Permissions are reset after config write

Question

Permissions are reset after config write

defcon84 opened this issue 2 years ago · comments

Every time Redis saves the config to disk, it resets the permissions of the file.
Initial situation:

root@dckr03:/srv/docker/redis7# ls -l
-rwxrwxrwx  1 lxd   docker  286 Feb 22 13:07 redis-server-1.conf

Then whenever I get a CONFIG REWRITE executed with success in the logs, it saves a new config file (via a temp file).

root@dckr03:/srv/docker/redis7# ls -l
-rw------- 1 lxd docker 258 Feb 22 13:10 redis-server-1.conf

Same happens for the sentinel configs.
It does not happen with redis:4.
Any idea on how to keep the same permissions on the files?

docker-compose config:

  redis7-server-1:
    container_name: "redis7-server-1"
    image: redis:7.0.8
    ports:
      - 7379:7379
    volumes:
      - /srv/docker/redis7:/usr/local/etc/redis
    command: redis-server /usr/local/etc/redis/redis-server-1.conf
    restart: unless-stopped

redis server config:

bind 0.0.0.0
port 7379
protected-mode no

loglevel notice
syslog-enabled yes

# Generated by CONFIG REWRITE
dir "/data"

save 3600 1
save 300 100
save 60 10000
latency-tracking-info-percentiles 50 99 99.9
user default on nopass sanitize-payload ~* &* +@all

replicaof 192.168.5.42 7379

Tianon Gravi · Answer 1 · Thu Feb 23 2023 04:05:40 GMT+0800 (China Standard Time)

This is probably due to the umask we set in our entrypoint:

https://github.com/docker-library/redis/blob/66ae35c69d6390be8a886198bc9f5eaf93d726c4/docker-entrypoint.sh#L16-L22

If you don't want this behavior, you should be able to bypass our entrypoint and run as non-root / modify permissions directly yourself (since it doesn't handle much more than that). 👍

Filip · Answer 2 · Thu Feb 23 2023 16:48:59 GMT+0800 (China Standard Time)

Ok I have created this file:

#!/bin/sh
set -e

# first arg is `-f` or `--some-option`
# or first arg is `something.conf`
if [ "${1#-}" != "$1" ] || [ "${1%.conf}" != "$1" ]; then
	set -- redis-server "$@"
fi

# allow the container to be started with `--user`
if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
	find . \! -user redis -exec chown redis '{}' +
	exec gosu redis "$0" "$@"
fi

exec "$@"

I have tried to override the entrypoint with:
entrypoint: /usr/local/etc/redis/docker-entrypoint.sh
But get the exception:
exec /usr/local/etc/redis/docker-entrypoint.sh: no such file or directory

I've also tried to add the file as a volume:
- /srv/docker/redis7/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro
Then I get this:
exec /usr/local/bin/docker-entrypoint.sh: no such file or directory

What am I doing wrong?

Tianon Gravi · Answer 3 · Sat Feb 25 2023 03:38:33 GMT+0800 (China Standard Time)

Your local file probably needs to be executable (chmod +x).

(For further help debugging your deployment, I'd suggest a dedicated support forum, such as the Docker Community Slack, Server Fault, Unix & Linux, or Stack Overflow. 🙇)