Skip to content

/prometheus

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FR: chown the /prometheus for docker containers before start #3485

Closed
hsmade opened this Issue Nov 16, 2017 · 5 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@hsmade @brancz @hairyhenderson @brian-brazil @jpalczewski
@hsmade
Copy link

hsmade commented Nov 16, 2017

When using the docker image for prometheus, you'd want to volume mount /prometheus so that the data can be re-used when restarting the container. Problem is, that docker will create the path on the host as root. When using a scheduler like nomad and using a persistent disk for /prometheus, the same thing happens.

This is a problem as prometheus runs as nobody, and thus doesn't have access to the path that is created by root.

I propose to use a wrapper script as entrypoint that does a chown -R nobody: /prometheus and then starts prometheus as user nobody.
@brancz

This comment has been minimized.

Sign in to view
Copy link
Member

brancz commented Nov 16, 2017

I would argue this is a responsibility of your environment. For example in Kubernetes you can set all of this information using the SecurityContext of a Pod.
@hsmade

This comment has been minimized.

Sign in to view
Copy link
Author

hsmade commented Nov 17, 2017

You are right, of course. But then k8s is about the only one, I think (maybe mesos as well?).
It's just a bit cumbersome having this issue with plain docker, and having to wrap this image into another one with entrypoint, etc.
@hairyhenderson

This comment has been minimized.

Sign in to view
Copy link
Contributor

hairyhenderson commented Nov 19, 2017

@hsmade I think the main reason you're seeing this behaviour is because you're bind-mounting a volume. When using a named volume instead (created with docker volume create or some other means), the mount-point will continue to be owned by nobody and prometheus will be able to write to the directory as expected.

For example:

$ docker volume create foo
foo
$ docker run -it --rm --entrypoint=/bin/sh -v foo:/prometheus prom/prometheus:v2.0.0   
/prometheus $ touch hello_world
/prometheus $ ls -alh
total 8
drwxr-xr-x    2 nobody   nogroup     4.0K Nov 19 03:56 .
drwxr-xr-x    1 root     root        4.0K Nov 19 03:56 ..
-rw-r--r--    1 nobody   nogroup        0 Nov 19 03:56 hello_world
/prometheus $
@brian-brazil

This comment has been minimized.

Sign in to view
Copy link
Member

brian-brazil commented Dec 8, 2017

Sounds like this is resolved, please let us know if that's not the case.

@brian-brazil brian-brazil closed this Dec 8, 2017

@jpalczewski

This comment has been minimized.

Sign in to view
Copy link

jpalczewski commented Sep 27, 2018

In

Docker version 18.06.1-ce, build e68fc7a215 
docker-compose version 1.22.0, build unknown
prom/prometheus v2.4.2

It might be again the case: I got

prometheus_1       | level=error ts=2018-09-27T08:39:34.455471782Z caller=main.go:617 err="opening storage failed: lock DB directory: open /prometheus-data/lock: permission denied"

When I mounted volume from alpine container it seems like it where mounted as root:root.

Applicable fragments from docker-compose:

prometheus: 
    image: prom/prometheus
    command: --config.file=/prometheus-config/prometheus.yml --storage.tsdb.path=/prometheus-data
    volumes: 
      - ./config/prometheus:/prometheus-config
      - prometheus_data:/prometheus-data
(...)
volumes:
  prometheus_data:

@lock lock bot locked and limited conversation to collaborators Mar 26, 2019

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.