I'm trying to build a Docker image using a user other than root. My Dockerfile looks like
FROM ruby:2.7.1-alpine3.12
...
# Add user
RUN addgroup --system cetacean && \
adduser --system mobydick --ingroup cetacean --no-create-home
USER mobydick
...
# Copy startup files
COPY --chown=mobydick:cetacean docker/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
COPY --chown=mobydick:cetacean docker/docker-entrypoint.d/* /docker-entrypoint.d/
COPY --chown=mobydick:cetacean docker/docker-entrypoint.sh /docker-entrypoint.sh
But, when I try to start a container I get:
ERROR: for app Cannot start service app: OCI runtime create failed:
container_linux.go:349: starting container process caused "exec:
"/docker-entrypoint.sh": permission denied": unknown
From my understanding, using --chown=mobydick:cetacean when copying the files should set the appropriate permissions.
What am I missing here?
What is the version of docker you are using. This is working only for version v17.09.0-ce and newer as explain here. If your are usin an older version, you can copy then change the permission.
Related
I have a Dockerfile that successfully runs many RUN steps as root. It then successfully adds a user via useradd. I then want to run commands as that user. As far as I understand it, that is the purpose of USER. However, when docker build spins up a container as that USER for the subsequent RUN step, I get the following /dev/stdout permission denied failure:
---> Running in 4b62b45b7405
failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to setup user: chown /dev/stdout: permission denied: unknown
I'm running on a CentOS 7 host.
Here is a minimal example that reproduces the problem on my system:
FROM centos:7
ARG username
RUN useradd \
--home-dir /home/$username \
--gid users \
--shell /bin/bash \
--create-home \
$username
WORKDIR /home/$username
USER $username
# Any RUN command as USER $username seems to fail.
RUN touch /tmp/d
Note that the touch command should be pretty innocuous, and shouldn't even try to write to stdout (I assume). Yet I get the following error when running docker build with this Dockerfile:
╰─➤ docker build --tag deleteme --build-arg username=bneradt .
Sending build context to Docker daemon 2.048kB
Step 1/6 : FROM centos:7
---> eeb6ee3f44bd
Step 2/6 : ARG username
---> Using cache
---> 8959f85f143c
Step 3/6 : RUN useradd --home-dir /home/$username --gid users --shell /bin/bash --create-home $username
---> Using cache
---> 60ede7eea71a
Step 4/6 : WORKDIR /home/$username
---> Using cache
---> 55255db14c51
Step 5/6 : USER $username
---> Using cache
---> 4feac8162035
Step 6/6 : RUN touch /tmp/d
---> Running in 2fdbfdf266e7
failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: unable to setup user: chown /dev/stdout: permission denied: unknown
I seem to be running a recent version of docker (at the time of posting this):
╰─➤ docker --version
Docker version 20.10.17, build 100c701
I assume something simple has to be wrong. Maybe something with my tty permissions on my host? The USER feature seems so basic, so I assume it shouldn't always be broken for any command as it seems to be for my environment. Can someone help me to get this to work?
Work Around
I have currently worked around the issue by putting all of my user-specific commands in a script file called configure_user, COPY'ing that into the container in the Dockerfile, then RUN'ing the script. Thus:
COPY configure_user /tmp
RUN su $username -c "bash /tmp/configure_user $git_username $git_email"
That works around the issue, but is unfortunate. It makes it so that the commands aren't broken down via RUN commands with intervening docker images at each step. I would still prefer a solution to the /dev/stdout permissions issue if anyone knows of one.
I am trying to build a Kafka-Connect image in Docker:
FROM confluentinc/cp-kafka-connect
RUN confluent-hub install --no-prompt wepay/kafka-connect-bigquery:1.6.1
RUN confluent-hub install --no-prompt confluentinc/connect-transforms:latest
RUN mkdir -p /usr/share/landoop-plugins
COPY kafka-connect-redis-1.2.2-2.1.0-all.jar /usr/share/landoop-plugins/
but it runs as appuser
Step 4/4 : RUN id
---> Running in d2094f6336a7
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
so if I want for example
RUN mkdir -p /usr/share/landoop-plugins
it stops because of root privilages:
mkdir: cannot create directory '/usr/share/landoop-plugins': Permission denied
The command '/bin/sh -c mkdir -p /usr/share/landoop-plugins' returned a non-zero code: 1
I can add USER root at the beginning of Dockerfile:
Step 3/15 : RUN id
---> Running in 6255e2e7ff81
uid=0(root) gid=0(root) groups=0(root)
but then if I ran the container, I am logged as appuser which causes problems with permissions:
[appuser#connect ~]$.
Actually, in source image
confluentinc/cp-kafka-connect:6.0.0
there is a layer USER appuser so my question is how can I build my image as root and then login as root and do not use appuser user. I've tried and USER root does not help.
Is it somehow connected with groups?
groups
gignac sudo docker
I tried docker build and sudo docker build as well
I do something similar, when I need to create my own plugin to Kafka Connect but I don't exactly do it as root.
Simply I put my jars in a place I have permission to write and just configure the plugins Environment Setting
something like this:
FROM confluentinc/cp-kafka-connect:5.5.2
ENV CONNECT_PLUGIN_PATH='/usr/share/java,/usr/share/confluent-hub-components'
COPY converter/* /usr/share/java/kafka-serde-tools/
COPY format/* /usr/share/java/kafka-connect-storage-common/
would this not work?
For installing packages and troubleshooting, we would require root user. Using version 5.5.3 does the trick wherein the APPUSER is not created and root is loaded by default.
The version can be verified by
http://localhost:8083/connectors
which provides the version details.
Im trying to create dir in docker file and I got error during the build
FROM circleci/openjdk:8-jdk-browsers
#RUN chown newuser /dep
#USER newuser
RUN mkdir /dep
The error is:
mkdir: cannot create directory ‘/dep’: Permission denied`
The command `/bin/sh -c mkdir -p /dep` returned a non-zero code: 1
even if I try only dep .
I try to use chown without success, any idea ?
This image is run with the user circleci, you can check this by adding a whoami to a RUN statement in your Dockerfile. This user has no permission to create folders in /. So, you can either create a folder somewhere where this user has the necessary rights (e.g. /home/circleci/dep), or you just go with sudo mkdir.
I am trying using Docker using Dockerfile.
My Dockerfile as follows, where I am using debian linux system.
FROM debian:jessie
ENV DEBIAN_FRONTEND noninteractive
ARG AIRFLOW_VERSION=1.7.1.3
ENV AIRFLOW_HOME /usr/local/airflow
..
..
COPY script/entrypoint.sh /entrypoint.sh
COPY config/airflow.cfg ${AIRFLOW_HOME}/airflow.cfg
..
..
USER airflow
WORKDIR ${AIRFLOW_HOME}
ENTRYPOINT ["/entrypoint.sh"]
So when I run docker build -t test ., it build without problem.
However, when I run docker run -p 8080:8080 test.
It throws following error:
container_linux.go:247: starting container process caused "exec: \"/entrypoint.sh\": permission denied"
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"/entrypoint.sh\": permission denied".
What is I am doing wrong ?
You need to change the permission of the bash file by chmod +x entrypoint.sh before calling ENTRYPOINT. So change your code to the following:
USER airflow
WORKDIR ${AIRFLOW_HOME}
RUN chmod +x entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
Rebuild the image and run the container, it should work.
Since COPY copies files including their metadata, you can also simply change the permissions of the file in the host machine (the one building the Docker image):
$ chmod +x entrypoint.sh
Then, when running docker build -t test . the copied file will have the execution permission and docker run -p 8080:8080 test should work.
Obs.: I'm not advocating this as best practice, but still, it works.
In your terminal, run "chmod +x entrypoint.sh"
or if the entrypoint.sh file is in a folder, run "chmod +x folder_name/entrypoint.sh"
I changed the location of the entrypoint in the dockerfolder and rebuild & it worked!
I created a Dockerfile in my root.
FROM ubuntu:12.04
MAINTAINER Bhim Singh <bhim3003#gmail.com>
RUN apt-get y install java
CMD echo hello
then i tried to run this command : sudo docker build -t bhim3003/myjava .
I am recieving this error:
" Error checking context is accessible: 'can't stat '.gvfs''. Please
check permissions and try again."
And docker image is not created. Any suggestions?
I faced the same issue while working with boot2docker on Windows 7. However I was able to build it successfully after moving dockerfile outside home directory.
In my case this issue is occurred because when we call docker build all files searched in working directory and as docker does not run with administrator privilege cannot access to some files and this error generated.
Solution:
Move to directory which all user can accessed (for example: /c)
Create new directory (sep)
Create Dockerfile in new directory
Run build
commands:
$ cd /c
$ mkdir sep
$ cd sep
$ touch Dockerfile
# vi Dockerfile
# docker build -t fahsep/debian