Elasticsearch docker image

Hi,

I'm using the docker image of elasticsearch:6.4.0 and trying to add a repo path for backup.

But after I mounted a named volume, the permission in the cluster containers is not owned by elasticsearch but root.

Here is the code snippet of my yaml file:

  data:
    image: elasticsearch:6.4.0
    configs:
      - source: es-data
        target: /usr/share/elasticsearch/config/elasticsearch.yml
      - source: jvm-options-data
        target: /usr/share/elasticsearch/config/jvm.options
    networks:
      - esnet
    volumes:
      - esdata:/usr/share/elasticsearch/data
      - backup:/usr/share/elasticsearch/backup
volumes:
  esdata:
  backup:

If I check the container, data folder is owned by elasticsearch but not backup folder.

drwxr-xr-x  2 root          root   4096 Dec 16 09:24 backup
drwxrwxr-x  3 elasticsearch root   4096 Mar 12  2019 data

Is there any step I missed?

Try setting the gid and uid for the repository in your docker compose file as per the docker compose file documentation.

Elasticsearch runs as uid 1000 and gid 1000 in the docker container, IIRC.

Hi Magnus,

Thanks for the reply. But I'm wondering why data folder doesn't need to set gid/uid.

Have a look at the analysis in this blog post. Essentially, the startup script inside the docker container ensures that the data directory is owned by elasticsearch. In /usr/local/bin/docker-entrypoint.sh you'll find:

if [[ "$(id -u)" == "0" ]]; then
  # If requested and running as root, mutate the ownership of bind-mounts
  if [[ -n "$TAKE_FILE_OWNERSHIP" ]]; then
    chown -R 1000:0 /usr/share/elasticsearch/{data,logs}
  fi
fi

For your own mounted volumes, I'd use the uid and gid settings in the docker compose file rather than changing this script.
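
An added example, not part of the original posts or of the Elasticsearch image: a POSIX shell check that decides, from a directory's mode, owner and group, whether a non-root process can create files in it, which is what the backup volume in the listing above fails. The function names, the mapping of the `elasticsearch` user to uid 1000, and the constructed sample values are assumptions for illustration; `check_dir` assumes GNU `stat`.

```sh
#!/bin/sh
# Added example: can a process create files in a directory, given the
# directory's octal mode, owner uid and owner gid?

# can_write MODE OWNER_UID OWNER_GID PROC_UID [PROC_GID...]
# Exit status 0 if the process has write+search permission on the directory.
can_write() (
  perms=$(( 0$1 )); owner_uid=$2; owner_gid=$3; proc_uid=$4
  shift 4
  # root normally bypasses the permission bits (CAP_DAC_OVERRIDE)
  [ "$proc_uid" -eq 0 ] && exit 0
  if [ "$proc_uid" -eq "$owner_uid" ]; then
    bits=$(( (perms >> 6) & 7 ))        # owner class
  else
    bits=$(( perms & 7 ))               # "other" class unless a group matches
    for g in "$@"; do
      if [ "$g" -eq "$owner_gid" ]; then
        bits=$(( (perms >> 3) & 7 ))    # group class
        break
      fi
    done
  fi
  # creating or deleting entries needs both w (2) and x (1)
  [ $(( bits & 3 )) -eq 3 ]
)

# check_dir DIR PROC_UID [PROC_GID...]: same check on a real directory.
check_dir() (
  dir=$1; shift
  meta=$(stat -c '%a %u %g' "$dir") || exit 2   # GNU stat: mode uid gid
  # shellcheck disable=SC2086  # intentional split into three fields
  can_write $meta "$@"
)

# Constructed sample: name, mode, uid, gid for the two directories in the
# listing above (backup is root:root 755, data is elasticsearch:root 775).
for entry in "backup 755 0 0" "data 775 1000 0"; do
  # shellcheck disable=SC2086
  set -- $entry
  if can_write "$2" "$3" "$4" 1000 1000; then
    echo "$1: writable by uid 1000"
  else
    echo "$1: NOT writable by uid 1000"
  fi
done
```

Inside the container, `check_dir /usr/share/elasticsearch/backup 1000 1000` runs the same test against the mounted volume itself.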

Hi Magnus,

Thanks for your information! I did see that in the script. And actually, I know the reason why the default setting didn't include the backup repo: usually you wouldn't put the backup files together with the data. Anyway, thanks a lot!
