Containerizing Cordapp with Docker Image and Docker Compose

Question

When running Corda in docker with external Postgres DB configurations, I get insufficient privileges to access error.

Note: Corda: 4.6 Postgresql: 9.6 Docker engine 20.10.6 Docker-compose: docker-compose version 1.29.1, build c34c88b2

docker-compose.yml file:

version: '3.3'

services:
  partyadb:
    hostname: partyadb
    container_name: partyadb
    image: "postgres:9.6"
    environment:
      POSTGRES_PASSWORD: postgres
      POSTGRES_USER: postgres
      POSTGRES_DB: partyadb
    ports:
    - 5432
  partya:
    hostname: partya
#    image: corda/corda-zulu-java1.8-4.7:RELEASE
    image: corda/corda-zulu-java1.8-4.6:latest
    container_name: partya
    ports:
    - 10006
    - 2223
    command: /bin/bash -c "java -jar /opt/corda/bin/corda.jar run-migration-scripts -f /etc/corda/node.conf --core-schemas --app-schemas && /opt/corda/bin/run-corda"
    volumes:
    - ./partya/node.conf:/etc/corda/node.conf:ro
    - ./partya/certificates:/opt/corda/certificates:ro
    - ./partya/persistence.mv.db:/opt/corda/persistence/persistence.mv.db:rw
    - ./partya/persistence.trace.db:/opt/corda/persistence/persistence.trace.db:rw
#    - ./partya/logs:/opt/corda/logs:rw
    - ./shared/additional-node-infos:/opt/corda/additional-node-infos:rw
    - ./shared/cordapps:/opt/corda/cordapps:rw
    - ./shared/drivers:/opt/corda/drivers:ro
    - ./shared/network-parameters:/opt/corda/network-parameters:rw
    environment:
    - ACCEPT_LICENSE=${ACCEPT_LICENSE}
    depends_on:
      - partyadb

Error:

[ERROR] 12:41:24+0000 [main] internal.NodeStartupLogging. - Exception during node startup. Corda started with insufficient privileges to access /opt/corda/additional-node-infos/nodeInfo-5B........................................47D

Answer 1

I just configure the image to be run as root. This works but may not be safe. Simply add

services:
    cordaNode:
        user: root

to the service configuration.

Ref: How to configure docker-compose.yml to up a container as root

Answer 2

So the error itself describes that it's a permission problem.

I don't know if you crafted this dockerfile yourself, you may want to take a look at generating them with the dockerform task (https://docs.corda.net/docs/corda-os/4.8/generating-a-node.html#use-cordform-and-dockerform-to-create-a-set-of-local-nodes-automatically)

This permission problem could be that you're setting only read / write within the container:

 - ./shared/additional-node-infos:/opt/corda/additional-node-infos:rw

or it could be that you need to change the permissions on the shared folder. Try changing the permissions of shared to 777 and see if that works, then restrict your way back down to permissions you're comfortable with.

Answer 3

The corda/corda-zulu-java1.8-4.6:latest image runs under the user corda, not root. This user has user id 1000, and also is in a group called corda, also with gid 1000:

corda@5bb6f196a682:~$ id -u corda
1000
corda@5bb6f196a682:~$ groups corda
corda : corda
corda@5bb6f196a682:~$ id -G corda
1000

The problem here seems to be that the file you are mounting into the docker container (./shared/additional-node-infos/nodeInfo-5B) does not have permissions setup in such a way as to allow this user to access it. I'm assuming the user needs read and write access. A very simple fix would be to give other read and write access to this file:

$ chmod o+rw ./shared/additional-node-infos/nodeInfo-5B

There are plenty of other ways to manage this kind of permissions issue in docker, but remember that the permissions are based on uid/gid which usually do not map nicely from your host machine into the docker container.