Files in docker-entrypoint-initdb.d do not get executed on Windows images #291

Closed
rycornell opened this issue Aug 6, 2018 · 9 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@rycornell

According to the documentation,

When a container is started for the first time it will execute files with extensions .sh and .js that are found in /docker-entrypoint-initdb.d

This does not seem to be the case for Windows images. Are there plans to add this functionality to the Windows images?

@tianon
Member

tianon commented Aug 6, 2018

Yeah, this is an unfortunate design limitation of Windows containers. On Linux, we have the exec system call (and a Bash instruction by the same name which implements it) that allows us to completely replace our current running process by another. This is what allows us to run an ENTRYPOINT script which performs some initialization logic, then replaces itself with mongod directly (so that Docker can track the mongod process properly). On Windows, no such interface exists, which means that in order to even begin to replicate this behavior, we'd have to implement a process monitor as well to sit between Docker and mongod for the lifetime of the session (all for some simple initialization behavior, which is kind of a heavy toll).

@wglambert added the question label (Usability question, not directly related to an error with the image) on Aug 6, 2018
@rycornell
Author

Thanks for the detailed response!

@prokhorovn

I'm not familiar with the MongoDB initialization approach under the hood, but it seems like on Linux containers it is done in the following style:
docker-entrypoint.sh as entrypoint holds all the logic

  • mongod process starts on 20017
  • root user created (with credentials in documented environment variables)
  • initialization js/sh scripts running
  • real mongod process starts on configured port

What about defining some Windows shell script (e.g. ps) which will do this initialization for Windows containers? Like this:
docker-entrypoint.ps holds the logic

  • start mongod
  • create root user
  • run init scripts
  • stop mongod
  • run mongod with arguments passed to entrypoint

Does it make sense?

@tianon
Member

tianon commented Feb 13, 2019

The key bit on Linux is that we can end with exec (a shell built-in), which replaces our shell script with mongod such that mongod becomes PID 1 and signal handling, etc. work properly.

Windows does not have equivalent functionality, so either cmd or powershell would stay resident and mess with signal handling to the daemon process.
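
The init-then-exec entrypoint pattern described in the two maintainer comments above, as an added example that is not the image's own docker-entrypoint.sh. It runs as ordinary processes outside a container; `daemon.sh` stands in for mongod, and all file and function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not the image's docker-entrypoint.sh. daemon.sh stands
# in for mongod; every file and function name here is hypothetical.
work=$(mktemp -d)

# Stand-in daemon: records its PID, notes a SIGTERM if one arrives, and
# exits by itself after about 5 seconds so nothing is left running.
cat > "$work/daemon.sh" <<'EOF'
echo "$$" > "$1/daemon.pid"
trap 'echo TERM > "$1/daemon.sig"; exit 0' TERM
i=0; while [ "$i" -lt 5 ]; do sleep 1; i=$((i + 1)); done
EOF

# Entrypoint A: init logic, then exec, so the daemon replaces the shell.
cat > "$work/with_exec.sh" <<'EOF'
# init scripts would run here
exec sh "$1/daemon.sh" "$1"
EOF

# Entrypoint B: same init, but the shell stays resident as the parent.
cat > "$work/no_exec.sh" <<'EOF'
# init scripts would run here
sh "$1/daemon.sh" "$1"
exit $?
EOF

# Start an entrypoint, send SIGTERM to the PID the launcher tracks (the one
# a container runtime would signal on stop), and report what the daemon saw.
run_entrypoint() {
    rm -f "$work/daemon.pid" "$work/daemon.sig"
    sh "$work/$1" "$work" >/dev/null 2>&1 &
    tracked=$!
    sleep 1                                   # let the daemon start
    daemon=$(cat "$work/daemon.pid")
    kill -TERM "$tracked"
    sleep 2                                   # let a trap handler run
    if [ "$daemon" = "$tracked" ]; then pid=same-pid; else pid=child-pid; fi
    if [ -f "$work/daemon.sig" ]; then sig=term-delivered; else sig=term-lost; fi
    kill -KILL "$daemon" 2>/dev/null || true  # stop an orphaned stand-in
    echo "$pid $sig"
}

# Run as: sh example.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "with exec:    $(run_entrypoint with_exec.sh)"
    echo "without exec: $(run_entrypoint no_exec.sh)"
fi
```

With `exec` the daemon holds the tracked PID and handles the signal itself; without it the signal reaches only the wrapper shell, and the daemon keeps running as an orphan that never sees the stop request.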

@prokhorovn

prokhorovn commented Feb 14, 2019

@tianon thank you, I see your point. In this case, is it possible to make mongo in a Linux container omit the phase of checking chmod permissions (400) for the key file? Because if you are running Linux mongo containers on a Windows host OS, it is impossible to set chmod on a mounted file. These two problems together (lack of init of win-containers + forced chmod check on lin-containers) make it impossible to enable keyfile-auth for mongo on Windows hosts.
If we are using keyfile + Windows container, we are not able to set up the root user automatically (and this causes pain when automating cluster deployment).
If we are using keyfile + Linux container, we are not able to set chmod and start the container.
Passing some flag (e.g. --suppress-kfile-400-check) seems to work here...

@yosifkit
Member

@npiskunov, permissions check on keyfiles is not in our docker entrypoint script; that is just what MongoDB itself does. You could use Docker secrets, rather than COPY or a bind mount (-v) so that you can control the mode of the resulting key file in the container (https://docs.docker.com/compose/compose-file/#secrets).

@prokhorovn

@yosifkit, thank you for the reply. Sure, checking file mode is a mongod process limitation, not the docker image's.

I've tried to use a docker-compose secret to put the keyfile in the container, but the mongo process requires this file to be in mode 400 and owned by 999:999. The gid, uid and mode options of the compose file are available only with docker stack, but not with docker compose. (Here is the issue: docker/compose#4994)
So the only option is mounting the key file in the container. And this returns us to the first issue with the Windows host OS (impossible to set chmod).
All these issues make usage of authentication in a mongo sharded cluster backed by containers near impossible when deploying Linux containers on a Windows host OS... But passing a special flag to the mongod process may still help...

@dbouffioux

Is there any solution for Windows containers to run a db init script directly in a docker-compose file?

@dmbarry86

@dbouffioux I am wondering the exact same thing and have been struggling with it all day. Did you find any answer?


7 participants