Redis permission denied while opening dump.rdb

I am using the official redis image with sidekiq on Docker.

Following are yml configurations for redis image:

redis:
  build: .
  dockerfile: Dockerfile-redis
  ports:
    - '6379:6379'
  volumes:
    - 'redis:/var/lib/redis'

sidekiq:
  build: .
  command: bundle exec sidekiq
  links:
    - db
    - redis
  volumes:
    - .:/app
  env_file:
    - .env

Following is the code of my Dockerfile-redis:

FROM redis
COPY redis.conf /usr/local/etc/redis/redis.conf
CMD [ "redis-server", "/usr/local/etc/redis/redis.conf" ]

When I build the images everything works fine, but after some time docker-compose logs shows the following permission error:

redis_1          | 98:C 22 Jan 2019 18:40:10.098 # Failed opening the RDB file dump.rdb (in server root dir /var/lib/redis) for saving: Permission denied
redis_1          | 1:M 22 Jan 2019 18:40:10.203 # Background saving error

I have tried many solutions but I am still getting this error in the logs. Every time, permission is denied for redis to open the dump.rdb file. I have also followed this solution and made the following changes in my Dockerfile-redis to give root permission to redis:

USER root
CMD chown -R root:root /var/lib/redis/
CMD chown 777 /var/lib/redis/
CMD chown 777 /var/lib/redis/dump.rdb

I have tried 755 for the dir and 644 for dbfilename but it didn't work for me. I also tried the above configuration of Dockerfile-redis with the redis user, but I am still getting the same permission denied error for opening the dump.rdb file.

I don't know what I am doing wrong here. Please help me with this.

Rails Developer asked Dec 24 '22 01:12


2 Answers

After an hour of inactivity Redis will try to dump the memory db to disk.

Redis from the official redis image tries to write the .rdb file in the container's /data folder, which is rather unfortunate, as it is a root-owned folder and it is a non-persistent location too (data written there will disappear if your container/pod crashes).

So after an hour of inactivity, if you have run your redis container as a non-root user (e.g. docker run -u 1007 rather than default docker run -u 0), you will get a nicely detailed error msg in your log (see docker logs redis):

1:M 29 Jun 2019 21:11:22.014 * 1 changes in 3600 seconds. Saving...
1:M 29 Jun 2019 21:11:22.015 * Background saving started by pid 499
499:C 29 Jun 2019 21:11:22.015 # Failed opening the RDB file dump.rdb (in server root dir /data) for saving: Permission denied
1:M 29 Jun 2019 21:11:22.115 # Background saving error

So what you need to do is to map the container's /data folder to an external location (where the non-root user, here: 1007, has write access), e.g.:

docker run --rm -d --name redis -p 6379:6379 -u 1007 -v /tmp:/data redis

mirekphd answered Dec 28 '22 07:12


It seems that the official redis image is using an applicative user to run the redis-server and not root (which is a security best practice) regardless of the USER definition - I extracted this from the image's entrypoint shell script:

# allow the container to be started with `--user`
if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
    find . \! -user redis -exec chown redis '{}' +
    exec gosu redis "$0" "$@"
fi

When mounting a volume to a container, it is owned by the root user; it will override the default directory in the image's layer along with previous permissions.

It seems that the redis image's intentions were not to expose the '/var/lib/redis' dir as a volume; instead they offer mounting to '/data/' for persistence:

If persistence is enabled, data is stored in the VOLUME /data, which can be used with --volumes-from some-volume-container or -v /docker/host/dir:/data (see docs.docker volumes).

For more about Redis Persistence, see http://redis.io/topics/persistence.

0e1val answered Dec 28 '22 05:12
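
A pre-flight check for the ownership problem both answers describe, as an added example that is not part of either answer or of the official image: it reads the owner, group and mode of the host directory you plan to mount and reports whether the UID the container runs as can create dump.rdb there, flagging world-writable modes such as 777. The function name check_redis_dir is hypothetical, GNU stat is assumed, and supplementary groups and ACLs are ignored.

```shell
#!/bin/sh
# Added example: pre-flight check for a directory that will be mounted as the
# Redis data dir. It decides from owner, group and mode bits whether a numeric
# UID/GID can create dump.rdb there, and flags world-writable modes (777).
# Assumes GNU stat (coreutils); supplementary groups and ACLs are ignored.

# check_redis_dir DIR UID GID -> prints ok | ok-world-writable | denied | missing
check_redis_dir() {
    dir=$1; want_uid=$2; want_gid=$3
    [ -d "$dir" ] || { echo missing; return 0; }

    # %u = owner uid, %g = owner gid, %a = octal mode (e.g. 755, 1777)
    set -- $(stat -c '%u %g %a' "$dir")
    owner=$1; group=$2
    perms=$(printf '%03d' "$(( $3 % 1000 ))")   # keep user/group/other digits
    u_bits=${perms%??}
    o_bits=${perms#??}
    g_bits=${perms#?}; g_bits=${g_bits%?}

    # The kernel uses exactly one class: owner, else group, else other.
    if [ "$want_uid" -eq "$owner" ]; then bits=$u_bits
    elif [ "$want_gid" -eq "$group" ]; then bits=$g_bits
    else bits=$o_bits
    fi

    # Creating a file needs write (2) and search (1) on the directory.
    # UID 0 passes regardless, unless the container drops CAP_DAC_OVERRIDE.
    if [ "$want_uid" -eq 0 ] || [ "$(( bits & 3 ))" -eq 3 ]; then
        if [ "$(( o_bits & 2 ))" -ne 0 ]; then echo ok-world-writable
        else echo ok
        fi
    else
        echo denied
    fi
}

# Usage: sh check.sh /srv/redis-data 1007 1007   (path and ids are examples)
if [ "$#" -eq 3 ]; then check_redis_dir "$1" "$2" "$3"; fi
```

A directory owned by the container's UID with mode 700 reports ok without opening it to other local users.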