build: Make /prometheus group writable #16073

Merged: dgl merged 1 commit into prometheus:main from dgl:docker-chmod on Mar 7, 2025

@dgl (Member) commented Feb 25, 2025

As outlined in #3441 this is the minimal change needed to allow changing UID/GID in Docker when combined with a supplementary group. This only helps with volumes managed by Docker, not bind mounted to the host (because Docker doesn't manage permissions / ownership of those, but users have always been able to chown those and this change doesn't impact that).

Manual tests:

$ docker run -it --entrypoint=/bin/sh docker.io/prom/prometheus-linux-amd64:docker-chmod
/prometheus $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
/prometheus $ ls -ld /prometheus
drwxrwxr-x    2 nobody   nobody        4096 Feb 25 01:29 /prometheus
/prometheus $

$ docker run -it --entrypoint=/bin/sh prom/prometheus
/prometheus $ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
/prometheus $ ls -ld /prometheus
drwxr-xr-x    2 nobody   nobody        4096 Feb 17 19:10 /prometheus

$ docker run -it --user 9090:9090 --group-add 65534 docker.io/prom/prometheus-linux-amd64:docker-chmod
[...snip good startup...]
time=2025-02-25T01:33:10.856Z level=INFO source=main.go:1213 msg="Server is ready to receive web requests."
time=2025-02-25T01:33:10.856Z level=INFO source=manager.go:175 msg="Starting rule manager..." component="rule manager"

$ docker run -it --user 9090:9090 --group-add 65534 --mount source=prometheus-db-test1,destination=/prometheus prom/prometheus
[...old image; error...]
time=2025-02-25T01:40:05.492Z level=ERROR source=query_logger.go:113 msg="Error opening query log file" component=activeQueryTracker file=/prometheus/queries.active err="open /prometheus/queries.active: permission denied"
panic: Unable to create mmap-ed active query log

$ docker run -it --user 9090:9090 --group-add 65534 --mount source=prometheus-db-test2,destination=/prometheus docker.io/prom/prometheus-linux-amd64:docker-chmod
[...works...]
time=2025-02-25T01:41:24.553Z level=INFO source=main.go:1213 msg="Server is ready to receive web requests."
time=2025-02-25T01:41:24.553Z level=INFO source=manager.go:175 msg="Starting rule manager..." component="rule manager"

Fixes #3441.

As outlined in prometheus#3441 this is the minimal change needed to allow
changing UID/GID in Docker when combined with a supplementary group.

Signed-off-by: David Leadbeater <dgl@dgl.cx>

@dgl changed the title from "Make /prometheus group writable" to "build: Make /prometheus group writable" on Feb 25, 2025

@bwplotka (Member) left a comment

Thanks, makes sense to me 👍🏽
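
Added illustration, not part of the pull request or of Prometheus: a simplified model of the owner/group/other permission check that accounts for the manual test results above, using the modes and IDs from the `ls -ld` and `docker run` output. The function names `can_create` and `report` are hypothetical; ACLs, capabilities and root's bypass are ignored.

```shell
#!/bin/sh
# Simplified POSIX check: may a process create a file in a directory?
# Creating an entry needs both write and search (execute) on the directory.
# Usage: can_create MODE OWNER_UID OWNER_GID PROC_UID PROC_GID [SUPP_GID...]
can_create() {
    mode=$1; owner_uid=$2; owner_gid=$3; uid=$4; gid=$5
    shift 5
    # Exactly one permission class applies: owner first, then group, then other.
    if [ "$uid" -eq "$owner_uid" ]; then
        bits=0300
    else
        bits=0003
        # Primary GID and every supplementary GID (--group-add) count as "group".
        for g in "$gid" "$@"; do
            if [ "$g" -eq "$owner_gid" ]; then
                bits=0030
                break
            fi
        done
    fi
    [ $(( 0$mode & $bits )) -eq $(( $bits )) ]
}

report() {
    label=$1
    shift
    if can_create "$@"; then
        echo "$label: can create /prometheus/queries.active"
    else
        echo "$label: permission denied"
    fi
}

# /prometheus is owned by nobody:nobody (65534:65534) in both images.
report "old image (0755), default user nobody" 755 65534 65534 65534 65534
report "old image (0755), --user 9090:9090 --group-add 65534" \
    755 65534 65534 9090 9090 65534
report "new image (0775), --user 9090:9090 --group-add 65534" \
    775 65534 65534 9090 9090 65534
report "new image (0775), --user 9090:9090 without --group-add" \
    775 65534 65534 9090 9090
```

The last case shows why the supplementary group is required: without it the process falls into the "other" class, which the 0775 mode still leaves read-only.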

Development

Successfully merging this pull request may close these issues.

Prometheus docker container shouldn't run as user nobody