docker-compose tmpfs not working


I have a docker-compose file that I'm trying to secure by making the root volumes of the containers it creates read-only.
Relevant parts of docker-compose.yml:

    version: '2'
    services:
      mysql:
        image: mariadb:10.1
        read_only: true
        tmpfs:
          - /var/run/mysqld:uid=999,gid=999
          - /tmp
        volumes:
          - mysql:/var/lib/mysql
        restart: always
    volumes:
      mysql:

Trouble is, the tmpfs isn't being created. If I run an instance of the container using docker-compose run --rm mysql /bin/bash, the /var/run/mysqld directory is still read-only despite the tmpfs entry, and any attempt to touch /var/run/mysqld/foo fails. Since this is where MySQL puts its socket and pid file, this causes the whole thing to fail. I'm not sure why the tmpfs entry isn't working in this case.
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] mysqld (mysqld 10.1.21-MariaDB-1~jessie) starting as process 1 ...
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Using mutexes to ref count buffer pool pages
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: The InnoDB memory heap is disabled
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: GCC builtin __atomic_thread_fence() is used for memory barrier
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Compressed tables use zlib 1.2.8
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Using Linux native AIO
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Using SSE crc32 instructions
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Initializing buffer pool, size = 256.0M
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Completed initialization of buffer pool
mysql_1 | 2017-01-27 20:53:45 140515784030144 [Note] InnoDB: Highest supported file format is Barracuda.
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] InnoDB: 128 rollback segment(s) are active.
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] InnoDB: Waiting for purge to start
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] InnoDB: Percona XtraDB (http://www.percona.com) 5.6.34-79.1 started; log sequence number 239403989
mysql_1 | 2017-01-27 20:53:48 140515005662976 [Note] InnoDB: Dumping buffer pool(s) not yet started
mysql_1 | 2017-01-27 20:53:48 140515784030144 [Note] Plugin 'FEEDBACK' is disabled.
mysql_1 | 2017-01-27 20:53:49 140515784030144 [Note] Server socket created on IP: '::'.
mysql_1 | 2017-01-27 20:53:49 140515784030144 [ERROR] Can't start server : Bind on unix socket: Read-only file system
mysql_1 | 2017-01-27 20:53:49 140515784030144 [ERROR] Do you already have another mysqld server running on socket: /var/run/mysqld/mysqld.sock ?
mysql_1 | 2017-01-27 20:53:49 140515784030144 [ERROR] Aborting
I can verify the permissions on the directory are correct (and that the UID of the mysql user is 999):
$ ls -la /var/run/mysqld
total 8
drwxrwxrwx 2 mysql mysql 4096 Jan 17 22:14 .
drwxr-xr-x 4 root root 4096 Jan 18 22:55 ..
But I still cannot:
$ touch /var/run/mysqld/foo
touch: cannot touch '/var/run/mysqld/foo': Read-only file system
Even if I run as root.
Any ideas what I'm doing wrong?
As an aside, the /tmp filesystem works fine.
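A diagnostic for the situation described in the question, added here as an example (it is not part of the original post and not a Docker or Compose tool): it parses a /proc/self/mounts-style table from stdin and reports which mount actually serves a path and whether that mount is rw, so a `tmpfs:` entry can be verified from inside the container rather than inferred from `ls`. The two mount tables are constructed samples; a POSIX sh is assumed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): which mount backs a path?
# mount_for PATH: print "<mountpoint> <fstype> <options>" for the longest
# mount point that is a prefix of PATH (mount table read from stdin).
mount_for() {
  path=$1
  best='' best_type='' best_opts='' best_len=0
  while read -r _dev mnt fstype opts _rest; do
    [ -z "$mnt" ] && continue
    if [ "$mnt" = / ]; then
      match=1
    else
      case "$path" in
        "$mnt" | "$mnt"/*) match=1 ;;
        *) match=0 ;;
      esac
    fi
    if [ "$match" -eq 1 ] && [ "${#mnt}" -ge "$best_len" ]; then
      best=$mnt best_type=$fstype best_opts=$opts best_len=${#mnt}
    fi
  done
  printf '%s %s %s\n' "$best" "$best_type" "$best_opts"
}

# path_writable PATH: exit 0 if the serving mount carries the rw option,
# 1 if PATH sits on a read-only mount (mount table on stdin).
path_writable() {
  set -- $(mount_for "$1")
  case ",$3," in *,rw,*) return 0 ;; *) return 1 ;; esac
}

# Constructed table mirroring the symptom in the question: root is ro, the
# /tmp tmpfs is present, but nothing is mounted at /var/run/mysqld.
BROKEN='overlay / overlay ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'
# Constructed table where the tmpfs landed with the requested uid/gid options.
FIXED="$BROKEN
tmpfs /var/run/mysqld tmpfs rw,nosuid,nodev,noexec,relatime,uid=999,gid=999 0 0"

check() {  # check PATH TABLE: print a one-line verdict for PATH
  if printf '%s\n' "$2" | path_writable "$1"; then verdict=writable
  else verdict=READ-ONLY; fi
  echo "$1: $verdict ($(printf '%s\n' "$2" | mount_for "$1"))"
}
check /var/run/mysqld "$BROKEN"
check /tmp "$BROKEN"
check /var/run/mysqld "$FIXED"
```

Inside a running container the same check is `mount_for /var/run/mysqld < /proc/self/mounts`; if it reports the overlay root rather than a tmpfs, the mount never happened, whatever the directory's permission bits say.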