APOC load - sandbox warning : docker image not loading configuration setting from environment

apoc

(Michaeljquinn) #1

I have a docker-compose file, but I am getting the sandbox warning from the APOC load when starting the neo4j container.
I am running Vagrant/VirtualBox on a Windows 10 host with an Ubuntu 16.04 LTS guest (running docker/docker-compose).

From the diagnostics it looks like the right settings are being loaded?

2018-09-29 09:47:26.054+0000 INFO [o.n.k.i.DiagnosticsManager]  [classpath + loader.0] file:/var/lib/neo4j/lib/neo4j-cypher-3.4.7.jar

2018-09-29 09:47:25.964+0000 INFO [o.n.k.i.DiagnosticsManager] dbms.security.procedures.unrestricted=apoc.\*


2018-09-29 09:47:26.070+0000 INFO [o.n.k.i.DiagnosticsManager]  [classpath + loader.0] file:/plugins/apoc-3.4.0.3-all.jar

Here is a debug.log entry that's relevant:

2018-09-29 09:26:28.524+0000 WARN [o.n.k.i.p.Procedures] apoc.schema.assert is unavailable because it is sandboxed and has dependencies outside of the sandbox. Sandboxing is controlled by the dbms.security.procedures.unrestricted setting. Only unrestrict procedures you can trust with access to database internals.

ie
my env file

NEO4J_VERSION=3.4.7
BOLT_PORT=7687
HTTP_PORT=7474
HTTPS_PORT=6477
NEO4J_DATA=/neo4j/community/data
NEO4J_LOG=/neo4j/community/logs
NEO4J_PLUG=/neo4j/community/plugins
NEO4J_IMPORT=/projects/Neo4j/XXX/Data

my docker-compose file below,

version: '3'
networks:
  lan:
services:
  core1:
    image: neo4j:$NEO4J_VERSION
    container_name: neo4j.community
    user: "1001:1001"
    networks:
    - lan
    ports:
    - $HTTP_PORT:7474
    - $HTTPS_PORT:6477
    - $BOLT_PORT:7687
    volumes:
    - $NEO4J_DATA:/data
    - $NEO4J_LOG:/logs
    - $NEO4J_PLUG:/plugins
    - $NEO4J_IMPORT:/import
    - $NEO4J_CONF:/conf
    environment:
    - NEO4J_AUTH=neo4j/password
    - NEO4J_dbms_mode=CORE
    - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    - NEO4J_dbms_connector_http_listen__address=:7474
    - NEO4J_dbms_connector_https_listen__address=:6477
    - NEO4J_dbms_connector_bolt_listen__address=:7687
    - NEO4J_dbms_security_procedures_unrestricted=apoc.\* \


(Stefan Armbruster) #2

Quoting in the last option is not correct. When running a container from the command line, you have to use docker run .... -e NEO4J_dbms_security_procedures_unrestricted=apoc.\\\* ... - so three backslashes before the *. I guess you need the same in docker-compose as well.


(Michaeljquinn) #3

Sorry all,
I did not use </> quoting and it must have stripped out the slashes.

Importantly though, the diagnostic logging shows that the env var is being passed
in correctly (IMHO):

2018-09-29 09:47:25.964+0000 INFO [o.n.k.i.DiagnosticsManager] dbms.security.procedures.unrestricted=apoc.\*

version: '3'

networks:
  lan:

services:

  core1:
    image: neo4j:$NEO4J_VERSION
    container_name: neo4j.community
    user: "1001:1001"
    networks:
    - lan
    ports:
    - $HTTP_PORT:7474
    - $HTTPS_PORT:6477
    - $BOLT_PORT:7687
    volumes:
    - $NEO4J_DATA:/data
    - $NEO4J_LOG:/logs
    - $NEO4J_PLUG:/plugins
    - $NEO4J_IMPORT:/import
    - $NEO4J_CONF:/conf
    environment:
    - NEO4J_AUTH=neo4j/password
    - NEO4J_dbms_mode=CORE
    - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    - NEO4J_dbms_connector_http_listen__address=:7474
    - NEO4J_dbms_connector_https_listen__address=:6477
    - NEO4J_dbms_connector_bolt_listen__address=:7687
    - NEO4J_dbms_security_procedures_unrestricted=apoc.\\\* \

(Michaeljquinn) #4

More information: launching with docker instead of docker-compose works fine.

#!/bin/sh
#
# docker run equivalent of the docker compose file
docker run \
    -p 7474:7474 -p 7687:7687 \
    --user "1001:1001" \
    -v /home/int/neo4j/community/data:/data \
    -v /home/int/neo4j/community/plugins:/plugins \
    -v /home/int/neo4j/community/logs:/logs \
    --name neo4j-apoc \
    -e NEO4J_dbms_mode=CORE \
    -e NEO4J_ACCEPT_LICENSE_AGREEMENT=yes \
    -e NEO4J_dbms_connector_http_listen__address=:7474 \
    -e NEO4J_dbms_connector_https_listen__address=:6477 \
    -e NEO4J_dbms_connector_bolt_listen__address=:7687 \
    -e NEO4J_dbms_security_procedures_unrestricted=apoc.\\\* \
    neo4j:latest

Corresponding docker-compose file:

version: '3'

networks:
  lan:

services:

  neoapoc:
    image: neo4j:latest
    container_name: neo4j-apoc
    user: 1001:1001
    ports:
      - 7474:7474
      - 6477:6477
      - 7687:7687
    volumes:
      - /home/int/neo4j/community/data:/data
      - /home/int/neo4j/community/logs:/logs
      - /home/int/neo4j/community/plugins:/plugins
      - /import:/import
    environment:
      - NEO4J_dbms_mode=CORE
      - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
      - NEO4J_dbms_connector_http_listen__address=:7474
      - NEO4J_dbms_connector_https_listen__address=:6477
      - NEO4J_dbms_connector_bolt_listen__address=:7687
      - NEO4J_dbms_security_procedures_unrestricted=apoc.\\\*

(Michaeljquinn) #5

Hi all,
Problem solved.

Seems like docker-compose does not need the escaping for the setting, so you
must use

 - NEO4J_dbms_security_procedures_unrestricted=apoc.*

In hindsight this makes absolute sense, as they are not
command line variables, but are in a "file" and so not
subject to shell shenanigans.

Please update your doco.

thanks for the responses
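
The difference described in post #5, as an added example that is not part of the original thread: the same text yields one value when typed on a shell command line and another when written as a list-form `environment:` entry in a compose file. The helper names `shell_word` and `compose_env_value` and the embedded fragment are constructed for illustration; the script models shell word processing and a plain YAML scalar only, not Neo4j's own handling of the value.

```shell
#!/bin/sh
# Added example: models shell word processing and a plain YAML list entry only.

# Constructed sample: the environment entry as written in post #4's compose file.
COMPOSE_SAMPLE='    environment:
      - NEO4J_dbms_mode=CORE
      - NEO4J_dbms_security_procedures_unrestricted=apoc.\\\*'

# shell_word WORD [FILE]: print what a POSIX shell passes to a program when
# WORD is typed on a command line. Runs in a scratch directory that is empty,
# or holds FILE, so filename expansion is reproducible. Uses eval, so feed it
# only the constructed strings below.
shell_word() {
    d=$(mktemp -d) || return 1
    if [ -n "${2:-}" ]; then : > "$d/$2"; fi
    ( cd "$d" && eval "printf '%s' $1" )
    rm -rf "$d"
}

# compose_env_value NAME: print the value of a list-form "- NAME=value" entry
# exactly as written. A plain (unquoted) YAML scalar has no backslash escapes,
# and no shell is involved, so the text after "=" is the value.
compose_env_value() {
    printf '%s\n' "$COMPOSE_SAMPLE" | sed -n "s/^ *- $1=//p"
}

echo "Typed after 'docker run -e NAME=' (no matching files present):"
for w in 'apoc.\\\*' 'apoc.\*' "'apoc.*'" 'apoc.*'; do
    printf '  %-10s -> %s\n' "$w" "$(shell_word "$w")"
done

echo "Unquoted apoc.* when the directory holds a file named apoc.txt:"
printf '  %-10s -> %s\n' 'apoc.*' "$(shell_word 'apoc.*' apoc.txt)"

echo "Written in the compose file:"
printf '  %-10s -> %s\n' 'apoc.\\\*' \
    "$(compose_env_value NEO4J_dbms_security_procedures_unrestricted)"
```

On a command line, single-quoting the value (`'apoc.*'`) gives the same result whatever files the working directory holds, which an unquoted `apoc.*` does not.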