docker-neo4j: Using host mounted directory for /logs prevents Neo4j startup with permission error

This fails:

docker run -it -e NEO4J_AUTH=none --network=host -v /vol/logs:/logs neo4j:3.3

This succeeds:

docker run -it -e NEO4J_AUTH=none --network=host -v /vol/data:/data neo4j:3.3

Error message:

# docker run -it -e NEO4J_AUTH=none --network=host -v /vol/logs:/logs --privileged neo4j:3.3
Active database: graph.db
Directories in use:
  home:         /var/lib/neo4j
  config:       /var/lib/neo4j/conf
  logs:         /logs
  plugins:      /var/lib/neo4j/plugins
  import:       /var/lib/neo4j/import
  data:         /var/lib/neo4j/data
  certificates: /var/lib/neo4j/certificates
  run:          /var/lib/neo4j/run
Starting Neo4j.
2018-04-03 21:52:02.914+0000 WARN  Unknown config option: causal_clustering.discovery_listen_address
2018-04-03 21:52:02.925+0000 WARN  Unknown config option: causal_clustering.raft_advertised_address
2018-04-03 21:52:02.926+0000 WARN  Unknown config option: causal_clustering.raft_listen_address
2018-04-03 21:52:02.927+0000 WARN  Unknown config option: ha.host.coordination
2018-04-03 21:52:02.929+0000 WARN  Unknown config option: causal_clustering.transaction_advertised_address
2018-04-03 21:52:02.930+0000 WARN  Unknown config option: causal_clustering.discovery_advertised_address
2018-04-03 21:52:02.934+0000 WARN  Unknown config option: ha.host.data
2018-04-03 21:52:02.934+0000 WARN  Unknown config option: causal_clustering.transaction_listen_address
2018-04-03 21:52:03.030+0000 INFO  ======== Neo4j 3.3.4 ========
2018-04-03 21:52:03.230+0000 INFO  Starting...
2018-04-03 21:52:03.380+0000 ERROR Failed to start Neo4j: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@2fd66ad3' was successfully initialized, but failed to start. Please see the attached cause exception "/logs/debug.log (Permission denied)". Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@2fd66ad3' was successfully initialized, but failed to start. Please see the attached cause exception "/logs/debug.log (Permission denied)".
org.neo4j.server.ServerStartupException: Starting Neo4j failed: Component 'org.neo4j.server.database.LifecycleManagingDatabase@2fd66ad3' was successfully initialized, but failed to start. Please see the attached cause exception "/logs/debug.log (Permission denied)".
        at org.neo4j.server.exception.ServerStartupErrors.translateToServerStartupError(ServerStartupErrors.java:68)
        at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:220)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:111)
        at org.neo4j.server.ServerBootstrapper.start(ServerBootstrapper.java:79)
        at org.neo4j.server.CommunityEntryPoint.main(CommunityEntryPoint.java:32)
Caused by: org.neo4j.kernel.lifecycle.LifecycleException: Component 'org.neo4j.server.database.LifecycleManagingDatabase@2fd66ad3' was successfully initialized, but failed to start. Please see the attached cause exception "/logs/debug.log (Permission denied)".
        at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:466)
        at org.neo4j.kernel.lifecycle.LifeSupport.start(LifeSupport.java:107)
        at org.neo4j.server.AbstractNeoServer.start(AbstractNeoServer.java:212)
        ... 3 more
Caused by: java.lang.RuntimeException: java.io.FileNotFoundException: /logs/debug.log (Permission denied)
        at org.neo4j.kernel.impl.factory.PlatformModule.createLogService(PlatformModule.java:301)
        at org.neo4j.kernel.impl.factory.PlatformModule.<init>(PlatformModule.java:161)
        at org.neo4j.kernel.impl.factory.GraphDatabaseFacadeFactory.createPlatform(GraphDatabaseFacadeFactory.java:244)
        at org.neo4j.kernel.impl.factory.GraphDatabaseFacadeFactory.initFacade(GraphDatabaseFacadeFactory.java:158)
        at org.neo4j.kernel.impl.factory.GraphDatabaseFacadeFactory.newFacade(GraphDatabaseFacadeFactory.java:126)
        at org.neo4j.server.CommunityNeoServer.lambda$static$0(CommunityNeoServer.java:58)
        at org.neo4j.server.database.LifecycleManagingDatabase.start(LifecycleManagingDatabase.java:88)
        at org.neo4j.kernel.lifecycle.LifeSupport$LifecycleInstance.start(LifeSupport.java:445)
        ... 5 more
Caused by: java.io.FileNotFoundException: /logs/debug.log (Permission denied)
        at java.io.FileOutputStream.open0(Native Method)
        at java.io.FileOutputStream.open(FileOutputStream.java:270)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
        at org.neo4j.io.fs.DefaultFileSystemAbstraction.openAsOutputStream(DefaultFileSystemAbstraction.java:76)
        at org.neo4j.io.file.Files.createOrOpenAsOuputStream(Files.java:51)
        at org.neo4j.logging.RotatingFileOutputStreamSupplier.openOutputFile(RotatingFileOutputStreamSupplier.java:336)
        at org.neo4j.logging.RotatingFileOutputStreamSupplier.<init>(RotatingFileOutputStreamSupplier.java:135)
        at org.neo4j.logging.RotatingFileOutputStreamSupplier.<init>(RotatingFileOutputStreamSupplier.java:119)
        at org.neo4j.kernel.impl.logging.StoreLogService.<init>(StoreLogService.java:180)
        at org.neo4j.kernel.impl.logging.StoreLogService.<init>(StoreLogService.java:44)
        at org.neo4j.kernel.impl.logging.StoreLogService$Builder.build(StoreLogService.java:124)
        at org.neo4j.kernel.impl.factory.PlatformModule.createLogService(PlatformModule.java:297)
        ... 12 more
2018-04-03 21:52:03.400+0000 INFO  Neo4j Server shutdown initiated by request

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 18
  • Comments: 33 (5 by maintainers)

Most upvoted comments

The workaround from @bsccrod - setting NEO4J_dbms_logs_debug_path - does not work for me for version 3.4.5. The official documentation is still wrong. I can have an external data folder, but I cannot expose config or logs.

This issue is still ongoing.

Why is the interface changing so much? We have to tweak our scripts continuously to keep up with the developments here. Whack-a-mole. Please don’t break userspace on a regular basis. If it’s really necessary, please document it well.

Recently we have made changes to the Dockerfile to make sure neo4j running in docker is run as user neo4j instead of root for security reasons. See neo4j issue

We suggest that you specify which user to run as by invoking docker with the --user argument as suggested in the docs here
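The comment above explains the failure in the report: once the process inside the container runs as a non-root user, a host directory bind-mounted at /logs keeps its host ownership and mode, and opening /logs/debug.log is refused. An added example (not part of the thread and not the neo4j project's code) that checks a host directory against a numeric uid/gid before the container is started; it assumes GNU stat, ignores supplementary groups and ACLs, and the uid/gid values are placeholders for whatever user the container actually runs as.

```shell
#!/bin/sh
# Added example: pre-flight check for a host directory bind-mounted into a
# container whose process runs as a non-root uid. Assumes GNU coreutils stat;
# ignores supplementary groups, ACLs and user-namespace remapping.

# dir_writable_by UID GID DIR
# Returns 0 if that numeric uid/gid can create files in DIR, 1 if not,
# 2 if DIR is not a directory.
dir_writable_by() {
    uid=$1 gid=$2 dir=$3
    [ -d "$dir" ] || return 2
    # uid 0 normally bypasses directory mode bits.
    if [ "$uid" -eq 0 ]; then return 0; fi
    set -- $(stat -c '%u %g %a' "$dir")   # owner uid, owner gid, octal mode
    owner=$1 group=$2
    mode=$(printf '%04d' "$3")            # 755 -> 0755, 1777 -> 1777
    perms=${mode#?}                       # drop the setuid/setgid/sticky digit
    if [ "$uid" -eq "$owner" ]; then digit=${perms%??}
    elif [ "$gid" -eq "$group" ]; then digit=${perms#?}; digit=${digit%?}
    else digit=${perms#??}
    fi
    # Creating debug.log needs write (2) and search (1) on the directory.
    [ $(( digit & 3 )) -eq 3 ]
}

# check_mount UID GID DIR: print a verdict plus the two remedies from the thread.
check_mount() {
    if dir_writable_by "$1" "$2" "$3"; then
        echo "OK: uid=$1 gid=$2 can write $3"
    else
        echo "DENIED: uid=$1 gid=$2 cannot write $3"
        echo "  fix 1: sudo chown $1:$2 $3"
        echo "  fix 2: docker run --user=\"\$(id -u):\$(id -g)\" ... on a directory you own"
        return 1
    fi
}

# Constructed demo: a mode-700 directory checked against its owner and against
# a different uid/gid (placeholder for the container's runtime user).
demo=$(mktemp -d) && chmod 700 "$demo"
me=$(stat -c '%u' "$demo") grp=$(stat -c '%g' "$demo")
check_mount "$me" "$grp" "$demo"
check_mount "$((me + 1))" "$((grp + 1))" "$demo" || true
rm -rf "$demo"
```

Prefer giving the directory to the one uid that needs it over opening the mode to 777; a world-writable log directory lets any local account tamper with the database logs.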

@praveenag Why was this issue closed? A workaround is not a solution, obviously. At the very least update the documentation with instructions on how to properly use the image. It is not obvious at all how one would go about using this image with Docker-compose and Docker swarm where setting the user is not possible.

@praveenag I don’t understand why you closed this issue. Your documentation is incorrect. Neither of the options (with or without the user parameter) provided actually starts the process.

When upgrading to 3.3.5, I had to remove the logs mount from docker-compose. I made no other changes and things worked as expected.

Before:

neo4j:
    image: "neo4j:3.3.5"
    volumes:
      - neo4j_data:/data
      - neo4j_logs:/logs

After:

neo4j:
    image: "neo4j:3.3.5"
    volumes:
      - neo4j_data:/data

The documentation from https://neo4j.com/docs/operations-manual/current/installation/docker/ is plain wrong for the latest version. For some reason the exposing of log and conf seems to be deprecated. Why? This is not documented. At least I can’t find it.

The log and conf folders are not symlinked to / anymore. You can still expose them, but you have to set the right owner for the external folder yourself. data works as usual.

Example with shell script, tested and works. The container sets the wrong permissions (700 instead of 755) though, so you have to read/write with sudo rights.

[...]
sudo mkdir -p [local folder]/data
sudo mkdir -p [local folder]/logs
sudo mkdir -p [local folder]/conf
sudo chown systemd-timesync:systemd-journal [local folder]/logs
sudo chown systemd-timesync:systemd-journal [local folder]/conf

sudo docker run \
     --publish=$HTML:7474 --publish=$BOLT:7687 \
     --volume=[local folder]/logs:/var/lib/neo4j/logs \
     --volume=[local folder]/conf:/var/lib/neo4j/conf \
     --volume=[local folder]/data:/data \
     neo4j

The docker compose could look something like this. No idea how to set the right permissions this way, so most likely it won’t work verbatim.

neo4j:
    image: "neo4j"
    volumes:
      - neo4j_data:/data
      - neo4j_logs:/var/lib/neo4j/logs
      - neo4j_conf:/var/lib/neo4j/conf

@lilianaziolek Nice catch! I just tried it, and sure enough, simply bypassing the default mapping for the /data directory did the trick. The container no longer changes the ownership.

For reference, I used:

--volume /usr/neo4j/data:/neodata -e NEO4J_dbms_directories_data=/neodata

I’m having the same problem, it also stopped working as of 3.3.3 - I thought there was something wrong with my setup! Shame it’s still not fixed for 3.4.0. Thanks @OleMussmann for the workaround!

Same problem when attempting to upgrade from 3.3.3 to 3.3.4.

Using the following command:

docker run \
  --publish=7474:7474 \
  --publish=7687:7687 \
  --volume=/home/project/conf:/conf \
  --volume=/home/project/data:/data \
  --volume=/home/project/logs:/logs \
  neo4j:3.3.X