Grafana 5.1.0 docker image - cant handle the permissions

ninjadude · May 10, 2018, 9:01am

hi,
i was using the grafana docker image 4.2.0 everything was fine.
now when trying to use the 5.1.0 image i encounter massive permission errors,
i read the http://docs.grafana.org/installation/docker/#migration-from-a-previous-version-of-the-docker-container-to-5-1-or-later chapter several times and could not find a best practice workflow yet,

lets even say that i want to create the entire environment from scratch, every storage mount i use has a permission error.
how can i share any directory with the host ?
i tried logging in with user 104, and with the id -u workaround, nothing helps.

please help…

thanks.

lgram · May 10, 2018, 9:23am

Hi,

We need some details to be able to help you. If you could describe your setup or even share your docker-compose file if that is how you run the container (please be careful to remove any secrets).

ninjadude · May 10, 2018, 10:12am

hi,
i don’t currently use the composer , my run command is :

docker run (OPTIONAL --user root) -p 3000:3000 --name=grafana -v /home/new-grafana/grafana/etc/provisioning:/etc/grafana/provisioning -v /home/new-grafana/grafana/var/lib:/var/lib/grafana -v /home/new-grafana/grafana/var/log:/var/log/grafana -v /home/new-grafana/grafana/home_dash_files:/home/dash_files grafana/grafana:5.1.0

with this setup, the container will fail to start with message:
logger=sqlstore error=“Sqlstore::Migration failed err: unable to open database file\n”

the issue is that no matter what volume i share , if i go inside the container , i cant even ls to that dir with error message :permission denied"

any more info i forgot ?

lgram · May 10, 2018, 10:23am

Could you run ls -ltra in each of the folders that your map into the grafana container to find who is the owner of the files? (/home/new-grafana/grafana/etc/provisioning and so on)

Hopefully all those files are owned by the same user. If they are you should be able to boot the grafana container as that user to get it working. If they are different you may have to change some permissions.

The user running grafana inside of the container (472 by default) needs access to and subpaths/files:

/var/lib/grafana (read/write)
/etc/grafana (read)
/var/log/grafana (read/write, not used by default)

ninjadude · May 10, 2018, 10:36am

hi, as you can see they are all owned by root

and i tried using --user root and even id -u, still no permissions.

and i also tried chmod -p 777 /home/new-grafana , and still the container cannot read the folders.
i also tried chown -R 472 /home/new-grafana and changed the owner of all folder tree to 472 (grafana user id inside the container) , and still …

this is really strange
any more ideas ?

thanks
David.

lgram · May 10, 2018, 4:13pm

That setup should work, nothing out of the ordinary as long as you use --user root with docker run. My best guess would be that it is related to your Docker installation or your OS, or perhaps a combination thereof. What version of Docker are you running? Any specific security setups related to your centos install?

ninjadude · May 10, 2018, 8:42pm

Hi. Nothing special. Latest docker from yum install on cents 7 on official minimal iso

dcech · May 11, 2018, 1:32pm

The . at the end of the permission column in your ls output indicates that there are SELinux ACLs on those folders, that seems like a potential cause for your problems.

jangaraj · May 11, 2018, 2:43pm

IMHO you need this:

$ ls -latr host-data-folder
 total 392 
 drwxrwxrwt. 33 root root   4096 May 11 15:32 ..
 drwxr-xr-x.  2  472  472      6 May 11 15:38 plugins
 -rw-r--r--.  1  472  472 393216 May 11 15:38 grafana.db
 drwxrwxrwx.  3 root root     37 May 11 15:38 .

ninjadude · May 13, 2018, 6:34am

how can i disable them ? or what should i do to fix this ?

ninjadude · May 13, 2018, 6:35am

didn’t understand what are you suggestion me to do ?

lgram · May 18, 2018, 12:07pm

I don’t think there’s anyone here that knows SELinux well enough to help you unfortunately. You will have to figure out how to setup the permissions yourself. Alternatively you could probably just use docker volumes for persistant file storage instead of host bindings. I would presume that those wouldnt be affected by SELinux ACLs but I could be wrong.

ninjadude · May 22, 2018, 2:40pm

can i just disable selinux ?
and the seccomp ?

lgram · May 22, 2018, 2:52pm

Probably. You will have to read up on selinux I’m afraid.

ninjadude · May 23, 2018, 2:09pm

found out what was the problem

i used yum install docker on that machine,
instead of yum install docker-ce.

this version is using different security or whatever, now it works, thanks.

lgram · May 23, 2018, 3:05pm

I’m glad to hear you got it figure out. Thanks for sharing the solution with us, will come in handy in the future!

Topic		Replies	Views
New Docker Install with persistent storage, Permission problem Configuration docker , permissions	16	86464	August 9, 2022
Grafana container using bind mounts not working Grafana docker	8	2665	May 15, 2018
Can't start grafana container anymore permission issue Configuration	1	357	March 31, 2023
Make persistant volume in Docker	2	2210	October 7, 2022
Upgraded from 4.3 to 5.3.2 and getting database issues, PLEASE HELP Grafana	1	1293	November 9, 2018

Grafana 5.1.0 docker image - cant handle the permissions

Related topics