docker volume permissions in neo4j

Question

I'm having a bit of bother with the following docker compose setup:

version: '2.4'

services:
  graph_dev:
    image: neo4j:3.5.14-enterprise
    container_name: amlgraph_dev
    user: 100:101
    ports:
      - 7474:7474
      - 7473:7473
      - 7687:7687

    volumes:
      - neo4jbackup:/backup
      - neo4jdata:/data

volumes:
  neo4jbackup:
  neo4jdata:

I would like to run the neo4j-admin command, which must be run as the user 100 (_apt). However, the volume I need to backup to neo4jbackup, is mounted as root and _apt can't write there.

How do I create a volume that _apt can write to? The user _apt:neo4j obviously does not exist on the host. There are no users for which I have root on the docker image.

Answer 1

I can think of two options,

1. run neo4j docker container as a valid LINUX user and group and give that user access to a backup folder. Here is what my script looks like (I don't use compose currently) to run neo4j in docker under the current user

   docker run
   --user "$(id -u):$(id -g)"

Here is an article that covers doing the same thing with compose https://medium.com/faun/set-current-host-user-for-docker-container-4e521cef9ffc

2. (hacky?) but you could run neo4j-admin outside docker, or in another container in a process that does have access to the backup volume? (I hear you want to run it as root?)

but of course I'm wondering why the backup process or db backup would be owned by root (as opposed to owned by a db owner or backup account...) Personally I feel it is best practice to avoid using root account, whenever possible.

Answer 2

I ended up solving this problem by running the command as _apt as required (docker-compose run graph_dev) and the using docker exec -it -u neo4j:neo4j graph_dev /bin/bash to copy the file over to the backup directory. Not elegant but works.