Volume mapped filebeat.yml permissions from Docker on Windows host

I'm trying to run the official 5.4.3 filebeat docker container via VirtualBox on a Windows host. Rather than creating a custom image, I'm using a volume mapping to pass the filebeat.yml file to the container using the automatically created VirtualBox mount /c/Users which points to C:\Users on my host.

Unfortunately I'm stuck on this error:

Exiting: error loading config file: config file ("filebeat.yml") can only be writable by the owner but the permissions are "-rwxrwxrwx" (to fix the permissions use: 'chmod go-w /usr/share/filebeat/filebeat.yml')

My docker-compose config is:

filebeat:
  image: "docker.elastic.co/beats/filebeat:5.4.3"
  volumes:
   - "/c/Users/Nathan/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro"
   - "/c/Users/Nathan/log:/mnt/log:ro"

I've tried SSH-ing into the machine and running the chmod go-w command but no change. Is this some kind of permission limitation when working with VirtualBox shared folders on a Windows host?

1 Like

I think this is an issue with the shared filesystem since windows uses a DACL for permissions.

Please modify the command you're are using to start the container to include the flag to disable the permission checking.

filebeat:
  image: "docker.elastic.co/beats/filebeat:5.4.3"
  command: filebeat -e -strict.perms=false
  volumes:
   - "/c/Users/Nathan/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro"
   - "/c/Users/Nathan/log:/mnt/log:ro"
2 Likes

Thanks Andrew. How does the command property differ from entrypoint?

At the current time I believe the Elastic Beats images all use CMD rather than ENTRYPOINT. There are some subtle differences in how your override the command that is executed inside the container based on whether the image uses a command or an entrypoint. When the image uses an entrypoint, the command is appended to the entrypoint. When an image uses a command, then specifying a new command completely overwrites the command in the image.

So if our images were to specify an entrypoint (they don't) of metricbeat -e then you could just specify command: -strict.perms=false and it would run metricbeat -e -strict.perms=false inside the container. But because the image uses a CMD in the Dockerfile you need to specify the complete command that you want to run if you need to change it.

2 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.