Head's Up! These forums are read-only. All users and content have migrated. Please join us at community.neo4j.com.

APOC load - sandbox warning : docker image not loading configuration setting from environment

I have a docker-compose file, but I get the sandbox warning from the APOC load when starting the neo4j container.
Running Vagrant/VirtualBox on a Windows 10 host, Ubuntu 16.04 LTS guest (running docker/docker-compose).

From the diagnostics it looks like the right settings are being loaded?

2018-09-29 09:47:26.054+0000 INFO [o.n.k.i.DiagnosticsManager]  [classpath + loader.0] file:/var/lib/neo4j/lib/neo4j-cypher-3.4.7.jar

2018-09-29 09:47:25.964+0000 INFO [o.n.k.i.DiagnosticsManager] dbms.security.procedures.unrestricted=apoc.\*


2018-09-29 09:47:26.070+0000 INFO [o.n.k.i.DiagnosticsManager]  [classpath + loader.0] file:/plugins/apoc-3.4.0.3-all.jar

Here is a debug.log entry that's relevant:

2018-09-29 09:26:28.524+0000 WARN [o.n.k.i.p.Procedures] apoc.schema.assert is unavailable because it is sandboxed and has dependencies outside of the sandbox. Sandboxing is controlled by the dbms.security.procedures.unrestricted setting. Only unrestrict procedures you can trust with access to database internals.

i.e. my env file:

NEO4J_VERSION=3.4.7
BOLT_PORT=7687
HTTP_PORT=7474
HTTPS_PORT=6477
NEO4J_DATA=/neo4j/community/data
NEO4J_LOG=/neo4j/community/logs
NEO4J_PLUG=/neo4j/community/plugins
NEO4J_IMPORT=/projects/Neo4j/XXX/Data

My docker-compose file is below:

version: '3'

networks:
  lan:

services:

  core1:
    image: neo4j:$NEO4J_VERSION
    container_name: neo4j.community
    user: "1001:1001"
    networks:
    - lan
    ports:
    - $HTTP_PORT:7474
    - $HTTPS_PORT:6477
    - $BOLT_PORT:7687
    volumes:
    - $NEO4J_DATA:/data
    - $NEO4J_LOG:/logs
    - $NEO4J_PLUG:/plugins
    - $NEO4J_IMPORT:/import
    - $NEO4J_CONF:/conf
    environment:
    - NEO4J_AUTH=neo4j/password
    - NEO4J_dbms_mode=CORE
    - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    - NEO4J_dbms_connector_http_listen__address=:7474
    - NEO4J_dbms_connector_https_listen__address=:6477
    - NEO4J_dbms_connector_bolt_listen__address=:7687
    - NEO4J_dbms_security_procedures_unrestricted=apoc.\*


Quoting in the last option is not correct. When running a container from the command line, you have to use docker run .... -e NEO4J_dbms_security_procedures_unrestricted=apoc.\\\* ..., so three backslashes before the *. I guess you need the same in docker-compose as well.

Sorry all,
I did not use </> quoting and it must have stripped out the slashes.

Importantly though, the diagnostic logging shows that the env var is being passed
in correctly (IMHO):

2018-09-29 09:47:25.964+0000 INFO [o.n.k.i.DiagnosticsManager] dbms.security.procedures.unrestricted=apoc.\*

version: '3'

networks:
  lan:

services:

  core1:
    image: neo4j:$NEO4J_VERSION
    container_name: neo4j.community
    user: "1001:1001"
    networks:
    - lan
    ports:
    - $HTTP_PORT:7474
    - $HTTPS_PORT:6477
    - $BOLT_PORT:7687
    volumes:
    - $NEO4J_DATA:/data
    - $NEO4J_LOG:/logs
    - $NEO4J_PLUG:/plugins
    - $NEO4J_IMPORT:/import
    - $NEO4J_CONF:/conf
    environment:
    - NEO4J_AUTH=neo4j/password
    - NEO4J_dbms_mode=CORE
    - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
    - NEO4J_dbms_connector_http_listen__address=:7474
    - NEO4J_dbms_connector_https_listen__address=:6477
    - NEO4J_dbms_connector_bolt_listen__address=:7687
    - NEO4J_dbms_security_procedures_unrestricted=apoc.\\\*

More information: launching with docker instead of docker-compose works fine.

#!/bin/sh
#
# docker run equivalent of the docker compose file
docker run \
    -p 7474:7474 -p 7687:7687 \
    --user "1001:1001" \
    -v /home/int/neo4j/community/data:/data \
    -v /home/int/neo4j/community/plugins:/plugins \
    -v /home/int/neo4j/community/logs:/logs \
    --name neo4j-apoc \
    -e NEO4J_dbms_mode=CORE \
    -e NEO4J_ACCEPT_LICENSE_AGREEMENT=yes \
    -e NEO4J_dbms_connector_http_listen__address=:7474 \
    -e NEO4J_dbms_connector_https_listen__address=:6477 \
    -e NEO4J_dbms_connector_bolt_listen__address=:7687 \
    -e NEO4J_dbms_security_procedures_unrestricted=apoc.\\\* \
    neo4j:latest

Corresponding docker-compose file:

version: '3'

networks:
  lan:

services:

  neoapoc:
    image: neo4j:latest
    container_name: neo4j-apoc
    user: "1001:1001"
    ports:
      - 7474:7474
      - 6477:6477
      - 7687:7687
    volumes:
      - /home/int/neo4j/community/data:/data
      - /home/int/neo4j/community/logs:/logs
      - /home/int/neo4j/community/plugins:/plugins
      - /import:/import
    environment:
      - NEO4J_dbms_mode=CORE
      - NEO4J_ACCEPT_LICENSE_AGREEMENT=yes
      - NEO4J_dbms_connector_http_listen__address=:7474
      - NEO4J_dbms_connector_https_listen__address=:6477
      - NEO4J_dbms_connector_bolt_listen__address=:7687
      - NEO4J_dbms_security_procedures_unrestricted=apoc.\\\*

Hi all,
Problem solved.

It seems docker-compose does not need the escaping for the setting, so you
must use

 - NEO4J_dbms_security_procedures_unrestricted=apoc.*

in docker-compose. In hindsight this makes absolute sense, as these are not
command-line variables but are in a "file" and so are not
subject to shell shenanigans.

Please update your doco.

Thanks for the responses.

We had the same problem. However, none of the above solutions seemed to work for us. Maybe because of Neo4j 4.0?

The only solution we found to make it work was putting the apoc method we wanted to use on the unrestricted list as well as putting it on the procedures whitelist:

-e NEO4J_dbms_security_procedures_unrestricted=apoc.<method name>
-e NEO4J_dbms_security_procedures_whitelist=apoc.<method name>

Maybe there is also a better way to do that with Neo4j 4.0?

You need to quote:

-e NEO4J_dbms_security_procedures_unrestricted=apoc.\\\*,bloom.\\\*

Quoting with three backslashes did NOT work for us.

For me (zsh on Linux) it does. You can inspect the log/debug.log file once Neo4j is started; there you see what config options finally end up inside Neo4j. I typically use docker cp <containerName>:logs/debug.log /tmp/debug.log to get access to it, or use docker exec -it <containerName> /bin/bash.
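As an added example that is not part of the thread and is not Neo4j's or Docker's own code, the POSIX shell script below reproduces the mechanism behind the "Problem solved" post and the debug.log check in the last reply. It does not run Docker at all. It shows what the shell does to apoc.\\\* and to an unescaped apoc.* on a docker run command line, what a value read from a file with no shell in between looks like, and a small checker that pulls the effective dbms.security.procedures.unrestricted value out of a debug.log and flags a leftover backslash. The temp files, the apoc.conf decoy and the env-file line are constructed for the demo; the debug.log line mirrors the DiagnosticsManager line quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Neo4j's or Docker's code).
# Reproduces why `docker run -e` needs escaping for a value containing `*`
# while a compose/env file does not, and how to read the effective value back.
# All files and the debug.log line below are constructed for this demo.

# What `docker run -e KEY=apoc.\\\*` actually passes: the shell turns \\ into \
# and \* into *, so the container's environment holds apoc.\* (one backslash).
cmdline_three_backslashes() {
    printf '%s' apoc.\\\*
}

# An unescaped `*` on the command line is a glob. If the working directory
# contains a matching name, the pattern is silently replaced by that name.
cmdline_unescaped_glob() {
    dir=$(mktemp -d)
    : > "$dir/apoc.conf"            # constructed decoy so the glob has a match
    ( cd "$dir" && printf '%s' apoc.* )
    rm -rf "$dir"
}

# The file path as the thread's final reply describes it: the value is read
# from a file and no shell re-parses it, so backslashes are kept literally.
# Argument: one KEY=value line; prints the value as a file reader sees it.
value_from_env_file() {
    file=$(mktemp)
    printf '%s\n' "$1" > "$file"    # constructed one-line env file
    IFS= read -r line < "$file"     # -r: do not interpret backslashes
    rm -f "$file"
    printf '%s' "${line#*=}"
}

# Read the setting Neo4j actually loaded from a debug.log file (the
# DiagnosticsManager line quoted in the thread). Prints the value after '='.
effective_unrestricted() {
    grep -o 'dbms.security.procedures.unrestricted=.*' "$1" \
        | sed 's/^[^=]*=//' | tail -n 1
}

# A value that still contains a backslash means the escaping leaked through;
# such a pattern will not match any real procedure name. Returns 1 then.
looks_clean() {
    case "$1" in
        *\\*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Demo. Note that apoc.* lifts the sandbox for every APOC procedure; the
# warning in the thread itself says to unrestrict only procedures you trust.
printf '%-48s -> %s\n' 'docker run -e ...=apoc.\\\*  (shell strips one level)' "$(cmdline_three_backslashes)"
printf '%-48s -> %s\n' 'docker run -e ...=apoc.*     (shell globs)' "$(cmdline_unescaped_glob)"
printf '%-48s -> %s\n' 'env/compose file ...=apoc.\\\* (kept literally)' \
    "$(value_from_env_file 'NEO4J_dbms_security_procedures_unrestricted=apoc.\\\*')"
printf '%-48s -> %s\n' 'env/compose file ...=apoc.*    (kept literally)' \
    "$(value_from_env_file 'NEO4J_dbms_security_procedures_unrestricted=apoc.*')"

log=$(mktemp)   # constructed debug.log excerpt in the format quoted in the thread
printf '%s\n' '2018-09-29 09:47:25.964+0000 INFO [o.n.k.i.DiagnosticsManager] dbms.security.procedures.unrestricted=apoc.\*' > "$log"
v=$(effective_unrestricted "$log")
if looks_clean "$v"; then
    printf 'debug.log shows %s: ok\n' "$v"
else
    printf 'debug.log shows %s: backslash leaked through, fix the quoting\n' "$v"
fi
rm -f "$log"
```

To use the checker against a real container, copy the log out as the last reply suggests (docker cp <containerName>:logs/debug.log /tmp/debug.log) and run effective_unrestricted /tmp/debug.log: the value it prints is the pattern Neo4j is actually matching procedure names against, so it also makes plain how broad the unsandboxed set is. A narrower pattern or an explicit list of procedure names, as in the Neo4j 4.0 reply above, keeps the lifted sandbox to what you actually need.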