Problem deploying Container Instance of PostgreSQL database server mounted on file share

Question

Problem deploying Container Instance of PostgreSQL database server mounted on file share

Pablo Schor 0

I'm creating a PostgreSQL container instance with this command line

az container create --resource-group sofresgroup --name sofpostgres --image sofacr.azurecr.io/postgres:17.4 --ports 5432 --environment-variables POSTGRES_PASSWORD=xxxxxx --azure-file-volume-account-name sofstorageacct --azure-file-volume-account-key xxxxxx--azure-file-volume-share-name soffileshare --azure-file-volume-mount-path /var/lib/postgresql/data --dns-name-label sofpostgres --registry-login-server sofacr.azurecr.io --registry-username sofacr --registry-password xxxxx --restart-policy Never

When I deploy the container, this is what I see in the logs, apparently there's a problem with the ownership of the data directory, how to fix this?

2025-03-01 22:34:17.008 UTC [135] FATAL: data directory "/var/lib/postgresql/data" has wrong ownership

2025-03-01 22:34:17.008 UTC [135] HINT: The server must be started by the user that owns the data directory. child process exited with exit code 1

initdb: removing contents of data directory "/var/lib/postgresql/data" running bootstrap script ...

Venkat V 775 Reputation points Microsoft External Staff

2025-03-03T16:29:47.1933333+00:00
Hi @Pablo Schor

Can you please check if the image is running locally using the command below and share the result screenshot?

docker run -it --rm -e POSTGRES_USER=admin -e POSTGRES_PASSWORD=Welcome@123$ -e POSTGRES_DB=mydatabase venaktacr.azurecr.io/postgres:17.4

The error you encountered above is due to a permission issue. Since ACI does not allow changing ownership (chown) of mounted Azure File Share directories, we must initialize PostgreSQL in a subdirectory (PGDATA) where PostgreSQL can write without permission issues.

Your PostgreSQL container in ACI is failing due to incorrect ownership of/var/lib/postgresql/data, which is mounted as root because it is using Azure File Share.Modify your deployment to set PGDATA to a subdirectory inside:/var/lib/postgresql/data
Pablo Schor 0 Reputation points

2025-03-03T17:16:26.62+00:00

Yes, the container works fine when I run your docker command locally, no issues. I understand that since the azure file share runs under root instead of the postgres user this fails. Question: how can I change the az container create statement to tell Azure to mount the volume with postgres instead of root?

Arko 335 Microsoft External Staff

Hello Pablo Schor,

To deploy PostgreSQL on Azure Container Instance

Create Azure Storage and File Share

az storage account create ` --name "arkstorageacct2025" ` --resource-group "arkorg" ` --location "East US" ` --sku "Standard_LRS"

enter image description here

retrieve your storage account key

$STORAGE_KEY = az storage account keys list `
      --resource-group "arkorg" `
      --account-name "arkstorageacct2025" `
      --query "[0].value" `
      --output tsv
    Write-Host "Storage Key: $STORAGE_KEY"

Create one File Share

az storage share create `
  --name "arkfileshare2025" `
  --account-name "arkstorageacct2025" `
  --account-key $STORAGE_KEY

Push your PostgreSQL image to ACR

az acr login --name "arkacr2025" --username "arkacr2025" --password "abcdefgh"

docker pull postgres:17.4
docker tag postgres:17.4 arkacr2025.azurecr.io/postgres:17.4
docker push arkacr2025.azurecr.io/postgres:17.4

Done. Now you can deploy PostgreSQL on ACI and mount your File Share

az container create `
  --resource-group "arkorg" `
  --name "arkpostgres2025" `
  --image "arkacr2025.azurecr.io/postgres:17.4" `
  --cpu 2 `
  --memory 4 `
  --ports 5432 `
  --environment-variables POSTGRES_PASSWORD="abcdefghijk" `
  --azure-file-volume-account-name "arkstorageacct2025" `
  --azure-file-volume-account-key $STORAGE_KEY `
  --azure-file-volume-share-name "arkfileshare2025" `
  --azure-file-volume-mount-path "/var/lib/postgresql/data" `
  --dns-name-label "arkpostgres2025" `
  --registry-login-server "arkacr2025.azurecr.io" `
  --registry-username "arkacr2025" `
  --registry-password "abcdefghijk" `
  --command-line "sh -c 'chown -R 999:999 /var/lib/postgresql/data && exec docker-entrypoint.sh postgres'"

enter image description here

Pablo Schor 0

Thanks, Arko, I followed the steps, but the container ends with error, see below the container create command result and the log, what could be the problem?

{

"confidentialComputeProperties": null,

"containers": [

{

  "command": [

    "sh",

    "-c",

    "chown -R 999:999 /var/lib/postgresql/data && exec docker-entrypoint.sh postgres"

  ],

  "environmentVariables": [

    {

      "name": "POSTGRES_PASSWORD",

      "secureValue": null,

      "value": "xxxxxx"

    }

  ],

  "image": "sofacr.azurecr.io/postgres:17.4",

  "instanceView": {

    "currentState": {

      "detailStatus": "Error",

      "exitCode": 1,

      "finishTime": "2025-03-04T20:03:42.112000+00:00",

      "startTime": "2025-03-04T20:03:36.981000+00:00",

      "state": "Terminated"

    },

    "events": [

      {

        "count": 1,

        "firstTimestamp": "2025-03-04T20:03:10+00:00",

        "lastTimestamp": "2025-03-04T20:03:10+00:00",

        "message": "pulling image \"sofacr.azurecr.io/postgres@sha256:0140e5f7ee4d04c008696a142a0019a13c7ef1a30d18414ccc0ed4cd1308f25c\"",

        "name": "Pulling",

        "type": "Normal"

      },

      {

        "count": 1,

        "firstTimestamp": "2025-03-04T20:03:21+00:00",

        "lastTimestamp": "2025-03-04T20:03:21+00:00",

        "message": "Successfully pulled image \"sofacr.azurecr.io/postgres@sha256:0140e5f7ee4d04c008696a142a0019a13c7ef1a30d18414ccc0ed4cd1308f25c\"",

        "name": "Pulled",

        "type": "Normal"

      },

      {

        "count": 1,

        "firstTimestamp": "2025-03-04T20:03:36+00:00",

        "lastTimestamp": "2025-03-04T20:03:36+00:00",

        "message": "Started container",

        "name": "Started",

        "type": "Normal"

      },

      {

        "count": 1,

        "firstTimestamp": "2025-03-04T20:03:42+00:00",

        "lastTimestamp": "2025-03-04T20:03:42+00:00",

        "message": "Container sofpostgres terminated with ExitCode 1.",

        "name": "Killing",

        "type": "Normal"

      }

    ],

    "previousState": null,

    "restartCount": 0

  },

  "livenessProbe": null,

  "name": "sofpostgres",

  "ports": [

    {

      "port": 5432,

      "protocol": "TCP"

    }

  ],

  "readinessProbe": null,

  "resources": {

    "limits": null,

    "requests": {

      "cpu": 2.0,

      "gpu": null,

      "memoryInGb": 4.0

    }

  },

  "securityContext": null,

  "volumeMounts": [

    {

      "mountPath": "/var/lib/postgresql/data",

      "name": "azurefile",

      "readOnly": null

    }

  ]

}

],

"diagnostics": null,

"dnsConfig": null,

"encryptionProperties": null,

"extensions": null,

"id": "/subscriptions/222fc2d3-3697-4612-9721-73c28684cc38/resourceGroups/sofresgroup/providers/Microsoft.ContainerInstance/containerGroups/sofpostgres",

"identity": null,

"imageRegistryCredentials": [

{

  "identity": null,

  "identityUrl": null,

  "isDelegatedIdentity": false,

  "password": null,

  "server": "sofacr.azurecr.io",

  "username": "sofacr"

}

],

"initContainers": [],

"instanceView": {

"events": [

  {

    "count": 1,

    "firstTimestamp": "2025-03-04T20:03:36.102000+00:00",

    "lastTimestamp": "2025-03-04T20:03:36.102000+00:00",

    "message": "Successfully mounted Azure File Volume.",

    "name": "SuccessfulMountAzureFileVolume",

    "type": "Normal"

  }

],

"state": "Failed"

},

"ipAddress": {

"autoGeneratedDomainNameLabelScope": "Unsecure",

"dnsNameLabel": "sofpostgres",

"fqdn": "sofpostgres.eastus.azurecontainer.io",

"ip": "20.120.56.210",

"ports": [

  {

    "port": 5432,

    "protocol": "TCP"

  }

],

"type": "Public"

},

"location": "eastus",

"name": "sofpostgres",

"osType": "Linux",

"priority": null,

"provisioningState": "Succeeded",

"resourceGroup": "sofresgroup",

"restartPolicy": "Never",

"sku": "Standard",

"subnetIds": null,

"tags": {},

"type": "Microsoft.ContainerInstance/containerGroups",

"volumes": [

{

  "azureFile": {

    "readOnly": null,

    "shareName": "soffileshare",

    "storageAccountKey": null,

    "storageAccountName": "sofstorageacct"

  },

  "emptyDir": null,

  "gitRepo": null,

  "name": "azurefile",

  "secret": null

}

],

"zones": null

}

The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default "max_connections" ... 25
selecting default "shared_buffers" ... 400kB
selecting default time zone ... Etc/UTC
creating configuration files ... ok
2025-03-04 20:03:38.987 UTC [144] FATAL:  data directory "/var/lib/postgresql/data" has wrong ownership
2025-03-04 20:03:38.987 UTC [144] HINT:  The server must be started by the user that owns the data directory.
child process exited with exit code 1
initdb: removing contents of data directory "/var/lib/postgresql/data"
running bootstrap script ...

Pablo Schor 0

And the container exported template:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "containerGroups_sofpostgres_name": {
            "defaultValue": "sofpostgres",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.ContainerInstance/containerGroups",
            "apiVersion": "2024-10-01-preview",
            "name": "[parameters('containerGroups_sofpostgres_name')]",
            "location": "eastus",
            "properties": {
                "sku": "Standard",
                "containers": [
                    {
                        "name": "[parameters('containerGroups_sofpostgres_name')]",
                        "properties": {
                            "image": "sofacr.azurecr.io/postgres:17.4",
                            "command": [
                                "sh",
                                "-c",
                                "chown -R 999:999 /var/lib/postgresql/data && exec docker-entrypoint.sh postgres"
                            ],
                            "ports": [
                                {
                                    "protocol": "TCP",
                                    "port": 5432
                                }
                            ],
                            "environmentVariables": [
                                {
                                    "name": "POSTGRES_PASSWORD",
                                    "value": "xxxxx"
                                }
                            ],
                            "resources": {
                                "requests": {
                                    "memoryInGB": 4,
                                    "cpu": 2
                                }
                            },
                            "volumeMounts": [
                                {
                                    "name": "azurefile",
                                    "mountPath": "/var/lib/postgresql/data"
                                }
                            ]
                        }
                    }
                ],
                "initContainers": [],
                "imageRegistryCredentials": [
                    {
                        "server": "sofacr.azurecr.io",
                        "username": "sofacr"
                    }
                ],
                "restartPolicy": "Never",
                "ipAddress": {
                    "ports": [
                        {
                            "protocol": "TCP",
                            "port": 5432
                        }
                    ],
                    "type": "Public",
                    "dnsNameLabel": "[parameters('containerGroups_sofpostgres_name')]",
                    "autoGeneratedDomainNameLabelScope": "Unsecure"
                },
                "osType": "Linux",
                "volumes": [
                    {
                        "name": "azurefile",
                        "azureFile": {
                            "shareName": "soffileshare",
                            "storageAccountName": "sofstorageacct"
                        }
                    }
                ]
            }
        }
    ]
}

Arko 335 Microsoft External Staff

Hi Pablo Schor, looks like you are still facing the data directory ownership issue, even after following the correct approach. Kindly ensure that the Azure File Share is mounted with the right UID/GID.

Try with this-


az container create \

  --resource-group "arkorg" \

  --name "arkpostgres2025" \

  --image "arkacr2025.azurecr.io/postgres:17.4" \

  --cpu 2 \

  --memory 4 \

  --ports 5432 \

  --environment-variables POSTGRES_PASSWORD="abcdefghijk" \

  --environment-variables POSTGRES_INITDB_ARGS="--username=postgres --pwfile=/var/lib/postgresql/data/passwordfile" \

  --azure-file-volume-account-name "arkstorageacct2025" \

  --azure-file-volume-account-key $STORAGE_KEY \

  --azure-file-volume-share-name "arkfileshare2025" \

  --azure-file-volume-mount-path "/var/lib/postgresql/data" \

  --dns-name-label "arkpostgres2025" \

  --registry-login-server "arkacr2025.azurecr.io" \

  --registry-username "arkacr2025" \

  --registry-password "abcdefghijk" \

  --command-line "sh -c 'touch /var/lib/postgresql/data/passwordfile && echo \$POSTGRES_PASSWORD > /var/lib/postgresql/data/passwordfile && chmod 600 /var/lib/postgresql/data/passwordfile && exec docker-entrypoint.sh postgres'"

here, POSTGRES_INITDB_ARGS="--username=postgres --pwfile=/var/lib/postgresql/data/passwordfile", will ensure that PostgreSQL doesn’t fail on initialization.

Secondly post creating your file share, in this case (arkfileshare2025), you can mount the file share manually before running PostgreSQL and try writing something inside it just to check. If this fails, then your File Share has incorrect permissions.

1 answer

Your answer

Venkat V 775 Reputation points Microsoft External Staff

2025-03-03T16:29:47.1933333+00:00

Hi @Pablo Schor

Can you please check if the image is running locally using the command below and share the result screenshot?

docker run -it --rm -e POSTGRES_USER=admin -e POSTGRES_PASSWORD=Welcome@123$ -e POSTGRES_DB=mydatabase venaktacr.azurecr.io/postgres:17.4

The error you encountered above is due to a permission issue. Since ACI does not allow changing ownership (chown) of mounted Azure File Share directories, we must initialize PostgreSQL in a subdirectory (PGDATA) where PostgreSQL can write without permission issues.

Your PostgreSQL container in ACI is failing due to incorrect ownership of/var/lib/postgresql/data, which is mounted as root because it is using Azure File Share.Modify your deployment to set PGDATA to a subdirectory inside:/var/lib/postgresql/data
Pablo Schor 0 Reputation points

2025-03-03T17:16:26.62+00:00

Yes, the container works fine when I run your docker command locally, no issues. I understand that since the azure file share runs under root instead of the postgres user this fails. Question: how can I change the az container create statement to tell Azure to mount the volume with postgres instead of root?
Arko 335 Reputation points Microsoft External Staff

2025-03-04T12:39:49.4133333+00:00

Hello Pablo Schor,

To deploy PostgreSQL on Azure Container Instance

Create Azure Storage and File Share

az storage account create ` --name "arkstorageacct2025" ` --resource-group "arkorg" ` --location "East US" ` --sku "Standard_LRS"

retrieve your storage account key

$STORAGE_KEY = az storage account keys list ` --resource-group "arkorg" ` --account-name "arkstorageacct2025" ` --query "[0].value" ` --output tsv Write-Host "Storage Key: $STORAGE_KEY"

Create one File Share

az storage share create ` --name "arkfileshare2025" ` --account-name "arkstorageacct2025" ` --account-key $STORAGE_KEY

Push your PostgreSQL image to ACR

az acr login --name "arkacr2025" --username "arkacr2025" --password "abcdefgh"

docker pull postgres:17.4 docker tag postgres:17.4 arkacr2025.azurecr.io/postgres:17.4 docker push arkacr2025.azurecr.io/postgres:17.4

Done. Now you can deploy PostgreSQL on ACI and mount your File Share

az container create ` --resource-group "arkorg" ` --name "arkpostgres2025" ` --image "arkacr2025.azurecr.io/postgres:17.4" ` --cpu 2 ` --memory 4 ` --ports 5432 ` --environment-variables POSTGRES_PASSWORD="abcdefghijk" ` --azure-file-volume-account-name "arkstorageacct2025" ` --azure-file-volume-account-key $STORAGE_KEY ` --azure-file-volume-share-name "arkfileshare2025" ` --azure-file-volume-mount-path "/var/lib/postgresql/data" ` --dns-name-label "arkpostgres2025" ` --registry-login-server "arkacr2025.azurecr.io" ` --registry-username "arkacr2025" ` --registry-password "abcdefghijk" ` --command-line "sh -c 'chown -R 999:999 /var/lib/postgresql/data && exec docker-entrypoint.sh postgres'"
Pablo Schor 0 Reputation points

2025-03-04T20:27:37.4033333+00:00

And the container exported template:

{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "containerGroups_sofpostgres_name": { "defaultValue": "sofpostgres", "type": "String" } }, "variables": {}, "resources": [ { "type": "Microsoft.ContainerInstance/containerGroups", "apiVersion": "2024-10-01-preview", "name": "[parameters('containerGroups_sofpostgres_name')]", "location": "eastus", "properties": { "sku": "Standard", "containers": [ { "name": "[parameters('containerGroups_sofpostgres_name')]", "properties": { "image": "sofacr.azurecr.io/postgres:17.4", "command": [ "sh", "-c", "chown -R 999:999 /var/lib/postgresql/data && exec docker-entrypoint.sh postgres" ], "ports": [ { "protocol": "TCP", "port": 5432 } ], "environmentVariables": [ { "name": "POSTGRES_PASSWORD", "value": "xxxxx" } ], "resources": { "requests": { "memoryInGB": 4, "cpu": 2 } }, "volumeMounts": [ { "name": "azurefile", "mountPath": "/var/lib/postgresql/data" } ] } } ], "initContainers": [], "imageRegistryCredentials": [ { "server": "sofacr.azurecr.io", "username": "sofacr" } ], "restartPolicy": "Never", "ipAddress": { "ports": [ { "protocol": "TCP", "port": 5432 } ], "type": "Public", "dnsNameLabel": "[parameters('containerGroups_sofpostgres_name')]", "autoGeneratedDomainNameLabelScope": "Unsecure" }, "osType": "Linux", "volumes": [ { "name": "azurefile", "azureFile": { "shareName": "soffileshare", "storageAccountName": "sofstorageacct" } } ] } } ] }
Arko 335 Reputation points Microsoft External Staff

2025-03-10T08:40:39.17+00:00

Hi Pablo Schor, looks like you are still facing the data directory ownership issue, even after following the correct approach. Kindly ensure that the Azure File Share is mounted with the right UID/GID.

Try with this-

az container create \ --resource-group "arkorg" \ --name "arkpostgres2025" \ --image "arkacr2025.azurecr.io/postgres:17.4" \ --cpu 2 \ --memory 4 \ --ports 5432 \ --environment-variables POSTGRES_PASSWORD="abcdefghijk" \ --environment-variables POSTGRES_INITDB_ARGS="--username=postgres --pwfile=/var/lib/postgresql/data/passwordfile" \ --azure-file-volume-account-name "arkstorageacct2025" \ --azure-file-volume-account-key $STORAGE_KEY \ --azure-file-volume-share-name "arkfileshare2025" \ --azure-file-volume-mount-path "/var/lib/postgresql/data" \ --dns-name-label "arkpostgres2025" \ --registry-login-server "arkacr2025.azurecr.io" \ --registry-username "arkacr2025" \ --registry-password "abcdefghijk" \ --command-line "sh -c 'touch /var/lib/postgresql/data/passwordfile && echo \$POSTGRES_PASSWORD > /var/lib/postgresql/data/passwordfile && chmod 600 /var/lib/postgresql/data/passwordfile && exec docker-entrypoint.sh postgres'"

here, POSTGRES_INITDB_ARGS="--username=postgres --pwfile=/var/lib/postgresql/data/passwordfile", will ensure that PostgreSQL doesn’t fail on initialization.

Secondly post creating your file share, in this case (arkfileshare2025), you can mount the file share manually before running PostgreSQL and try writing something inside it just to check. If this fails, then your File Share has incorrect permissions.

Answer 1

Hello, @Pablo Schor !

Why am I running into a wrong ownership / server must be started by the user that owns the data directory error when creating a PostgreSQL container instance with Azure Container Instances?

This is a bit of a gray area as the error you are running into is a PostgreSQL error rather than an ACI error so as a quick disclaimer, I should point out that PostgreSQL is not my area of expertise. Having said that, we did speak with the database team who reminded us that Azure Database for PostgreSQL may be a good solution for this scenario with less overhead. If you are still interested in trying to run this on ACI, I'll do my best to point you in the right direction however it is not recommended.

Encountering wrong ownership / server must be started by the user that owns the data directory is a common PostgreSQL issue that stems from the root folder location requirement which conflicts with the dependency Azure Container Instances (ACI) has on Azure FileShares for their volume mounts.

While there are workarounds, they are not generally advised. I've reached out directly to the ACI team for official guidance regarding PostgreSQL on ACI and will let you know if I learn more.

From Rich Kurtzman's blog, Why you should use Azure Database for PostGreSQL storage:

Azure Container Instances is not a Solution Azure Container Instances (ACI) is a service provided by Microsoft Azure that allows users to easily run containers in the cloud without the need to manage any underlying infrastructure. Unfortunately, you can’t just use Azure Container Instances as a storage option for a PostgreSQL database. PostgreSQL requires the folder in which the volume is mounted to be owned by a different user, not the “root” user. Azure Container Instances must use Azure FileShares as their volume mounts, and these do NOT support the "chown" command for changing ownership. That’s why you can’t simply use Azure Container Instances as a storage option. While you could potentially use Azure Container Instances to host a PostgreSQL database by building a custom container image that includes PostgreSQL, this would not be a recommended production deployment target because you would be responsible for managing the database infrastructure yourself.

From Charles Xu on Stack Overflow:

This is a known error for mounting Azure File Share to Azure Container Instance. Currently, it does not support to change the ownership of the mount point. If you do not want to use other services, then you need to create a script to move the data to the mount point and the mount point should be a new folder that does not exist in the image. For you, the mount point /var/lib/postgresql/data exists in the image and contains the files that Postgresql depends on, then this point cannot be the mount point.

I hope this helps!

Resources:

Share via

Problem deploying Container Instance of PostgreSQL database server mounted on file share

1 answer

Your answer