docker-compose tmpfs not working

Tags: docker-compose

I have a docker-compose file that I'm trying to secure by making the root volumes of the containers it creates read-only.
Relevant parts of docker-compose.yml:

```yaml
version: '2'
services:
  mysql:
    image: mariadb:10.1
    read_only: true
    tmpfs:
      - /var/run/mysqld:uid=999,gid=999
      - /tmp
    volumes:
      - mysql:/var/lib/mysql
    restart: always
volumes:
  mysql:
```
Trouble is, the tmpfs isn't being created. If I run an instance of the container using docker-compose run --rm mysql /bin/bash, the /var/run/mysqld directory is still read-only despite the tmpfs entry, and any attempt to touch /var/run/mysqld/foo fails. Since this is where MySQL puts its socket and pid file, this causes the whole thing to fail. I'm not sure why the tmpfs entry isn't working in this case.
```
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] mysqld (mysqld 10.1.21-MariaDB-1~jessie) starting as process 1 ...
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Using mutexes to ref count buffer pool pages
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: The InnoDB memory heap is disabled
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Compressed tables use zlib 1.2.8
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Using Linux native AIO
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Using SSE crc32 instructions
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Initializing buffer pool, size = 256.0M
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Completed initialization of buffer pool
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Highest supported file format is Barracuda.
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] InnoDB: 128 rollback segment(s) are active.
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] InnoDB: Waiting for purge to start
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.34-79.1 started; log sequence number 239403989
mysql_1 | 2017-01-27 20:53:48 140515005662976 [Note] InnoDB: Dumping buffer pool(s) not yet started
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] Plugin 'FEEDBACK' is disabled.
mysql_1 | 2017-01-27 20:53:49 140515784030144 [Note] Server socket created on IP: '::'.
mysql_1 | 2017-01-27 20:53:49 140515784030144 [ERROR] Can't start server : Bind on unix socket: Read-only file system
mysql_1 | 2017-01-27 20:53:49 140515784030144 [ERROR] Do you already have another mysqld server running on socket: /var/run/mysqld/mysqld.sock ?
mysql_1 | 2017-01-27 20:53:49 140515784030144 [ERROR] Aborting
```
I can verify the permissions on the directory are correct (and that the UID of the mysql user is 999):

```
$ ls -la /var/run/mysqld
total 8
drwxrwxrwx 2 mysql mysql 4096 Jan 17 22:14 .
drwxr-xr-x 4 root root 4096 Jan 18 22:55 ..
```

But I still cannot:

```
$ touch /var/run/mysqld/foo
touch: cannot touch '/var/run/mysqld/foo': Read-only file system
```

Even if I run as root.

Any ideas what I'm doing wrong?

As an aside, the /tmp filesystem works fine.
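The page carries no answer, so the useful thing a practitioner can add is a check on the compose definition itself: when `read_only: true` is set, every path the service must write has to be covered by a `tmpfs` entry or a writable volume, and any tmpfs entry that carries mount options (the `/var/run/mysqld:uid=999,gid=999` form above, which the question reports as the one that does not take effect while the bare `/tmp` entry works) is worth verifying inside the container. The following is an added example, not code from the original question or from the docker-compose project. It takes the compose file already loaded into a Python dict (the shape `yaml.safe_load` produces for the YAML above) so it runs without PyYAML; the list of paths MariaDB needs writable is an assumption for illustration, taken from the paths the question's text and logs mention.

```python
"""Lint a docker-compose service for writable paths left unwritable by read_only.

Added example: the compose config is a dict in the shape yaml.safe_load would
return for the question's docker-compose.yml, embedded here (constructed) so
the script runs offline. Only Linux-style container paths are handled.
"""
from typing import Dict, List, NamedTuple, Tuple


class TmpfsMount(NamedTuple):
    path: str
    options: Dict[str, str]


def parse_tmpfs_entry(entry: str) -> TmpfsMount:
    """Parse '/path' or '/path:opt=val,opt=val' into path and option map."""
    path, sep, raw_opts = entry.partition(":")
    options: Dict[str, str] = {}
    if sep:
        for opt in raw_opts.split(","):
            if not opt:
                continue
            key, _, value = opt.partition("=")
            options[key] = value
    return TmpfsMount(path, options)


def parse_volume_entry(entry: str) -> Tuple[str, bool]:
    """Return (container_path, writable) for 'target', 'src:target' or 'src:target:flags'."""
    parts = entry.split(":")
    if len(parts) == 1:
        target, flags = parts[0], ""
    else:
        target = parts[1]
        flags = parts[2] if len(parts) > 2 else ""
    return target, "ro" not in flags.split(",")


def writable_mount_points(service: dict) -> Dict[str, str]:
    """Map container path -> 'tmpfs' | 'volume' for mounts that stay writable under read_only."""
    points: Dict[str, str] = {}
    for entry in service.get("tmpfs") or []:
        points[parse_tmpfs_entry(entry).path] = "tmpfs"
    for entry in service.get("volumes") or []:
        target, writable = parse_volume_entry(entry)
        if writable:
            points[target] = "volume"
    return points


def is_under(path: str, mount_point: str) -> bool:
    """True if path is the mount point itself or lies beneath it."""
    base = mount_point.rstrip("/") or "/"
    if base == "/":
        return True
    return path == base or path.startswith(base + "/")


def unwritable_paths(service: dict, required: List[str]) -> List[str]:
    """Required paths that no tmpfs or writable volume covers; empty unless read_only."""
    if not service.get("read_only", False):
        return []
    points = writable_mount_points(service)
    return [p for p in required if not any(is_under(p, m) for m in points)]


def tmpfs_entries_with_options(service: dict) -> Dict[str, Dict[str, str]]:
    """tmpfs entries carrying mount options; these deserve a check with `mount` in the container."""
    result: Dict[str, Dict[str, str]] = {}
    for entry in service.get("tmpfs") or []:
        mount = parse_tmpfs_entry(entry)
        if mount.options:
            result[mount.path] = mount.options
    return result


# Constructed: the question's docker-compose.yml as yaml.safe_load would return it.
COMPOSE = {
    "version": "2",
    "services": {
        "mysql": {
            "image": "mariadb:10.1",
            "read_only": True,
            "tmpfs": ["/var/run/mysqld:uid=999,gid=999", "/tmp"],
            "volumes": ["mysql:/var/lib/mysql"],
            "restart": "always",
        }
    },
    "volumes": {"mysql": None},
}

# Assumption for illustration: paths MariaDB writes to, per the question's text and logs.
MARIADB_WRITABLE_PATHS = ["/var/run/mysqld/mysqld.sock", "/tmp", "/var/lib/mysql"]


def report(compose: dict, required: List[str]) -> Dict[str, List[str]]:
    """Service name -> required paths that would hit 'Read-only file system'."""
    return {name: unwritable_paths(svc, required) for name, svc in compose["services"].items()}


if __name__ == "__main__":
    for name, missing in report(COMPOSE, MARIADB_WRITABLE_PATHS).items():
        print(f"{name}: uncovered writable paths = {missing or 'none'}")
        for path, opts in tmpfs_entries_with_options(COMPOSE["services"][name]).items():
            print(f"{name}: tmpfs {path} has options {opts}; confirm it is mounted in the container")
```

For the question's own config the report comes back clean, which matches what the poster observes: the definition covers the paths, so the next step is to confirm from inside the container which tmpfs mounts actually exist (for example with `mount` or `findmnt -t tmpfs` from a `docker-compose run --rm mysql /bin/bash` shell) rather than to keep editing the YAML.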
