artifactory-docker-examples: Postgres, Artifactory, and Nginx all don't have write permission

Following the documentation here to get a docker private registry deployed on containers: https://www.jfrog.com/confluence/display/RTF/Getting+Started+with+Artifactory+as+a+Docker+Registry#GettingStartedwithArtifactoryasaDockerRegistry-UsingDockerCompose-1MinuteSetup.1

After running this command: curl -L 'https://bintray.com/api/v1/content/jfrog/run/art-compose/$latest/art-compose?bt_package=art-compose' | sudo bash

All of my containers are restarting with the following errors:

Postgresql

chmod: changing permissions of ‘/var/lib/postgresql/data’: Permission denied

Artifactory

mkdir: cannot create directory ‘/var/opt/jfrog/artifactory/data’: Permission denied

Nginx

mkdir: cannot create directory ‘/var/opt/jfrog/nginx/conf.d’: Permission denied

All of these directories are the specified volumes in the compose file.

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 20 (7 by maintainers)

Most upvoted comments

In the yaml file:

services:
  # See here for env vars: https://github.com/docker-library/docs/tree/master/postgres
  postgresql:
    image: docker.bintray.io/postgres:9.5.2
    container_name: artifactory-postgresql
    networks:
     - artifactory-network
    environment:
     - POSTGRES_DB=artifactory
     # The following must match the DB_USER and DB_PASSWORD values passed to Artifactory
     # Note: values passed by Jenkinsfile
     - POSTGRES_USER=${POSTGRES_USER}
     - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    volumes:
     - artifactory-postgres-data:/var/lib/postgresql/data:z
    restart: always
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000

Remember:

Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Docker does not change the labels set by the OS.

To change a label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that two containers share the volume content. As a result, Docker labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label. Only the current container can use a private volume.

I discovered the issue. The issue was with SELinux on CentOS. You resolve it by changing the volumes line from:

/data/postgresql:/var/lib/postgresql/data to /data/postgresql:/var/lib/postgresql/data:z
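
An added example, not part of the thread or of the JFrog project: a small shell audit that reads a compose file and reports, for each short-syntax volume entry, whether it carries no SELinux relabel suffix, `:z` (shared) or `:Z` (private). The function names, the sample entries and the `RISKY_SOURCES` list are assumptions; the list reflects the caution in Docker's documentation against relabeling system directories such as /home or /usr.

```shell
#!/bin/sh
# Host paths that should never be relabeled (illustrative list, an assumption).
RISKY_SOURCES="/ /home /usr /etc /var"

# classify_volume "SRC:DST[:OPTS]" -> unlabeled | shared | private | risky-relabel
classify_volume() {
    src=${1%%:*}                  # host path or named volume
    rest=${1#*:}                  # container path, optionally followed by :OPTS
    case $rest in
        *:*) opts=${rest#*:} ;;   # text after the container path
        *)   opts= ;;
    esac
    label=unlabeled
    old_ifs=$IFS; IFS=,           # options are comma separated, e.g. "ro,z"
    for o in $opts; do
        case $o in
            z) label=shared ;;    # shared label, usable by several containers
            Z) label=private ;;   # private label, this container only
        esac
    done
    IFS=$old_ifs
    if [ "$label" != unlabeled ]; then
        for r in $RISKY_SOURCES; do
            if [ "${src%/}" = "${r%/}" ]; then label=risky-relabel; fi
        done
    fi
    echo "$label"
}

# audit_compose: read compose YAML on stdin and print "<label><TAB><entry>"
# for each unquoted short-syntax volume entry ("- SRC:/DST[:OPTS]").
audit_compose() {
    sed -n 's|^[[:space:]]*-[[:space:]]*\([^[:space:]#=]*:/[^[:space:]#=]*\).*$|\1|p' |
    while IFS= read -r spec; do
        printf '%s\t%s\n' "$(classify_volume "$spec")" "$spec"
    done
}

# Constructed sample: the thread's before/after lines plus a hypothetical /home mount.
sample_compose() {
cat <<'EOF'
    volumes:
     - /data/postgresql:/var/lib/postgresql/data
     - /data/postgresql:/var/lib/postgresql/data:z
     - /home:/backup:Z
EOF
}

sample_compose | audit_compose
```

On the host, `getenforce` shows whether SELinux is enforcing and `ls -dZ /data/postgresql` shows the label the directory currently carries.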