Incompatible permissions tracking 2022-latest (from 2022-CU10-ubuntu-22.04 to 2022-CU11-ubuntu-22.04)

[hlindqvist]

Updating container to current 2022-latest (going from 2022-CU10-ubuntu-22.04 to 2022-CU11-ubuntu-22.04) yields this error:

/opt/mssql/bin/sqlservr: Error: The system directory [/.system] could not be created. File: LinuxDirectory.cpp:420 [Status: 0xC0000022 Access Denied errno = 0xD(13) Permission denied]

Reverting to 2022-CU10-ubuntu-22.04 allows it to run again.

I assume that the /.system reference really is relative to /var/opt/mssql, not using the completely wrong directory?

There's appears to be some permission problem going from CU10 to CU11. Below are some observations regarding filesystem permissions:

Looking inside the container with its volume at /var/opt/mssql under CU10, one can see:

mssql@2a3b0c53b240:/var/opt/mssql$ id mssql
uid=10001(mssql) gid=0(root) groups=0(root)
mssql@2a3b0c53b240:/var/opt/mssql$ ls -la
total 24
drwxrwx--- 6 root  root 4096 Mar 13  2023 .
drwxr-xr-x 1 root  root 4096 Oct 31 03:21 ..
drwxr-xr-x 5 mssql root 4096 Mar 13  2023 .system
...

Looking inside a brand new CU11 container one can see:

mssql@99fe6cfa744f:/$ id mssql
uid=10001(mssql) gid=10001(mssql) groups=10001(mssql)
mssql@99fe6cfa744f:/$ ls -lnd /var/opt/mssql/
drwxrwx--- 2 0 10001 4096 Nov 16 16:04 /var/opt/mssql/
mssql@99fe6cfa744f:/$

It appears that permissions have changed from mssql:root to root:mssql and now g+w permissions are set if starting from scratch with CU11. However if this group permission is needed with how CU11 runs(?), it seems some migration step is missing in CU11?

[noahjahn]

Yeah, definitely seems like a migration step is missing.

The permissions can be fixed by recursively changing the group of /var/opt/mssql to mssql. Something like:
docker compose run --rm --user=root --entrypoint=chgrp database -R mssql /var/opt/mssql worked for my team.

If you're not using docker compose, you'll need to specify the volume mount to /var/opt/mssql that you're using.