Description
Issue seen in pg13
Specifically, when running a CI build in Travis (I think it happening within a Travis build is coincidental, but perhaps not). The postgres image is built using the postgres image with no tag specified. When the container is run, the following error occurs:
db-server | ls: cannot access '/docker-entrypoint-initdb.d/': Operation not permitted
db-server exited with code 2
The offending line of code is the following:
postgres/13/bullseye/docker-entrypoint.sh
Line 296 in c3bf1dd
ls /docker-entrypoint-initdb.d/ > /dev/null
After connecting to the running container (by setting the command to sleep), running ls -al shows the following output:
root@284bdcb22713:/# ls
bin dev etc lib media opt root sbin sys usr
boot docker-entrypoint-initdb.d home lib64 mnt proc run srv tmp var
root@284bdcb22713:/# ls -al
ls: cannot access 'lib64': Operation not permitted
ls: cannot access 'mnt': Operation not permitted
ls: cannot access 'root': Operation not permitted
ls: cannot access '.': Operation not permitted
ls: cannot access 'usr': Operation not permitted
ls: cannot access 'lib': Operation not permitted
ls: cannot access '..': Operation not permitted
ls: cannot access 'run': Operation not permitted
ls: cannot access 'proc': Operation not permitted
ls: cannot access 'boot': Operation not permitted
ls: cannot access 'bin': Operation not permitted
ls: cannot access 'srv': Operation not permitted
ls: cannot access 'opt': Operation not permitted
ls: cannot access 'etc': Operation not permitted
ls: cannot access 'home': Operation not permitted
ls: cannot access 'sbin': Operation not permitted
ls: cannot access 'sys': Operation not permitted
ls: cannot access 'var': Operation not permitted
ls: cannot access 'media': Operation not permitted
ls: cannot access 'dev': Operation not permitted
ls: cannot access 'tmp': Operation not permitted
ls: cannot access '.dockerenv': Operation not permitted
ls: cannot access 'docker-entrypoint-initdb.d': Operation not permitted
total 0
d????????? ? ? ? ? ? .
d????????? ? ? ? ? ? ..
d????????? ? ? ? ? ? bin
d????????? ? ? ? ? ? boot
d????????? ? ? ? ? ? dev
d????????? ? ? ? ? ? docker-entrypoint-initdb.d
-????????? ? ? ? ? ? .dockerenv
d????????? ? ? ? ? ? etc
d????????? ? ? ? ? ? home
d????????? ? ? ? ? ? lib
d????????? ? ? ? ? ? lib64
d????????? ? ? ? ? ? media
d????????? ? ? ? ? ? mnt
d????????? ? ? ? ? ? opt
d????????? ? ? ? ? ? proc
d????????? ? ? ? ? ? root
d????????? ? ? ? ? ? run
d????????? ? ? ? ? ? sbin
d????????? ? ? ? ? ? srv
d????????? ? ? ? ? ? sys
d????????? ? ? ? ? ? tmp
d????????? ? ? ? ? ? usr
d????????? ? ? ? ? ? var
I don't understand why the root user has no permissions to anything in the filesystem.
The timing of this issue seems to correspond to the following commit, where the postgres change from buster to bullseye was added to the official libraries in docker:
docker-library/official-images@f21b412
I was able to get around the issue by specifying image: postgres:buster in docker-compose.yml. The root cause is likely still unsolved in the wild.
Here are the relevant sections of our docker-compose.yml:
version: "3"
services:
  db:
    image: "postgres:buster" # << added "buster" for the workaround
    container_name: "db-server"
    environment:
      POSTGRES_PASSWORD: 'postgres'
      POSTGRES_DB: 'my-db'
    expose:
      - "5432"
    ports:
      - "5432:5432"
    volumes:
      - database_data:/var/lib/postgresql/data
  ...
volumes:
  database_data:
    driver: local