create a symlink in an unprivileged container error - docker

I'm running K8s deployment and trying to harden the security of one of my pod and because of that I started using the following docker image:
nginxinc/nginx-unprivileged:alpine
The problem is that I need to create a symlink and cannot get it done.
Here is the structure of my dockerfile
FROM nginxinc/nginx-unprivileged:alpine
ARG name
ARG ver
USER root
COPY ./outbox/${name}-${ver}.tgz ./
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./mime.types /etc/nginx/mime.types
COPY ./about.md ./
RUN mv /${name}-${ver}.tgz /usr/share/nginx/html
WORKDIR /usr/share/nginx/html
RUN tar -zxf ${name}-${ver}.tgz \
&& mv ngdist/* . \
&& mv /about.md ./assets \
&& rm -fr ngdist web-ui-${ver}.tgz \
&& mkdir -p /tmp/reports
RUN chown -R 1001 /usr/share/nginx/html/
COPY ./entrypoint.sh.${name} /bin/entrypoint.sh
RUN chown 1001 /bin/entrypoint.sh
USER 1001
EXPOSE 8080
CMD [ "/bin/entrypoint.sh" ]
and here my entrypoint.sh
#!/bin/sh
ln -s /tmp/reports /usr/share/nginx/html/reports
and here is my container in the pod deployment yaml file
containers:
- name: web-ui
image: "myimage"
imagePullPolicy: Always
ports:
- containerPort: 8080
name: web-ui
volumeMounts:
- name: myvolume
mountPath: /tmp/reports
I tried to set the entrypoint under the root execution but that did not help either, the error i'm getting is this:
Error: failed to start container "web-ui": Error response from daemon:
OCI runtime create failed: container_linux.go:380: starting container
process caused: exec: "/bin/entrypoint.sh": permission denied: unknown

Like other Linux commands, a Docker container's main CMD can't run if the program it names isn't executable.
Most source-control systems will track whether or not a file is executable, and Docker COPY will preserve that permission bit. So the best way to address this is to make the scripts executable on the host:
chmod +x entrypoint.sh.*
git add entrypoint.sh.*
git commit -m 'make entrypoint scripts executable'
docker-compose build
docker-compose up -d
If that's not an option, you can fix this up in the Dockerfile too.
COPY ./entrypoint.sh.${name} /bin/entrypoint.sh
RUN chmod 0755 /bin/entrypoint.sh
Like other things in /bin, the script should usually be owned by root, executable by everyone, and writable only by its owner; you do not generally want the application to have the ability to overwrite its own code.

Related

Why my bind mounts don't actually bind some files?

I've got some Python app which used bind mounts to mount code into container, so I don't have to build container on each code change, like this:
app:
volumes:
- type: bind
source: ./findface
target: /app/findface
And it was working fine. But now I also want to bind my startup script, which is invoked from Dockerfile:
app:
volumes:
- type: bind
source: ./findface
target: /app/findface
- type: bind
source: ./startup.sh
target: /app
And this one just doesn't bind. There is an actual file in the host filesystem, but when I build the container it can't find it:
Step 7/8 : RUN chmod +x startup.sh
---> Running in ecaae384b6e5
chmod: cannot access 'startup.sh': No such file or directory
ERROR: Service 'app' failed to build: The command '/bin/sh -c chmod +x startup.sh' returned a non-zero code: 1
What am I doing wrong?
Dockerfile itself:
FROM jjanzic/docker-python3-opencv:latest
ENV PYTHONUNBUFFERED=1
RUN pip install --no-cache-dir gunicorn[eventlet]
WORKDIR /app
COPY ./requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
RUN chmod +x startup.sh
CMD "./startup.sh"
Base on your comment, then you do not need set permission at build stage as the file is not exist at build time, if you do not want to copy at build stage, set permission on the host to make executable and then bind with docker run command or as per the yml config that you mentioned.
CMD "/app/startup.sh"
for example
docker run -it --rm -v $PWD/startup.sh:/app/startup.sh my_image

Docker build "no such file or directory" error

RUN adduser -D appUser
RUN mkdir /usr/share/app
RUN mkdir /logs
ADD Function/target/foo.jar /usr/share/app
WORKDIR /usr/share/app
RUN chown -R appUser /usr/share/app
RUN chown -R appUser /logs
USER appUser
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "foo.jar"]`
I've got this weird issue I can't seem to work my head around.
My root folder contains two directories, (both with subdirectories) 'Demo/Dockerfile' and 'Function/target/foo.jar'
I have a copy command in my Dockerfile that reads
COPY Function/target/foo.bar /usr/share/app
but when I run docker build -f Demo/Dockerfile from the root folder, I get an error
stat /var/lib/docker/tmp/docker-builder238823934/Function/target/foo.jar: no such file or directory
I find this a bit strange because when I edit the copy command to read COPY /target/foo.bar /usr/share/app and then I cd into the Function directory and run
docker build -f ../Demo/Dockerfile
it builds successfully, or if I edit the Dockerfile to read COPY foo.bar /usr/share/app and then cd into the target directory and run docker build -f ../../Demo/Dockerfile, this also works.
Is there an explanation for this sort of behavior?
This is what my dockerignore file looks like
!**/Dockerfile
!DockerServiceDescription/**
!Function/target/*.war
!server.xml
!tomcat-users.xml
Docker uses context directory and children only and does not allow using any files outside for security reasons.
You should show context directory to docker using '.' or so:
cd myproject
docker build -f Demo/Dockerfile .

docker nginx container doesn't contain nginx?

I have a laravel project that runs on a single docker container.
I use docker-composer.yml to configure the container. I use nginx:latest base image in my Dockerfile. For some reason when I tried to launch my project with command docker-compose up I got this error:
web_1 | 2019-05-10 15:51:14,035 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:15,037 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:17,040 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:20,050 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:20,050 INFO gave up: nginx entered FATAL state, too many start retries too quickly
I was suprised so I took a look inside the container with docker exec -ti mycontainername bash and I couldn't find nginx anywhere. I tried with nginx -v,
whereis nginx , cd /etc/nginx <-- directory didn't exist.
So i tried to create a simple container, which containts only nginx. I should theoretically be able to go to localhost:80 and see the Nginx welcome message, right?
docker run --rm -d -p 80:80 --name my-nginx nginx
well there was no message and when I took a look inside the container
docker exec my-nginx I couldn't find nginx anywhere, but if I ran the command apt-get nginx it showed that nginx is already the latest version.
FULL DOCKER-COMPOSE.YML
version: '1'
services:
web:
build:
context: ./
# dockerfile: web.dockerfile
working_dir: /var/www/html
# volumes_from:
# - app
ports:
- 8080:80
volumes:
- ./:/var/www/html
- /var/run/docker.sock:/var/run/docker.sock
environment:
full Dockerfile:
FROM nginx:latest
RUN apt-get update && apt-get install -y php-gd
RUN apt-get -y install php7.2-zip
#COPY app /var/www/html/app
#COPY artisan /var/www/html/app/artisan
#COPY bootstrap /var/www/html/bootstrap
#COPY config /var/www/html/config
#COPY database /var/www/html/database
#COPY public /var/www/html/public
#COPY resources /var/www/html/resources
#COPY routes /var/www/html/routes
#COPY storage /var/www/html/storage
#COPY vendor /var/www/html/vendor
#COPY artisan /var/www/html/artisan
#COPY composer.json /var/www/html/composer.json
COPY entrypointcust.sh /entrypointcust.sh
RUN chmod +x /entrypointcust.sh
EXPOSE 80
WORKDIR /var/www/html/old
# Add crontab file in the cron directory
ADD cron /etc/cron.d/appcron
# Give execution rights on the cron job
RUN chmod 0644 /etc/cron.d/appcron
RUN /usr/bin/crontab /etc/cron.d/appcron
# Create the log file to be able to run tail
#RUN touch /var/log/cron.log
#RUN touch /var/www/html/storage/logs/laravel.log
#RUN chown -R www-data:www-data /var/www/html
#RUN chmod -R 777 /var/www/html/storage
ENTRYPOINT ["/bin/bash", "-c", "/entrypointcust.sh"]
What am I missing?

Openshift Nginx permission problem [nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)]

I am currently running into a problem trying to set up nginx:alpine in Openshift.
My build runs just fine but I am not able to deploy with permission being denied with the following error
2019/01/25 06:30:54 [emerg] 1#1: mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
nginx: [emerg] mkdir() "/var/cache/nginx/client_temp" failed (13: Permission denied)
Now I know Openshift is a bit tricky when it comes to permissions as the container is running without root privilidges and the UID is gerenated on runetime which means it's not available in /etc/passwd. But the user is part of the group root. Now how this is supposed to be handled is being described here
https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html#openshift-container-platform-specific-guidelines
I even went further and made the whole /var completely accessible (777) for testing purposes but I still get the error. This is what my Dockerfile looks like
Dockerfile
FROM nginx:alpine
#Configure proxy settings
ENV HTTP_PROXY=http://my.proxy:port
ENV HTTPS_PROXY=http://my.proxy:port
ENV HTTP_PROXY_AUTH=basic:*:username:password
WORKDIR /app
COPY . .
# Install node.js
RUN apk update && \
apk add nodejs npm python make curl g++
# Build Application
RUN npm install
RUN ./node_modules/#angular/cli/bin/ng build
COPY ./dist/my-app /usr/share/nginx/html
# Configure NGINX
COPY ./openshift/nginx/nginx.conf /etc/nginx/nginx.conf
COPY ./openshift/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
chmod -R 777 /var
RUN sed -i.bak 's/^user/#user/' /etc/nginx/nginx.conf
EXPOSE 8080
It's funny that this approach just seems to effekt the alpine version of nginx. nginx:latest (based on debian I think) has no issues and the way to set it up described here
https://torstenwalter.de/openshift/nginx/2017/08/04/nginx-on-openshift.html
works. (but i am having some other issues with that build so I switched to alpine)
Any ideas why this is still not working?
I was using openshift, with limited permissions, so I fixed this problem by using the following nginx image (rather than nginx:latest)
FROM nginxinc/nginx-unprivileged
To resolve this. I think the Problem in this Dockerfile was that I used the COPY command to move my build and that did not exist. So here is my working
Dockerfile
FROM nginx:alpine
LABEL maintainer="ReliefMelone"
WORKDIR /app
COPY . .
# Install node.js
RUN apk update && \
apk add nodejs npm python make curl g++
# Build Application
RUN npm install
RUN ./node_modules/#angular/cli/bin/ng build --configuration=${BUILD_CONFIG}
RUN cp -r ./dist/. /usr/share/nginx/html
# Configure NGINX
COPY ./openshift/nginx/nginx.conf /etc/nginx/nginx.conf
COPY ./openshift/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
RUN chgrp -R root /var/cache/nginx /var/run /var/log/nginx && \
chmod -R 770 /var/cache/nginx /var/run /var/log/nginx
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
Note that under the Build Application section I now do
RUN cp -r ./dist/. /usr/share/nginx/html
instead of
COPY ./dist/my-app /usr/share/nginx/html
The copy will not work as I previously ran the ng build inside of the container the dist will only exist in the container as well, so I need to execute the copy command inside of that container
Had the same error on my nginx:alpine Dockerfile
There is already a user called nginx in the nginx:alpine image. My guess is that it's cleaner to use it to run nginx.
Here is how I resolved it:
Set the owner of /var/cache/nginx to nginx (user 101, group 101)
Create a /var/run/nginx.pid and set the owner to nginx as well
Copy all the files to the image using --chown=nginx:nginx
FROM nginx:alpine
RUN touch /var/run/nginx.pid && \
chown -R nginx:nginx /var/cache/nginx /var/run/nginx.pid
USER nginx
COPY --chown=nginx:nginx my/html/files /usr/share/nginx/html
COPY --chown=nginx:nginx config/myapp/default.conf /etc/nginx/conf.d/default.conf
...
If you're here because you failed to deploy an example helm chart (e.g: helm create mychart), do just like #quasipolynomial suggested but instead change your deployment file pull the right image.
i.e
containters:
- image: nginxinc/nginx-unprivileged
more info on the official unprivileged image: https://github.com/nginxinc/docker-nginx-unprivileged
You may change the folder using the nginx.conf file. You can read more information in the section Running nginx as a non-root user.
May or may not be a step in the right direction (especially helpful for those who came here looking for general help on the [emerg] mkdir() ... failed error).
This solution counts from Builing nginx from source.
It took me about seven hours to realize the solution is directly related to the prefix path set in compiling nginx.
This is where my configuration throws off nginx (as a very brief example), compiled from this nginx source:
sudo ./auto/configure \
--prefix=/usr/local/nginx \
--http-client-body-temp-path=/tmp/nginx/client-body-temp \
--http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp
Without realizing it, I was setting the prefix to /usr/local/nginx but setting the client body temp path & fastcgi temp path to a directory inside /tmp/nginx.
It's basically breaking nginx's ability to access the correct files, because the temp paths are not correlated to the prefix path.
So I fixed it by (again, super simple configure as an example):
sudo ./auto/configure \
--prefix=/usr/local/nginx \
--http-client-body-temp-path=/usr/local/nginx/client_body_temp \
--http-fastcgi-temp-path=/usr/local/nginx/fastcgi_temp \
Further simplified:
sudo ./auto/configure \
--prefix=/usr/local/nginx \
--http-client-body-temp-path=/client_body_temp \
--http-fastcgi-temp-path=/fastcgi_temp \
Again, not guaranteed to work, but definitely a step in the right direction.
run the below command to fix the above issue. The anyuid security context constraint required.
oc adm policy add-scc-to-user anyuid system:serviceaccount:<NAMESPACE>:default

Error: Starting container process caused "exec: \"/docker-entrypoint.sh\": permission denied"

I'm trying to build docker-compose, but I'm getting this error:
ERROR: for indicaaquicombrold_mysqld_1 Cannot start service mysqld:
oci runtime error: container_linux.go:247: starting container process
caused "exec: \"/docker-entrypoint.sh\": permission denied"
ERROR: for mysqld Cannot start service mysqld: oci runtime error:
container_linux.go:247: starting container process caused "exec:
\"/docker-entrypoint.sh\": permission denied"
ERROR: Encountered errors while bringing up the project.
docker-compose.yml
version: '3'
services:
php:
build:
context: ./docker/php
image: indicaaqui.com.br:tag
volumes:
- ./src:/var/www/html/
- ./config/apache-config.conf:/etc/apache2/sites-enabled/000-default.conf
ports:
- "80:80"
- "443:443"
mysqld:
build:
context: ./docker/mysql
environment:
- MYSQL_DATABASE=db_indicaaqui
- MYSQL_USER=indicaqui
- MYSQL_PASSWORD=secret
- MYSQL_ROOT_PASSWORD=docker
volumes:
- ./config/docker-entrypoint.sh:/docker-entrypoint.sh
- ./database/db_indicaaqui.sql:/docker-entrypoint-initdb.d/db_indicaaqui.sql
Dockerfile (php)
FROM php:5.6-apache
MAINTAINER Limup <limup#outlook.com>
CMD [ "php" ]
RUN docker-php-ext-install pdo_mysql
# Enable apache mods.
# RUN a2enmod php5.6
RUN a2enmod rewrite
# Expose apache.
EXPOSE 80
EXPOSE 443
# Use the default production configuration
# RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
RUN mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"
# Override with custom opcache settings
# COPY ./../../config/php.ini $PHP_INI_DIR/conf.d/
# Manually set up the apache environment variables
ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2
ENV APACHE_LOCK_DIR /var/lock/apache2
ENV APACHE_PID_FILE /var/run/apache2.pid
# Update the PHP.ini file, enable <? ?> tags and quieten logging.
RUN sed -i "s/short_open_tag = Off/short_open_tag = On/" "$PHP_INI_DIR/php.ini"
RUN sed -i "s/error_reporting = .*$/error_reporting = E_ERROR | E_WARNING | E_PARSE/" "$PHP_INI_DIR/php.ini"
RUN a2dissite 000-default.conf
RUN chmod -R 777 /etc/apache2/sites-enabled/
WORKDIR /var/www/html/
# By default start up apache in the foreground, override with /bin/bash for interative.
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
Dockerfile (Mysql)
FROM mariadb:latest
RUN chmod -R 777 /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 3306
CMD ["mysqld"]
Please, help me solve this problem!
Any ideas?
That is most likely a Linux file permission issue on config/docker-entrypoint.sh. If your host is Linux/Mac, you can run:
chmod 755 config/docker-entrypoint.sh
For more on linux permissions, here's a helpful article: https://www.linux.com/learn/understanding-linux-file-permissions
First, you need to copy entrypoint.sh file into other directory instead of same your source code (Eg. /home/entrypoint.sh), then grant permission to execute entrypoint script:
RUN ["chmod", "+x", "/home/entrypoint.sh"]
Solution
ENV USER root
ENV WORK_DIR_PATH /home
RUN mkdir -p $WORK_DIR_PATH && chown -R $USER:$USER $WORK_DIR_PATH
WORKDIR $WORK_DIR_PATH
Info
The USER instruction sets the user name (or UID) and optionally the user group (or GID) to use when running the image and for any RUN, CMD and ENTRYPOINT instructions that follow it in the Dockerfile.
The WORKDIR instruction sets the working directory for any RUN, CMD, ENTRYPOINT, COPY and ADD instructions that follow it in the Dockerfile. If the WORKDIR doesn’t exist, it will be created even if it’s not used in any subsequent Dockerfile instruction.
Links
chown command
docker builder reference
A pretty common solution if nothing works is to re-install Docker.. That's what ended up working for me after trying for like 5 hours everything under the sun in terms of permissions etc.

Resources