NEO4J_AUTH doesn't take effect about docker-neo4j HOT 23 CLOSED

Hello @danielsilva. I'm afraid that I can't reproduce this.

I've created a new image based on neo4j/neo4j:2.3.0 that sets the auth environment variable, as you did. It successfully sets the password and exposes the instance from the host.

One possible explanation for the problem you saw is that setting the password takes a little time because we have to start and stop the server: the only way to set the password is through the API. During that initial start/stop we bind to localhost, so the server is not misleadingly available temporarily.

That suggests that if you were to wait a bit longer (or retry until you get a response), your request might succeed.

But I can't explain the logs that you see. Here is my session where I try to reproduce your problem:

> docker pull neo4j/neo4j:2.3.0
2.3.0: Pulling from neo4j/neo4j
<snip>
Digest: sha256:811d5fc101ba3d5f90c4a89a1e94d72757af1a6b1826355c653885ff036b4908
Status: Downloaded newer image for neo4j/neo4j:2.3.0
> cat >>Dockerfile
FROM neo4j/neo4j:2.3.0
ENV NEO4J_AUTH=neo4j/123456
> docker .
Sending build context to Docker daemon 2.048 kB
Step 0 : FROM neo4j/neo4j:2.3.0
 ---> 8c2fb76180a0
Step 1 : ENV NEO4J_AUTH neo4j/123456
 ---> Running in 25faafd330ac
 ---> 9afc57bdb120
Removing intermediate container 25faafd330ac
Successfully built 9afc57bdb120
> docker run --detach --publish=7474:7474 9afc57bdb120
171111bcdeef0aaa14cc63c87b0cc7c771afa8e83406fbb21e9beee0306a619d
> docker logs 171111bcdeef0aaa14cc63c87b0cc7c771afa8e83406fbb21e9beee0306a619d
Starting Neo4j Server...process [134]... waiting for server to be ready..... OK.
http://localhost:7474/ is ready.
Stopping Neo4j Server [134].... done
Starting Neo4j Server console-mode...
11:49:48.006 [main] DEBUG i.n.u.i.l.InternalLoggerFactory - Using SLF4J as the default logging framework
2015-11-06 11:49:50.520+0000 INFO  Successfully started database
2015-11-06 11:49:50.545+0000 INFO  Starting HTTP on port 7474 (4 threads available)
2015-11-06 11:49:50.726+0000 INFO  Enabling HTTPS on port 7473
2015-11-06 11:49:50.785+0000 INFO  Mounting static content at /webadmin
2015-11-06 11:49:50.825+0000 INFO  Mounting static content at /browser
2015-11-06 11:49:51.739+0000 INFO  Remote interface ready and available at http://0.0.0.0:7474/

You can see that the server starts, bound to localhost:7474, stops and then starts again bound to 0.0.0.0:7474.

from docker-neo4j.

My bug looks slightly different as there are no visible logs and Neo4j won't even start any time I define an overriding environment variable with docker run.

from docker-neo4j.

@fbiville I have tried this on a Linux box (Ubuntu 15.04) with Docker 1.8.2:

> docker run --detach --publish=7474:7474 --volume=$HOME/neo4j-data:/tmp --env=NEO4J_AUTH=neo4j/foobar neo4j/neo4j
ab478bdf1dc6e4f3778934fca9c5cb88f1a450892256b7dd41cdfe7a343fa895
> docker logs ab478bdf1dc6e4f3778934fca9c5cb88f1a450892256b7dd41cdfe7a343fa895
Starting Neo4j Server...process [137]... waiting for server to be ready..... OK.
http://localhost:7474/ is ready.
Stopping Neo4j Server [137]....Starting Neo4j Server console-mode...
2015-11-13 09:50:11.723+0000 INFO  Successfully started database
2015-11-13 09:50:11.745+0000 INFO  Starting HTTP on port 7474 (4 threads available)
2015-11-13 09:50:11.979+0000 INFO  Enabling HTTPS on port 7473
2015-11-13 09:50:12.047+0000 INFO  Mounting static content at /webadmin
2015-11-13 09:50:12.105+0000 INFO  Mounting static content at /browser
2015-11-13 09:50:12.839+0000 INFO  Remote interface ready and available at http://0.0.0.0:7474/
> curl http://neo4j:foobar@localhost:7474/db/data/
{
  "extensions" : { },
  "node" : "http://localhost:7474/db/data/node",
  "node_index" : "http://localhost:7474/db/data/index/node",
  "relationship_index" : "http://localhost:7474/db/data/index/relationship",
  "extensions_info" : "http://localhost:7474/db/data/ext",
  "relationship_types" : "http://localhost:7474/db/data/relationship/types",
  "batch" : "http://localhost:7474/db/data/batch",
  "cypher" : "http://localhost:7474/db/data/cypher",
  "indexes" : "http://localhost:7474/db/data/schema/index",
  "constraints" : "http://localhost:7474/db/data/schema/constraint",
  "transaction" : "http://localhost:7474/db/data/transaction",
  "node_labels" : "http://localhost:7474/db/data/labels",
  "neo4j_version" : "2.3.1"
}

Can you tell me what you see if you do exactly the same thing?

from docker-neo4j.

@fbiville And I've now checked this with Docker 1.9.0 and got the same results.

from docker-neo4j.

Unfortunately, here is what I get:

➜  ~  docker run --detach --publish=7474:7474 --volume=$HOME/neo4j-data:/tmp --env=NEO4J_AUTH=neo4j/foobar neo4j/neo4j
5959e224d34ea35b18b6d7370099de101669511e9343ef1781ae8bbe274daf10
➜  ~  docker logs --follow 5959e224d34ea35b18b6d7370099de101669511e9343ef1781ae8bbe274daf10
# nothing shows up, I Ctrl+C
➜  ~  curl http://neo4j:foobar@localhost:7474/db/data/
curl: (56) Recv failure: Connection reset by peer

from docker-neo4j.

➜  ~  docker -v
Docker version 1.9.0, build 76d6bc9

from docker-neo4j.

I managed to reproduce it when trying to set NEO4J_AUTH

Example docker-compose.yml file

neo4j:
    image: neo4j/neo4j
    entrypoint: /bin/bash -x /docker-entrypoint.sh
    command: neo4j
    ports:
        - "7474:7474"
    volumes:
        - ./data:/data
    environment:
        - NEO4J_HEAP_MEMORY=2048
        - NEO4J_CACHE_MEMORY=1G
        - NEO4J_AUTH=neo4j/neo

Log resulting from this run:

Creating neo4j_neo4j_1
Attaching to neo4j_neo4j_1
neo4j_1 | + '[' neo4j == neo4j ']'
neo4j_1 | + '[' -d /conf ']'
neo4j_1 | + setting keep_logical_logs '100M size' neo4j.properties
neo4j_1 | + setting=keep_logical_logs
neo4j_1 | + value='100M size'
neo4j_1 | + file=neo4j.properties
neo4j_1 | + '[' -n '100M size' ']'
neo4j_1 | + sed --in-place 's|.*keep_logical_logs=.*|keep_logical_logs=100M size|' conf/neo4j.properties
neo4j_1 | + setting dbms.pagecache.memory 4G neo4j.properties
neo4j_1 | + setting=dbms.pagecache.memory
neo4j_1 | + value=4G
neo4j_1 | + file=neo4j.properties
neo4j_1 | + '[' -n 4G ']'
neo4j_1 | + sed --in-place 's|.*dbms.pagecache.memory=.*|dbms.pagecache.memory=1G|' conf/neo4j.properties
neo4j_1 | + setting wrapper.java.additional=-Dneo4j.ext.udc.source docker neo4j-wrapper.conf
neo4j_1 | + setting=wrapper.java.additional=-Dneo4j.ext.udc.source
neo4j_1 | + value=docker
neo4j_1 | + file=neo4j-wrapper.conf
neo4j_1 | + '[' -n docker ']'
neo4j_1 | + sed --in-place 's|.*wrapper.java.additional=-Dneo4j.ext.udc.source=.*|wrapper.java.additional=-Dneo4j.ext.udc.source=docker|' conf/neo4j-wrapper.conf
neo4j_1 | + setting wrapper.java.initmemory 2048 neo4j-wrapper.conf
neo4j_1 | + setting=wrapper.java.initmemory
neo4j_1 | + value=2048
neo4j_1 | + file=neo4j-wrapper.conf
neo4j_1 | + '[' -n 2048 ']'
neo4j_1 | + sed --in-place 's|.*wrapper.java.initmemory=.*|wrapper.java.initmemory=2048|' conf/neo4j-wrapper.conf
neo4j_1 | + setting wrapper.java.maxmemory 2048 neo4j-wrapper.conf
neo4j_1 | + setting=wrapper.java.maxmemory
neo4j_1 | + value=2048
neo4j_1 | + file=neo4j-wrapper.conf
neo4j_1 | + '[' -n 2048 ']'
neo4j_1 | + sed --in-place 's|.*wrapper.java.maxmemory=.*|wrapper.java.maxmemory=2048|' conf/neo4j-wrapper.conf
neo4j_1 | + setting org.neo4j.server.thirdparty_jaxrs_classes '' neo4j-server.properties
neo4j_1 | + setting=org.neo4j.server.thirdparty_jaxrs_classes
neo4j_1 | + value=
neo4j_1 | + file=neo4j-server.properties
neo4j_1 | + '[' -n '' ']'
neo4j_1 | + '[' neo4j/neo == none ']'
neo4j_1 | + [[ neo4j/neo == neo4j/* ]]
neo4j_1 | + password=neo
neo4j_1 | + bin/neo4j start

It seems the issue is bin/neo4j start is running in foreground and not allowing the rest of the script to be executed (like changing the password and restart the service)

from docker-neo4j.

@bivas I haven't used docker-compose, but that doesn't look right to me. Why are you providing bin/neo4j start as a command? The default command is neo4j, which will start the server; I don't think you'll need to provide a command at all if that's what you are trying to achieve. (Or specify the entrypoint, I think.)

from docker-neo4j.

@fbiville Are you running on Linux or OSX?

from docker-neo4j.

I override the entrypoint so I can add the debug flag. This is a common
practice to debug containers.

The command might be wrong, but even the container is calling 'neo4j' which
triggers the first "if" statement.

This is just a way to show what's wrong with the entrypoint script.

Eliran Bivas
On Nov 16, 2015 18:47, "Ben Butler-Cole" [email protected] wrote:

@bivas https://github.com/bivas I haven't used docker-compose, but that
doesn't look right to me. Why are you providing bin/neo4j start as a
command? The default command is neo4j, which will start the server; I
don't think you'll need to provide a command at all if that's what you are
trying to achieve. (Or specify the entrypoint, I think.)

—
Reply to this email directly or view it on GitHub
#16 (comment).

from docker-neo4j.

@bivas Thanks for the quick response. The entrypoint override is a good idea.

I've just tried your docker-compose.yml with command: neo4j (and the memory config removed because my system didn't have enough for those settings) and it worked fine. Can you try that, please?

from docker-neo4j.

Can you please add the memory settings just with lower values?
I tried it with latest docker and docker-compose versions. Still hangs at
the same line (bin/neo4j start).

from docker-neo4j.

@bivas Yes, I've now tried it with the memory settings and still can't see any problem. Have you tried it with command: neo4j?

from docker-neo4j.

@benbc i tried it several times - hangs every time; same location
I've tested with tags

• neo4j/neo4j:latest (image ID: edd19eb4421b)
• neo4j/neo4j:2.3.0 (image ID: 255313be2662)
• neo4j:latest (image ID: f9511d2c10be)

Which tag are you using? (maybe on your workstation the latest tag refer to an unpublished artifact)
Docker Engine version 1.9.0
Docker Compose version 1.5.0

from docker-neo4j.

@bivas What platform are you running on?

from docker-neo4j.

@benbc Linux Mint
3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
24 Cores 32GB RAM

from docker-neo4j.

Hello @benbc,

Unfortunately I was unable to make it work. If I configure NEO4J_AUTH the docker container is bound to localhost:7474, if I don't configure NEO4J_AUTH it's bound to 0.0.0.0:7474

I am also using Linux Mint.

Thanks for helping.

from docker-neo4j.

@benbc sorry for the late reply: when I run on Mac -> no problem, when I run on Linux (Mint) -> I cannot start Neo4j container with auth envvar

from docker-neo4j.

We have identified the problem, and are working on a solution.

For reasons, we currently make use of the lsof command to ensure that the server is running and accepting connections on a given port so the password can be changed. In the default configuration of Linux Mint with AppArmor installed, docker does not have the access it needs for lsof to work the way we expect it to. Linux Mint with AppArmor, is currently the only known default configuration that exhibits this behaviour.

We will be providing a more concrete, long term solution for this as soon as possible, but in the meantime, you can work around this issue by running docker with --privileged=true. Note that this is not considered a permanent solution, but rather as a temporary workaround while we work out the best configuration for using Neo4j in docker with AppArmor.

from docker-neo4j.

Alright, @srbaker thanks for the tip!

from docker-neo4j.

Commit 80db437 updates the documentation for the current best known fix.

from docker-neo4j.

Can you specify the CAP to add instead of running in privileged mode?

from docker-neo4j.

Unfortunately, cap-add does not work. I'm not certain of the exact details, but ptrace is being disabled at a level lower than cap-add enables it. :(

from docker-neo4j.