host user running docker requires UID of 1000 for elasticsearch #295

Closed
nilsnolde opened this issue Aug 1, 2022 · 10 comments
Labels
bug Something isn't working

Comments

@nilsnolde

there's some bug reports around that already, e.g. #214 (AccessDenied, the container can't write into the $DATA_DIR/elasticsearch directory)

the problem seems to me that the ES container internally has the elasticsearch user with UID/GID 1000 doing all the operations. while my DATA_DIR is owned by the same user I run docker with and happens to have UID/GID 1003. so the container can't create any data/directories inside DATA_DIR with its 775 permission bits.

urgh, this is a mess with docker user management.. been there a few times.. essentially, IMO there's no fool-proof way that'll work in all situations without at least one root command. so maybe the way it works right now is the best we can do..

for now I'll make the DATA_DIR 777. no idea what else to try (made my local docker user part of group 1000, but then pelias elastic start changes the permissions back to 1003/1003).

@nilsnolde nilsnolde added the bug Something isn't working label Aug 1, 2022
@nilsnolde
Author

actually all docker containers require a UID of 1000 it seems, not that it matters much

@missinglink
Member

Yeah for sure, permissions inside permissions, can be a nightmare.

I thought I'd fixed this last year, we haven't had many reports recently. How it's supposed to work is that the pelias command detects your UID automatically so you shouldn't have to do anything.

@nilsnolde
Author

nilsnolde commented Aug 1, 2022

can't see much in the pelias commands other than the deprecated DOCKER_USER.

> the pelias command detects your UID automatically so you shouldn't have to do anything.

but how would that work even? it detects your UID but it can't take that for the docker-internal user, that would have to be decided in the image building when creating the user. we could change the permissions with the pelias command to 1000:1000 but not without sudo. (also would be strange, my data dir would then be owned by the host user overpass :D).

I think everyone got lucky so far, always having run this with the machine's first user:)

@nilsnolde
Author

I had a similar use case before and had to change our valhalla image to accommodate for that:
https://github.com/gis-ops/docker-valhalla/blob/a503d556a75661a644c25b16fa82eafa89b3f963/Dockerfile#L44-L50

definitely not arguing that's an option for your docker recipes, it's also a total nightmare.

@missinglink
Member

You can specify the docker user at runtime too

@nilsnolde
Author

huh.. let me research hahah 😅

@nilsnolde
Author

ah right, totally forgot about that..

I guess that's what DOCKER_USER was for?

@nilsnolde
Author

https://github.com/pelias/docker/blob/master/lib/env.sh

thanks!! didn't find that! yes, that should definitely do it. I'll just quietly close this issue and admit my idiot mistake of not using the provided docker-compose.yml..

@missinglink
Member

Haha all good, permissions are the most common issue we get, I might spend some more time on the pelias system check command to see if it can detect issues like this automatically.
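Added example, not part of the thread and not Pelias code: a pre-flight check of the kind discussed above, testing whether the container's UID/GID (1000:1000 in this issue) can create files in `DATA_DIR` and flagging the 777 workaround as world-writable. The helper names and the `ES_UID`/`ES_GID` variables are hypothetical; it assumes GNU `stat` on Linux and ignores supplementary groups, ACLs and user-namespace remapping.

```shell
#!/bin/sh
# Added example; dir_meta, can_write_as, world_writable, report are hypothetical names.

# dir_meta DIR -> prints "owner_uid owner_gid octal_mode"
dir_meta() {
    [ -d "$1" ] && stat -c '%u %g %a' "$1"
}

# can_write_as UID GID DIR -> 0 if uid/gid may create entries in DIR, 1 if not, 2 on error
can_write_as() {
    cw_uid=$1; cw_gid=$2
    cw_meta=$(dir_meta "$3") || return 2
    set -- $cw_meta                       # $1=owner uid, $2=owner gid, $3=mode
    cw_mode=$((0$3))                      # octal string -> integer
    if [ "$cw_uid" -eq 0 ]; then return 0; fi   # root bypasses mode bits
    # POSIX picks exactly one permission class: owner, else group, else other
    if   [ "$cw_uid" -eq "$1" ]; then cw_bits=$(( (cw_mode >> 6) & 3 ))
    elif [ "$cw_gid" -eq "$2" ]; then cw_bits=$(( (cw_mode >> 3) & 3 ))
    else                              cw_bits=$((  cw_mode       & 3 ))
    fi
    [ "$cw_bits" -eq 3 ]                  # creating files needs write (2) + search (1)
}

# world_writable DIR -> 0 if the "other" write bit is set
world_writable() {
    ww_meta=$(dir_meta "$1") || return 2
    set -- $ww_meta
    [ $(( 0$3 & 2 )) -ne 0 ]
}

# report DIR UID GID -> prints findings, always returns 0
report() {
    if can_write_as "$2" "$3" "$1"; then
        echo "OK: uid=$2 gid=$3 can write to $1"
    else
        echo "FAIL: uid=$2 gid=$3 cannot write to $1 (owner gid mode: $(dir_meta "$1"))"
    fi
    if world_writable "$1"; then
        echo "WARN: $1 is world-writable; any local user or container can modify it"
    fi
    return 0
}

# Runs only when DATA_DIR is set; 1000:1000 is the container user named in this issue.
if [ -n "${DATA_DIR:-}" ]; then
    report "$DATA_DIR" "${ES_UID:-1000}" "${ES_GID:-1000}"
fi
```

Run it with `DATA_DIR` exported; set `ES_UID`/`ES_GID` to the values the container is actually started with if a runtime user is specified.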
