root. That doesn't seem correct to me.

[yosifkit]

@collinpeters, it looks like we only chown to the user in the entrypoint.

[thiagoh]

any news about this issue?

[gcarter-comcast]

My issue appears like that of @sergio1990 except that I am using "Docker for Mac" instead of "Docker Toolbox". I resolved my case by changing ownership of the host file system to be used by the PostgresQL container to the $USER who will run that container. In doing so it appeared that the container relies upon the credentials cache resulting from the ownership change: sudo chown -R $USER $POSTGRESQLFS then docker run.

[marcofranssen]

I have been trying to apply the :z and :Z options in my kubernetes deployment configuration. However it fails with following error.

Failed to start container with docker id b323b283a475 with error: Error response from daemon: {"message":"SELinux relabeling of /var/lib/kubelet/pods/13a57233-0b02-11e7-bb55-0050560107db/volumes/kubernetes.io~nfs/sonar-data is not allowed: \"operation not supported\""}
Error syncing pod, skipping: failed to "StartContainer" for "sonar-postgres" with RunContainerError: "runContainer: Error response from daemon: {\"message\":\"SELinux relabeling of /var/lib/kubelet/pods/13a57233-0b02-11e7-bb55-0050560107db/volumes/kubernetes.io~nfs/sonar-data is not allowed: \\\"operation not supported\\\"\"}"
Back-off restarting failed docker container

Note that I have tried the mountPath with both :z and :Z in the following configuration. Without these it fails with the chown error mentioned by you guys.

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sonar-postgres
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: sonar-postgres
        tier: backend
    spec:
      containers:
        - name: sonar-postgres
          image: postgres:9.6
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: sonar-postgres
                  key: user
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: sonar-postgres
                  key: password
          ports:
            - name: postgresport
              containerPort: 5432
          volumeMounts:
            - name: sonar-postgres-data
              mountPath: /var/lib/postgresql/data:z
      volumes:
        - name: sonar-postgres-data
          persistentVolumeClaim:
            claimName: sonar-postgres
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: sonar-postgres
  labels:
    app: sonar
    tier: backend
spec:
  capacity:
    storage: 500Mi
  accessModes:
    - ReadWriteMany
  nfs:
    server: x.x.x.x
    path: /kubernetes/volumes/sonar/postgres
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sonar-postgres
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 500Mi

[vchepeli]

@marcofranssen have same issue with kubernetes deployment. :z does not help really. Have you tried to fix this?

[SpenceSellers]

For anyone still experiencing this (I am, using Docker for Windows. This is my first google result for the permissions error), I discovered a workaround that works for my case (I'm using it for an end-to-end test so I don't need to persist data, unsure how this workaround interacts with volumes).

All I'm doing is setting the PGDATA environment variable to a path that's not in /var, which seems to have fewer permissions issues for whatever reason. After that, postgres starts fine.

docker run -e PGDATA=mypgdata postgres

[yucigou]

FYI:

You can't have your db in /var/lib/postgres/data/whatever.

Change that path by /var/lib/postgres/whatever and it will work.

See https://stackoverflow.com/questions/50916801/kubernetes-pod-which-encapsulates-db-is-crashing

[shewless]

I want to update this issue because I think people are still hitting it via google. I don't think you should add "no_root_squash" to your exports. The answer is in https://hub.docker.com/_/postgres.

PGDATA: This optional variable can be used to define another location - like a subdirectory - for the database files. The default is /var/lib/postgresql/data, but if the data volume you're using is a filesystem mountpoint (like with GCE persistent disks), Postgres initdb recommends a subdirectory (for example /var/lib/postgresql/data/pgdata ) be created to contain the data.

So if you set the environment variable PGDATA to /var/lib/postgresql/data/pgdata and your mountPath stays as /var/lib/postgresql/data then all is well.

Your container will mount /var/lib/postgresql/data and create the pgdata directory. All of the chown operations will work because it's not trying to chown the base directory (which is the nfs mount).

[Asgoret]

@shewless don't work in OKD 3.11 with psql 11

[banguyen93]

For anyone still get this issue. I get the "permission deined" while mapping volume in docker using kubernestes. I tried so many ways to fix this like "chmod , chown ..." , but nothing works.
Then i mount the directory under my user path on the host machine and anything works perfectly . Hope this workaround can help someone.

[dhpalan]

I received this error message

fixing permissions on existing directory /var/lib/postgresql/data ... initdb: could not change permissions of directory "/var/lib/postgresql/data": Operation not permitted

Reason: Mount path of my volume and PGDATA was both set to /var/lib/postgresql/data
Obviously, postgres was trying to chown the volume mount path for which postgres user 999 did not have permissions.

When i changed PGDATA to /var/lib/postgresql/data/mydata the issue was resolved.
Just followed the recommendation from https://hub.docker.com/_/postgres for PGDATA

The default is /var/lib/postgresql/data, but if the data volume you're using is a filesystem mountpoint (like with GCE persistent disks), Postgres initdb recommends a subdirectory (for example /var/lib/postgresql/data/pgdata ) be created to contain the data.

[shukriadams]

On the off-chance that someone else is struggling with this ... I'm running inside Vagrant, and I had endless problems mounting postgres with a data volume explicitly set. Turns out it's Vagrant.

[junwei-wang]

Still experiencing errors while using Docker Desktop for MacOS for PostgreSQL.

The compose file looks like

version: "3.7"

services:
  db:
    image: postgres:12
    environment:
      POSTGRES_PASSWORD: password
      POSTGRES_DB: db
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - /home/docker/volumes/db:/var/lib/postgresql/data
    networks:
      - backend
    ports:
      - 5432:5432
    deploy:
      placement:
        constraints: [node.role == manager]

Notice /home/docker/volumes is a folder shared from the host of docker machine and /home/docker/volumes/db is a empty folder already exist before mounted.

The error reports:

wbc_db.1.dzbprm4atz26@wbc-manager    | The files belonging to this database system will be owned by user "postgres".
wbc_db.1.dzbprm4atz26@wbc-manager    | This user must also own the server process.
wbc_db.1.dzbprm4atz26@wbc-manager    |
wbc_db.1.dzbprm4atz26@wbc-manager    | The database cluster will be initialized with locale "en_US.utf8".
wbc_db.1.dzbprm4atz26@wbc-manager    | The default database encoding has accordingly been set to "UTF8".
wbc_db.1.dzbprm4atz26@wbc-manager    | The default text search configuration will be set to "english".
wbc_db.1.dzbprm4atz26@wbc-manager    |
wbc_db.1.dzbprm4atz26@wbc-manager    | Data page checksums are disabled.
wbc_db.1.dzbprm4atz26@wbc-manager    |
wbc_db.1.dzbprm4atz26@wbc-manager    | fixing permissions on existing directory /var/lib/postgresql/data/pgdata ... ok
wbc_db.1.dzbprm4atz26@wbc-manager    | initdb: error: could not create directory "/var/lib/postgresql/data/pgdata/pg_wal": Permission denied
wbc_db.1.dzbprm4atz26@wbc-manager    | initdb: removing contents of data directory "/var/lib/postgresql/data/pgdata"
wbc_db.1.x70r9no7asev@wbc-manager    | The files belonging to this database system will be owned by user "postgres".
wbc_db.1.x70r9no7asev@wbc-manager    | This user must also own the server process.
wbc_db.1.x70r9no7asev@wbc-manager    |
wbc_db.1.x70r9no7asev@wbc-manager    | The database cluster will be initialized with locale "en_US.utf8".
wbc_db.1.x70r9no7asev@wbc-manager    | The default database encoding has accordingly been set to "UTF8".
wbc_db.1.x70r9no7asev@wbc-manager    | The default text search configuration will be set to "english".
wbc_db.1.x70r9no7asev@wbc-manager    |
wbc_db.1.x70r9no7asev@wbc-manager    | Data page checksums are disabled.
wbc_db.1.x70r9no7asev@wbc-manager    |
wbc_db.1.x70r9no7asev@wbc-manager    | fixing permissions on existing directory /var/lib/postgresql/data/pgdata ... ok
wbc_db.1.x70r9no7asev@wbc-manager    | initdb: error: could not create directory "/var/lib/postgresql/data/pgdata/pg_wal": Permission denied
wbc_db.1.x70r9no7asev@wbc-manager    | initdb: removing contents of data directory "/var/lib/postgresql/data/pgdata"

Looking forward to your many helps.

[junwei-wang]

On the off-chance that someone else is struggling with this ... I'm running inside Vagrant, and I had endless problems mounting postgres with a data volume explicitly set. Turns out it's Vagrant.

@shukriadams Could you please explicitly explain what you did to fix?

[junwei-wang]

@Dhanabalan89 Could you please post your docker command?

[FatihRMert]

Hi, i had got the same error
i solved this way:
added PG_DATA environment to docker-compose.yaml file

environment: PGDATA: /var/lib/pg_data
the other configurations your choice

[tianon]

@FatihMert1 PG_DATA is not a variable that's actually used by anything in the image -- I think you meant PGDATA?

[felipecaldas]

Hi, i had got the same error i solved this way: added PG_DATA environment to docker-compose.yaml file

environment: PG_DATA: /var/lib/pg_data the other configurations your choice

This got it to work in my WSL2 environment. But obviously, it should have been PGDATA.
Here's my yaml:

db:
    container_name: pg_container
    build:
      context: ./postgres
      dockerfile: $PWD/postgres/postgresql_dockerfile
    restart: always
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: root
      POSTGRES_DB: mydb
      PGDATA: /var/lib/pg_data
    ports:
      - "5433:5432"
    volumes:
      - ./postgres/data:/var/lib/postgresql/data

[FatihRMert]

@FatihMert1 PG_DATA is not a variable that's actually used by anything in the image -- I think you meant PGDATA?

ohh yes, its my fault, that's actually PGDATA, thank you for comment

[JosersRu]

This got it to work in my WSL2 environment. But obviously, it should have been PGDATA.

But in your yaml - in a env PGDATA there is a different path, unlike the connected volume - and volume created empty, i think it work because pginit work not correct with volume connectend in windows (I used WSL too)

[yosifkit]

  db:
    container_name: pg_container
    build:
      context: ./postgres
      dockerfile: $PWD/postgres/postgresql_dockerfile
    environment:
      PGDATA: /var/lib/pg_data
    volumes:
      - ./postgres/data:/var/lib/postgresql/data

(focused yaml from #116 (comment) above)

☝️ Just a quick word of caution. Although I don't know what is happening in the used Dockerfile, if this is based upon any of the postgres images, then the data would not be persistent. Since the data would be stored in /var/lib/pg_data, but the volume mounted to the host is /var/lib/postgresql/data.

[yathindrak]

On macos changing the PGDATA to /var/lib/pg_data fixed the issue as well
.

[abvijaykumar]

http://stackoverflow.com/questions/24288616/permission-denied-on-accessing-host-directory-in-docker

This worked for me..GREAT..ur rockstar

[101x4]

Using 'mountPath: /var/lib/postgresql/data:z' in k8s yaml made it create a path of '/var/lib/postgresql/data:z', instead of 'mountPath: /var/lib/postgresql/data' with right permissions.

[tianon]

Re: k8s mounts and selinux labels: https://stackoverflow.com/a/51026623/433558

[NEoKhajitt]

tried few suggestions I saw in this thread.
In my case it seems to bug some bug in WSL2.0 ( I have no clue how to prove it) but I can explain what happens.
In my environment I have Windows 10 Enterprise, Version: 22H2, Build:19045.2251
I have Ubuntu 20.04 LTS on WSL 2.0

I have a directory in my C drive called data so "C:\data"
This directory is mounted in WSL as "/data" but you can access it on "/mnt/c/data" and i tend to work in WSL on this Windows based directory, which overall in WSL2.0 seems like a bad idea.
If i have any data transfer intensive work I get strange error (i have none on record at the moment) but usually something like a file not found, or i can for instance nano a docker-compose.yml file and it will show new file (but i know there is data in it and i can list it) when i run wsl --shutdown and reopen wsl, all seems fine for a bit.

But what i found with this exact erros "[chmod: changing permissions of 'var/lib/postgresql/data': Permission denied]" in my postgres compose mounted the pgdata to a directory and not a volume map (which for this test i wanted to do that) to no avail, and as soon as i moved the docker-compose-data directory i tried to mount posgres into, to eg. my wsl user home directory "~/" and i ran docker compose up the db init script ran with no errors till completion.

[YassinHajaj]

What worked for me

First get the user you use to run the docker compose

echo "Current user id is"
user=$(id -u)
echo $user
echo "Current group id is"
group=$(id -g)
echo $group

Now copy paste those values inside of the docker compose.
For example, if you got user=50 and group=80, it should look like this

user: 50:80

A lot of solutions proposed hereabove are not persisting data in the volume, which is not really useful.

[redplane]

I'm using docker-windows(wsl2) and I was trying to start a postgresql container. I also encountered chmod: changing permissions of var/lib/postgresql/data: Permission denied

The following fixed the problem for me: here's my original docker-compose.yml

services:
  postgresdb:
    image: postgres:13.3-buster
    user: postgres
    container_name: postgresdb-cdw
    ports:..........

and here's my modified docker-compose.yml that fixed my problem

services:
  postgresdb:
    image: postgres:13.3-buster
    user: ${POSTGRES_UID}:${POSTGRES_GID}
    container_name: postgresdb-cdw
    ports:....................

In my docker-compose.yml, after I changed user: postgres into user: ${POSTGRES_UID}:${POSTGRES_GID} the container started successfully

Nice
I have tried many solutions but only yours works.

[acpopper]

For me, with my docker-compose.yml file having:

volumes:
       - pgdata:/var/lib/postgresql/data

I was just missing the

volumes:
  pgdata:

Section/volume definition at the end.

Don't know if this is a very case-speciffic solution, but just leaving it here if it is useful for someone

[ZhouXing19]

Hitting the same error still. I'm following the instruction for PGDATA from https://hub.docker.com/_/postgres to try mounting my local dir (${PWD/mount}) to the $PGDATA path on the container:

❯ docker run -d \                 
        --name some-postgres \
        -e POSTGRES_PASSWORD=mysecretpassword \
        -e PGDATA=/var/lib/postgresql/data/pgdata \
        -v "${PWD}/mount:/var/lib/postgresql/data" \
        postgres
fc351129b480a4a7b84d5b9eebcf0b7ec05845d72da9febf4a15818b55498c83
docker: Error response from daemon: error while creating mount source path '/Users/janexing/my_path/tmp/mount': chown /Users/janexing/my_path/tmp/mount: permission denied.

❯ ls -la                
total 0
drwxrwxrwx@  3 janexing  staff    96 Dec  7 14:57 .
drwxr-xr-x  48 janexing  staff  1536 Dec  7 14:32 ..
drwxr-xr-x@  2 janexing  staff    64 Dec  7 14:57 mount

❯ chmod 777 ./mount

❯ ls -la           
total 0
drwxrwxrwx@  3 janexing  staff    96 Dec  7 15:00 .
drwxr-xr-x  48 janexing  staff  1536 Dec  7 14:32 ..
drwxrwxrwx@  3 janexing  staff    96 Dec  7 15:01 mount

❯ docker run -d \                 
        --name some-postgres \
        -e POSTGRES_PASSWORD=mysecretpassword \
        -e PGDATA=/var/lib/postgresql/data/pgdata \
        -v "${PWD}/mount:/var/lib/postgresql/data" \
        postgres

❯ docker logs some-postgres -f
chown: changing ownership of '/var/lib/postgresql/data/pgdata': Permission denied

Oddly, if I try to bind /tmp/some_folder with -v "/tmp/some_folder:/var/lib/postgresql/data", the container can be successfully started without error. However, I can't actually access the local /tmp/some_folder, or it was created somewhere else?

❯ ls /tmp | grep some_folder 
(base) 

OS: MacOS 13.6.1 (22G313)
Docker server: 23.0.6
Docker client: 24.0.6-rd
Postgres docker image: fbd1be2cbb1f

[tianon]

I would suggest setting the UID/GID of the container to match the one on your host (--user 1000:1000 or whatever your host UID/GID is).

[belei-bohdan]

I encountered the following error as well:

chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted

In my case, I resolved it by fixing the volume path from:

volumes:
  - "./pg-data/:/var/lib/postgresql/data"

to:

volumes:
  - "/pg-data/:/var/lib/postgresql/data"

I'm sharing this here in case it might help someone else.

[gslopez]

I made it work for mac + minikube with this

minikube setup

# it doesn't work without the --uid and --gid params
$ minikube mount ./my-app/postgres-data:/postgres-data --uid=999 --gid=999

yml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: postgres-pv
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 10Gi
  hostPath:
    path: /postgres-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-pvc
spec:
  accessModes:
    - ReadWriteOnce
  volumeName: postgres-pv
  storageClassName: ""
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  serviceName: postgres
  replicas: 1
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:16
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          resources:
            limits:
              memory: "512Mi"
              cpu: "500m"
            requests:
              memory: "64Mi"
              cpu: "500m"
          env:
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: POSTGRES_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: POSTGRES_PASSWORD
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: postgres-pvc

[tantweiler]

FYI:

You can't have your db in /var/lib/postgres/data/whatever.

Change that path by /var/lib/postgres/whatever and it will work.

See https://stackoverflow.com/questions/50916801/kubernetes-pod-which-encapsulates-db-is-crashing

Unfortunately that didn't work for me as well:

chown: changing ownership of '/var/lib/postgresql/timotest': Permission denied
chown: changing ownership of '/var/lib/postgresql/timotest/pgdata': Permission denied
chown: changing ownership of '/var/lib/postgresql/timotest/data': Permission denied