spring-boot docker-compose docker-volume

Write access on volume for CNB Docker image


I am working on a Spring Boot application that should be migrated into a Docker container (used to run as a systemd service on a server). The app reads and writes a configurable path on the file system - let's for now assume it is /var/mypath.

I built a Docker image using the bootBuildImage task from Spring's Gradle plugin. It used what appears to be the default builder image, namely gcr.io/paketo-buildpacks/builder, to build the application image.

Consequently, in a docker compose file, I defined a stack, with the (unimportant) mysql db and the spring boot app like this:

version: "3.8"

services:
  backend_db:
    container_name: "backend_db"
    image: "mariadb:latest"
    # ...

  backend_app:
    depends_on:
      - "backend_db"
    container_name: "backend_app"
    image: "myImageName:latest"
    restart: always
    ports:
      - 8080:8080
    volumes:
      - "app:/var/mypath"
    environment:
      # mysql data etc...

volumes:
  db:
  app:

When I start it up with docker-compose up, the Spring Boot application does not have write access on /var/mypath. I figured out that apparently the CNB build makes the Spring application run as user cnb. I suppose the volume is created as root and only root has write access to it.

The manual-chown approach seems suboptimal, since I would have expected to be able to just docker-compose up on a server and be done, instead of manually chowning around but anyways: I have tried to chown the volume to the cnb user from within the container without success:

chown cnb /var/mypath/
chown: changing ownership of '/var/mypath/': Operation not permitted

How can I make sure that the Spring Boot application can write to the volume?


Solution

  • I managed to chown/chgrp the volume after all - my mistake was that it does not work from within the container (there is no sudo) - but it works from outside using docker exec, specifying the root user:

    docker exec -u 0 -it backend_app chown cnb /var/mypath
    docker exec -u 0 -it backend_app chgrp cnb /var/mypath
    

    User @Stuck also suggested a more elaborate approach by creating another docker-image layer: can `bootBuildImage` create writeable volumes?

    Andy Wilkinson from Spring pointed out that this is a general Docker issue - so if some other solution pops up in the future, I'm glad to update this question.
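
The same chown can be done by Compose itself, so that `docker-compose up` needs no manual step and the app still runs as the unprivileged cnb user. This is an added example, not part of the original post or of Spring's tooling. The service name `volume_init` is hypothetical, and it assumes a Compose version that supports `depends_on` conditions, including `service_completed_successfully`.

```yaml
# Added example: merge into the compose file from the question.
# Only the one-shot helper runs as root; backend_app keeps running as cnb.
services:
  backend_db:
    container_name: "backend_db"
    image: "mariadb:latest"
    # ... (database settings as in the original file)

  # Hypothetical helper service: reuses the app image, because the answer
  # above shows that chown and the cnb user both exist in it.
  volume_init:
    image: "myImageName:latest"
    # Run as UID 0, the equivalent of `docker exec -u 0`.
    user: "0"
    # Overriding the entrypoint bypasses the buildpack launcher, so the
    # Spring Boot app is not started in this container.
    entrypoint: ["chown", "cnb:cnb", "/var/mypath"]
    volumes:
      - "app:/var/mypath"
    # Must exit and stay exited, otherwise it would chown in a loop.
    restart: "no"

  backend_app:
    container_name: "backend_app"
    image: "myImageName:latest"
    depends_on:
      backend_db:
        condition: service_started
      # Start the app only after the volume has been handed to cnb.
      volume_init:
        condition: service_completed_successfully
    restart: always
    ports:
      - "8080:8080"
    volumes:
      - "app:/var/mypath"
    environment:
      # mysql data etc...

volumes:
  db:
  app:
```

If the chown fails, `volume_init` exits non-zero and `backend_app` is not started, which surfaces the permission problem at startup instead of at the first write.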