Error: Starting container process caused "exec: \"/docker-entrypoint.sh\": permission denied" - docker

I'm trying to build docker-compose, but I'm getting this error:
ERROR: for indicaaquicombrold_mysqld_1 Cannot start service mysqld:
oci runtime error: container_linux.go:247: starting container process
caused "exec: \"/docker-entrypoint.sh\": permission denied"
ERROR: for mysqld Cannot start service mysqld: oci runtime error:
container_linux.go:247: starting container process caused "exec:
\"/docker-entrypoint.sh\": permission denied"
ERROR: Encountered errors while bringing up the project.
docker-compose.yml
version: '3'
services:
php:
build:
context: ./docker/php
image: indicaaqui.com.br:tag
volumes:
- ./src:/var/www/html/
- ./config/apache-config.conf:/etc/apache2/sites-enabled/000-default.conf
ports:
- "80:80"
- "443:443"
mysqld:
build:
context: ./docker/mysql
environment:
- MYSQL_DATABASE=db_indicaaqui
- MYSQL_USER=indicaqui
- MYSQL_PASSWORD=secret
- MYSQL_ROOT_PASSWORD=docker
volumes:
- ./config/docker-entrypoint.sh:/docker-entrypoint.sh
- ./database/db_indicaaqui.sql:/docker-entrypoint-initdb.d/db_indicaaqui.sql
Dockerfile (php)
FROM php:5.6-apache
MAINTAINER Limup <limup#outlook.com>
CMD [ "php" ]
RUN docker-php-ext-install pdo_mysql
# Enable apache mods.
# RUN a2enmod php5.6
RUN a2enmod rewrite
# Expose apache.
EXPOSE 80
EXPOSE 443
# Use the default production configuration
# RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini"
RUN mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"
# Override with custom opcache settings
# COPY ./../../config/php.ini $PHP_INI_DIR/conf.d/
# Manually set up the apache environment variables
ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2
ENV APACHE_LOCK_DIR /var/lock/apache2
ENV APACHE_PID_FILE /var/run/apache2.pid
# Update the PHP.ini file, enable <? ?> tags and quieten logging.
RUN sed -i "s/short_open_tag = Off/short_open_tag = On/" "$PHP_INI_DIR/php.ini"
RUN sed -i "s/error_reporting = .*$/error_reporting = E_ERROR | E_WARNING | E_PARSE/" "$PHP_INI_DIR/php.ini"
RUN a2dissite 000-default.conf
RUN chmod -R 777 /etc/apache2/sites-enabled/
WORKDIR /var/www/html/
# By default start up apache in the foreground, override with /bin/bash for interative.
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
Dockerfile (Mysql)
FROM mariadb:latest
RUN chmod -R 777 /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 3306
CMD ["mysqld"]
Please, help me solve this problem!
Any ideas?

That is most likely a Linux file permission issue on config/docker-entrypoint.sh. If your host is Linux/Mac, you can run:
chmod 755 config/docker-entrypoint.sh
For more on linux permissions, here's a helpful article: https://www.linux.com/learn/understanding-linux-file-permissions

First, you need to copy entrypoint.sh file into other directory instead of same your source code (Eg. /home/entrypoint.sh), then grant permission to execute entrypoint script:
RUN ["chmod", "+x", "/home/entrypoint.sh"]

Solution
ENV USER root
ENV WORK_DIR_PATH /home
RUN mkdir -p $WORK_DIR_PATH && chown -R $USER:$USER $WORK_DIR_PATH
WORKDIR $WORK_DIR_PATH
Info
The USER instruction sets the user name (or UID) and optionally the user group (or GID) to use when running the image and for any RUN, CMD and ENTRYPOINT instructions that follow it in the Dockerfile.
The WORKDIR instruction sets the working directory for any RUN, CMD, ENTRYPOINT, COPY and ADD instructions that follow it in the Dockerfile. If the WORKDIR doesn’t exist, it will be created even if it’s not used in any subsequent Dockerfile instruction.
Links
chown command
docker builder reference

A pretty common solution if nothing works is to re-install Docker.. That's what ended up working for me after trying for like 5 hours everything under the sun in terms of permissions etc.

Related

create a symlink in an unprivileged container error

I'm running K8s deployment and trying to harden the security of one of my pod and because of that I started using the following docker image:
nginxinc/nginx-unprivileged:alpine
The problem is that I need to create a symlink and cannot get it done.
Here is the structure of my dockerfile
FROM nginxinc/nginx-unprivileged:alpine
ARG name
ARG ver
USER root
COPY ./outbox/${name}-${ver}.tgz ./
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./mime.types /etc/nginx/mime.types
COPY ./about.md ./
RUN mv /${name}-${ver}.tgz /usr/share/nginx/html
WORKDIR /usr/share/nginx/html
RUN tar -zxf ${name}-${ver}.tgz \
&& mv ngdist/* . \
&& mv /about.md ./assets \
&& rm -fr ngdist web-ui-${ver}.tgz \
&& mkdir -p /tmp/reports
RUN chown -R 1001 /usr/share/nginx/html/
COPY ./entrypoint.sh.${name} /bin/entrypoint.sh
RUN chown 1001 /bin/entrypoint.sh
USER 1001
EXPOSE 8080
CMD [ "/bin/entrypoint.sh" ]
and here my entrypoint.sh
#!/bin/sh
ln -s /tmp/reports /usr/share/nginx/html/reports
and here is my container in the pod deployment yaml file
containers:
- name: web-ui
image: "myimage"
imagePullPolicy: Always
ports:
- containerPort: 8080
name: web-ui
volumeMounts:
- name: myvolume
mountPath: /tmp/reports
I tried to set the entrypoint under the root execution but that did not help either, the error i'm getting is this:
Error: failed to start container "web-ui": Error response from daemon:
OCI runtime create failed: container_linux.go:380: starting container
process caused: exec: "/bin/entrypoint.sh": permission denied: unknown
Like other Linux commands, a Docker container's main CMD can't run if the program it names isn't executable.
Most source-control systems will track whether or not a file is executable, and Docker COPY will preserve that permission bit. So the best way to address this is to make the scripts executable on the host:
chmod +x entrypoint.sh.*
git add entrypoint.sh.*
git commit -m 'make entrypoint scripts executable'
docker-compose build
docker-compose up -d
If that's not an option, you can fix this up in the Dockerfile too.
COPY ./entrypoint.sh.${name} /bin/entrypoint.sh
RUN chmod 0755 /bin/entrypoint.sh
Like other things in /bin, the script should usually be owned by root, executable by everyone, and writable only by its owner; you do not generally want the application to have the ability to overwrite its own code.

Docker context on remote server “Error response from daemon: invalid volume specification”

I am using docker context to deploy my local container to my debian webserver. I use Docker Desktop for Windows on Windows 10. The app is written using Flask.
At some point I tried “docker-compose up --build” after “docker context use remote” and I was getting the following error:
Error response from daemon: invalid volume specification: ‘C:\Users\user\fin:/fin:rw’
Locally everything works fine when I try to deploy it to the production server the error pops up.
The Dockerfile looks like the following:
FROM python:3.8-slim-buster
ENV INSTALL_PATH /app
RUN mkdir -p $INSTALL_PATH
WORKDIR $INSTALL_PATH
ENV PATH="/home/user/.local/bin:${PATH}"
COPY . ./
# set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1
RUN useradd -ms /bin/bash user && chown -R user $INSTALL_PATH
USER user
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt
RUN pip install --upgrade pip
CMD gunicorn -c "python:config.gunicorn" "fin.app:create_app()"
while an excerpt of the docker-compose.yml look like the following:
version: '3.8'
services:
flask-app:
container_name: flask-app
restart: always
build: .
command: >
gunicorn -c "python:config.gunicorn" "fin.app:create_app()"
environment:
PYTHONUNBUFFERED: 'true'
volumes:
- '.:/fin'
ports:
- 8000:8000
env_file:
- '.env'
In the .env file the option
COMPOSE_CONVERT_WINDOWS_PATHS=1 is set.
At some point I tried the same procedure using WSL2 with Ubuntu installed, which led to the following message:
Error response from daemon: create \\wsl.localhost\Ubuntu-20.04\home\user\fin: "\\\\wsl.localhost\\Ubuntu-20.04\\home\\user\\fin" includes invalid characters for a local volume name, only "[a-zA-Z0-9][a-zA-Z0-9_.-]" are allowed. If you intended to pass a host directory, use absolute path
Based on this message I changed the Dockerfile to:
FROM python:3.8-slim-buster
ENV INSTALL_PATH=/usr/src/app
RUN mkdir -p $INSTALL_PATH
WORKDIR $INSTALL_PATH
ENV PATH=/home/user/.local/bin:${PATH}
COPY . /usr/src/app/
# set environment variables
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1
#ENV COMPOSE_CONVERT_WINDOWS_PATHS=1
RUN useradd -ms /bin/bash user && chown -R user $INSTALL_PATH
USER user
COPY requirements.txt /usr/src/app/requirements.txt
RUN pip install -r requirements.txt
RUN pip install --upgrade pip
CMD gunicorn -c "python:config.gunicorn" "fin.app:create_app()"
But still the error remains, and I have to clue how to solve it.
Thank you in advance for your help.
You are getting invalid volume specification: ‘C:\Users\user\fin:/fin:rw’ in your production environment is because, the host path C:\Users\user\fin isn't available. You can remove it when you are deploying or change it to an absolute path which is available in your production environment as below.
volumes:
- '/root:/fin:rw'
where /root is a directory available in my production environment.
/path:/path/in/container mounts the host directory, /path at the /path/in/container
path:/path/in/container creates a volume named path with no relationship to the host.
Note the slash at the beginning. if / is present it will be considered as a host directory, else it will be considered as a volume
use this (without quotes and with a slash so it knows you mean this folder):
volumes:
- ./:/fin

Docker - Permission denied # rb_sysopen - Image installation path overwriting a volume - changes not reflected

Trying to sort this permission error on Ubuntu, when trying to run my containers using dockerfile and docker-compose.yml
Exiting
/usr/local/bundle/gems/rack-2.2.3/lib/rack/server.rb:433:in `initialize': Permission denied # rb_sysopen - /home/api/limpar/current/tmp/pids/server.pid (Errno::EACCES)
Dockerfile
FROM ruby:2.7.1
ENV LANG C.UTF-8
ENV NODE_VERSION 12
ENV NODE_ENV production
ENV INSTALL_PATH /home/api/limpar/current
.
(...)
RUN mkdir -p $INSTALL_PATH
WORKDIR $INSTALL_PATH
COPY Gemfile Gemfile.lock ./
RUN gem install bundler
RUN bundle install
COPY . $INSTALL_PATH
RUN rm -rf tmp
RUN useradd -Ms /bin/bash api -u 1001
RUN chown -R api:api /home/api /usr/local/bundle
USER api
EXPOSE 3000
CMD rails server -p 3000 -b 0.0.0.0
docker-compose.yml
api:
container_name: limpar-api
image: limpar-api
build: .
command: bundle exec rails s -p 3000 -b '0.0.0.0'
env_file:
- .env
volumes:
- ./:/home/api/limpar/current
ports:
- "3000:3000"
depends_on:
- db
- redis
networks:
- limpar_network
docker build runs with no failures. Dockerfile instal_path overwrites a volume location on docker-compose file. By changing the volume name on my docker-compose.yml file,
I am able to fix the permission errors.
However, the local changes on my code no longer get reflected, meaning I have to rebuild everytime I change anything.
Any missing points on Dockerfile, regarding user permissions?
Thanks in advance
Adding
USER root
to Docker file, RUN chown... fixed the permission issues, and allowed me to keep same path on dockerfile and docker-compose volume, solving the local code changes not reflecting.

Why isn't the USER declared in my Dockerfile reflected in the ENTRYPOINT script?

I am trying to fix some tests we're running on Jenkins with Docker, but the script that the ENTRYPOINT in my Dockerfile points to keeps running as root, even though I set the USER in the Dockerfile. This works fine on my local machine but not when running on our Jenkins box.
I've tried running su within my entrypoint script to make sure that the rest of the script run as the correct user, but they still run as root.
So my Dockerfile looks like this:
FROM python:3.6
RUN apt-get update && apt-get install -y gettext libgettextpo-dev
ARG DOCKER_UID # set to 2000 in docker-compose file
ARG ENV=prod
ENV ENV=${ENV}
ARG WORKERS=2
ENV WORKERS=${WORKERS}
RUN useradd -u ${DOCKER_UID} -ms /bin/bash app
RUN chmod -R 777 /home/app
ENV PYTHONUNBUFFERED 1
ADD . /code
WORKDIR /code
RUN chown -R app:app /code
RUN mkdir /platform
RUN chown -R app:app /platform
RUN pip install --upgrade pip
RUN whoami # outputs `root`
USER app
RUN whoami # outputs `app`
RUN .docker/deploy/install_requirements.sh $ENV # runs as `app`
EXPOSE 8000
ENTRYPOINT [".docker/deploy/start.sh", "$ENV"]
and my start.sh looks like:
#!/bin/bash
ENV=$1
echo "USER"
echo `whoami`
echo Running migrations...
python manage.py migrate
mkdir -p static
chmod -R 0755 static
cd /code/
if [ "$ENV" == "performance-dev" ];
then
/home/app/.local/bin/uwsgi --ini .docker/deploy/uwsgi.ini -p 4 --uid app
else
/home/app/.local/bin/uwsgi --ini .docker/deploy/uwsgi.ini --uid app
fi
but the
echo "USER"
echo `whoami`
outputs:
USER
root
which causes commands later in the script the fail as they're the wrong user.
I'd except the output to be
USER
app
and my understanding is that this issue is typically resolved by setting the USER command in the Dockerfile, but I do that and it looks like it is switching user when running the Dockerfile itself.
Edit
The issue was with my docker-compose configuration. My docker-compose config looks like:
version: '3'
services:
service:
user: "${DOCKER_UID}:${DOCKER_UID}"
build:
context: .
dockerfile: .docker/Dockerfile
args:
- ENV=prod
- DOCKER_UID=2000
DOCKER_UID is a variable set on my local machine but not on the Jenkins box, so I set it to 2000 in the override file
The issue I was having, as David Maze pointed out in the comments, was that I was setting the user when actually building the container, via my docker-compose file. I had set the user param to ${DOCKER_UID}, which was never actually set anywhere, so it was defaulting to an empty string. Setting it to 2000 fixed my issue.

docker nginx container doesn't contain nginx?

I have a laravel project that runs on a single docker container.
I use docker-composer.yml to configure the container. I use nginx:latest base image in my Dockerfile. For some reason when I tried to launch my project with command docker-compose up I got this error:
web_1 | 2019-05-10 15:51:14,035 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:15,037 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:17,040 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:20,050 INFO spawnerr: can't find command '/usr/sbin/nginx'
web_1 | 2019-05-10 15:51:20,050 INFO gave up: nginx entered FATAL state, too many start retries too quickly
I was suprised so I took a look inside the container with docker exec -ti mycontainername bash and I couldn't find nginx anywhere. I tried with nginx -v,
whereis nginx , cd /etc/nginx <-- directory didn't exist.
So i tried to create a simple container, which containts only nginx. I should theoretically be able to go to localhost:80 and see the Nginx welcome message, right?
docker run --rm -d -p 80:80 --name my-nginx nginx
well there was no message and when I took a look inside the container
docker exec my-nginx I couldn't find nginx anywhere, but if I ran the command apt-get nginx it showed that nginx is already the latest version.
FULL DOCKER-COMPOSE.YML
version: '1'
services:
web:
build:
context: ./
# dockerfile: web.dockerfile
working_dir: /var/www/html
# volumes_from:
# - app
ports:
- 8080:80
volumes:
- ./:/var/www/html
- /var/run/docker.sock:/var/run/docker.sock
environment:
full Dockerfile:
FROM nginx:latest
RUN apt-get update && apt-get install -y php-gd
RUN apt-get -y install php7.2-zip
#COPY app /var/www/html/app
#COPY artisan /var/www/html/app/artisan
#COPY bootstrap /var/www/html/bootstrap
#COPY config /var/www/html/config
#COPY database /var/www/html/database
#COPY public /var/www/html/public
#COPY resources /var/www/html/resources
#COPY routes /var/www/html/routes
#COPY storage /var/www/html/storage
#COPY vendor /var/www/html/vendor
#COPY artisan /var/www/html/artisan
#COPY composer.json /var/www/html/composer.json
COPY entrypointcust.sh /entrypointcust.sh
RUN chmod +x /entrypointcust.sh
EXPOSE 80
WORKDIR /var/www/html/old
# Add crontab file in the cron directory
ADD cron /etc/cron.d/appcron
# Give execution rights on the cron job
RUN chmod 0644 /etc/cron.d/appcron
RUN /usr/bin/crontab /etc/cron.d/appcron
# Create the log file to be able to run tail
#RUN touch /var/log/cron.log
#RUN touch /var/www/html/storage/logs/laravel.log
#RUN chown -R www-data:www-data /var/www/html
#RUN chmod -R 777 /var/www/html/storage
ENTRYPOINT ["/bin/bash", "-c", "/entrypointcust.sh"]
What am I missing?

Resources