
Mongo user in dockerfile added as default system user uid. #181


Closed
jamesongithub opened this issue May 19, 2017 · 10 comments

@jamesongithub
The Dockerfile adds the mongodb user as a system user, which in turn creates a user with a uid of 999.

On our host we happen to have another default system user with a uid of 999.

When we run the docker container it gets mapped to this user.

I'm wondering what people have done to get around this. Basically the container has all the rights of the mapped user now.

@yosifkit
Member

While the mongo user is user 999, it can only access things given to it inside the container.

#81 added the ability to run as an arbitrary user, `docker run --user some-other-user-id:some-group-id` (up to you to ensure chosen user/group has access to any bind mounted files).

@jamesongithub
Author

In this case, user 999 can access the container tho, right?

I guess we'll go with a random uid then. Thanks.

@jamesongithub
Author

@yosifkit getting this running as another user

```
17:51:29 2017-05-22T17:51:28.895+0000 I CONTROL  [initandlisten] options: {}
17:51:29 2017-05-22T17:51:28.912+0000 I STORAGE  [initandlisten] exception in initAndListen: 98 Unable to create/open lock file: /data/db/mongod.lock errno:13 Permission denied Is a mongod instance already running?, terminating
```

I'm not using a host volume.

Does the startup handle chowning the data directory to the user passed to it?

@yosifkit
Member

It cannot chown. If you start the container with `--user` to `docker run`, then it is not root and cannot chown files owned by another user. It seems that #81 did not `chmod 777` the directory in the Dockerfile since that would be insecure for database files. So I think if you want to run as a specific user, you have to provide a data directory that it can write to.

We did add some notes for arbitrary users in postgres, but have not added anything for mongo, mysql, mariadb, or percona.

@jamesongithub
Author

In that case, I think I'd prefer to run it as the user starting the container; however, in that case that user needs to exist in the container then.

@mangalbhaskar

mangalbhaskar commented Jun 18, 2019

Old thread, but posting the solution in case someone finds it useful. Currently, it has different options to get this working, but you need to justify your case. For example, in my case, the data volume is mapped to the mongodb docker container created using the official mongodb docker image; it always creates the mongodb user with uid=999 and gid=999, which translates to the following problem.

Problem

  • In the specific case of Kali Linux (this is what I am using): uid, gid 999 maps to user: systemd-coredump
  • /etc/passwd entry: `systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin`
  • It may not be the real problem, because only the specific user can edit/modify the data, but I am not sure about the side effects of using the systemd-coredump user outside the container, which was mapped to the mongodb user inside the container

Solution

a) create a mongodb user and group on the host machine
b) pass the user, group, uid, gid as arguments to the official mongodb dockerfile
c) build the image by passing the values to the respective arguments

Details and scripts here
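The collision discussed in this thread (container uid 999 resolving to an existing host account such as systemd-coredump) can be checked before choosing an id for `docker run --user` or for a rebuilt image. The script below is an added example, not part of any comment here or of the mongo image; the function names, the constructed sample files and the starting id of 1000 are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from the mongo image.
# Constructed sample host files: the systemd-coredump line is the /etc/passwd
# entry quoted in the thread, every other line is made up for illustration.
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
systemd-coredump:x:999:
alice:x:1000:
docker:x:1001:alice
EOF

# Set these to /etc/passwd and /etc/group to check a real host.
PASSWD_FILE="${PASSWD_FILE:-$SAMPLE_DIR/passwd}"
GROUP_FILE="${GROUP_FILE:-$SAMPLE_DIR/group}"

# Print the host account that owns UID $1 (prints nothing if the UID is free).
host_user_for_uid() {
    awk -F: -v id="$1" '$3 == id { print $1; exit }' "$PASSWD_FILE"
}

# Print the host group that owns GID $1 (prints nothing if the GID is free).
host_group_for_gid() {
    awk -F: -v id="$1" '$3 == id { print $1; exit }' "$GROUP_FILE"
}

# Print the first id >= $1 that is free as both a UID and a GID on the host,
# so files the container writes are not attributed to an existing account.
first_free_id() {
    candidate="$1"
    while [ -n "$(host_user_for_uid "$candidate")" ] ||
          [ -n "$(host_group_for_gid "$candidate")" ]; do
        candidate=$((candidate + 1))
    done
    echo "$candidate"
}

owner="$(host_user_for_uid 999)"
if [ -n "$owner" ]; then
    echo "container uid 999 is host account '$owner'"
    echo "unused uid/gid to use instead: $(first_free_id 1000)"
fi
```

On hosts that resolve accounts through LDAP or another NSS source, `getent passwd 999` also covers users that are not listed in /etc/passwd.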

@superstes

If someone comes across this again:
You can see how to re-build the official docker-image, to use a custom UID/GID, with minimal changes here:

Greetings

@tianon
Member

tianon commented May 19, 2023

If that's really necessary, wouldn't something like this be simpler?

```dockerfile
FROM mongo:6
RUN set -eux; \
	groupmod --gid 1234 mongodb; \
	usermod --uid 1234 mongodb
```

(At most, then adding `chown -R mongodb:mongodb /var/log/mongodb /data/configdb /data/db` afterwards 😅)

@superstes

Could be a simpler solution, yes. Will test it.
Thanks for the feedback.

@superstes

Tested and added the option + examples to my repo.
Thanks
