Permissions error - after declaring USER and WORKDIR #740
Comments
If I remember correctly, folder created by |
Yeah I tried that too, I still get permissions errors with this:
|
I have the same issue |
Just do this and call it a day lol
F it lol...just run that before and after
|
Correct me if I'm wrong. The doc is recommending us to declare user as node because Docker runs container as root by default. So you declare it at the end
|
You should not run node as root, bad things can happen (see the last issue with changing files permissions). @ORESoftware do a |
@ORESoftware i believe this issue happens because only the /home/node directory is owned by the node user in the default node image. The /app directory is created and owned by root. If you change the WORKDIR to /home/node it should work. |
@albertoantunes You are right, it worked for me. Here is my Dockerfile, hope it helps some with the same problem.
|
This has been a nightmare for me... |
@ORESoftware
The COPY is done by default with root (source):
Note that |
I had the same issue and here's my Dockerfile. This fixed it

```dockerfile
# Choose the base image for the build
FROM node:8-alpine
RUN mkdir -p /home/node/app && chown -R node:node /home/node/app
WORKDIR /home/node/app
COPY package*.json ./
USER node
RUN npm install
COPY --chown=node:node . .
RUN ["chmod", "755", "your-script.sh"]
EXPOSE 4140
CMD [ "node", "index.js" ]
```

The trick was to use RUN ["chmod", "755", "your-script.sh"] |
This worked for me.
|
tsc fails with permission denied for writing under lib. Fixed with advice from nodejs/docker-node#740 (comment)
another working approach: start docker run with then I could use non-root user + get npm install working as it does not try to create a /.npm folder |
I had a problem of creating files / directories while node app is running (logs directory for example, when I don't care about them and do not mount logs dir from host). Here is my solution:
That way app can create new files / directories inside of |
yes but e.g. Jenkins setup working dir in pipeline approach on its own and you cannot really/easy/good overwrite it and you have to handle a different working dir so |
@derhecht Sorry, I did not understand completely. If your comment was addressed to me, and it meant to say: when app is built on Jenkins it causes errors because of
Also do not forget to include |
This issue/discussion is currently the top Google hit for the terms:
[ None of the solutions in this thread were the cause of my specific issue, so I'm adding a comment here. ] In my case, I created a new LVM2 logical volume and mounted it to sudo /usr/sbin/restorecon -R /var/lib/docker |
Maybe someone could use it: we solved Jenkins Docker scripted pipeline build with the following setup/commands/variables: |
Note this comment in the Best Practices documentation:

```dockerfile
FROM node:14.15.4-slim
WORKDIR /home/node
COPY --from=build --chown=node:node ./ /home/node
ENV NODE_ENV="production"
ENV PORT="8080"
EXPOSE 8080
USER node
CMD ["node", "app.js"]
```

|
hi guys, sometimes this happens - when the container you are trying to use (FROM) - set up the user already and it is different from the root. In this case permission is denied |
This dockerfile works fine with any image but the issue comes when you try to mount the volume

```dockerfile
FROM node:latest
ENV NODE_ENV="development"
ENV PORT="4000"
WORKDIR /home/node
COPY --chown=node:node ./node_project /home/node
RUN npm install
EXPOSE ${PORT}
USER node
ENTRYPOINT ["npm", "run", "dev"]
```

```yaml
version: "3.1"
services:
  node:
    build:
      context: .
      dockerfile: node.dockerfile
    container_name: node_server
    ports:
      - "4000:4000"
    volumes:
      - ./node_project:/home/node  # ----------> this creates the issue, remove this and everything works
```

How to fix this? How to mount current folder as volume inside docker container? |
@abhaykumar01234 , if you build the project with the context However ... you have to build the image each time you make a change to the code. The image contains an unchanging copy of the code as of build time. If your objective is to have a container with "live" code changes (made from the host machine) available inside the container, then you will need a different arrangement. It's a bit complicated, and it's Friday afternoon, so I'll post some information on this on Monday. |
@abhaykumar01234 , the basic problem is that your container is using a user (in this case It helps to understand what "map" means here: When a Docker container is run, the users inside the container are also interpreted as users in the host. The identity of the host user is determined by the numeric user id of the user inside the container.
All solutions to this problem involve ensuring that the user inside the container maps onto a suitable user on the host. This can be done in several ways. The simplest way is to define and use a user in the image (i.e., in the Dockerfile) whose numeric user id is the same as a host user with suitable permissions (e.g., your own user id). This is not very flexible because the user id is fixed, but if you don't need that flexibility, it's effective. A more flexible way to do much the same thing is to specify a user id externally when you build your image. There's some good advice on this in Avoiding Permission Issues With Docker-Created Files. A more complex but fully flexible solution to the problem is to use Docker's user namespace mapping facility. I am doing this with a couple of Python projects, and I haven't yet worked out all the kinks, but in principle it's reasonably straightforward. I found the following articles helpful:
A few other remarks:
|
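The numeric user id mapping described in the comment above can be checked on the host before a directory is bind-mounted. The following is an added example, not part of any comment in this thread or of the docker-node project. It assumes GNU `stat` and no user-namespace remapping; `can_create` and `user_flag` are hypothetical helper names, and uid/gid 61234 is a constructed value.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes GNU stat and no
# user-namespace remapping: a container uid is the same number on the host.

# can_create DIR UID GID
# Would a process with this numeric uid/gid be able to create files in DIR?
# Prints "writable:<class>" or "denied:<class>" (class = root|owner|group|other).
# Only the primary gid is considered; ACLs and supplementary groups are ignored.
can_create() {
    dir=$1 cuid=$2 cgid=$3
    meta=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $meta
    ouid=$1 ogid=$2
    perm=$(printf '%03d' "$3")     # "0" -> "000"; "1777" stays "1777"
    perm=${perm#"${perm%???}"}     # keep the last three octal digits
    if [ "$cuid" -eq 0 ]; then echo "writable:root"; return 0; fi
    # The kernel picks exactly one class; a matching owner never falls
    # through to the group or other bits.
    if [ "$cuid" -eq "$ouid" ]; then class=owner; digit=${perm%??}
    elif [ "$cgid" -eq "$ogid" ]; then class=group; digit=${perm#?}; digit=${digit%?}
    else class=other; digit=${perm#??}
    fi
    # Creating a file in a directory needs write (2) and search (1) together.
    if [ $(( digit & 3 )) -eq 3 ]; then echo "writable:$class"
    else echo "denied:$class"
    fi
}

# user_flag DIR: the `docker run --user` value matching DIR's owner on the host.
user_flag() {
    stat -c '--user %u:%g' "$1"
}

# Constructed demo: a 0755 directory, checked for its owner and for a
# made-up uid/gid (61234) standing in for a container user with no host match.
demo=$(mktemp -d)
chmod 755 "$demo"
echo "owner uid:   $(can_create "$demo" "$(id -u)" "$(id -g)")"
echo "other uid:   $(can_create "$demo" 61234 61234)"
echo "matching:    $(user_flag "$demo")"
rmdir "$demo"
```

Passing the image's uid and gid (1000 for `node` in the `stat` output quoted elsewhere in this thread) and the host path of the mount shows whether the container user will hit `Permission denied` there.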
@ORESoftware FWIW this works for me. It fixes the permissions issue. |
Guys, I'm absolutely shit at Docker, I don't understand anything in this thread. Can someone please help me? Here's my
I get this error:
|
@herbievine , I think your problem is that The likely fix is to explicitly create the
Don't stay as user |
I added 'user: node' on my docker-compose.yml and it fixed the issue.
|
@thajib , that means your container will be running all its commands as the root user -- both inside the container and outside the container (unless, for the latter, you have set up user namespace mapping). This exposes you to serious security risks unless you are running the container entirely behind a firewall with no outside access to it. Even then, it's not a good idea; anyone inside your firewall can That's the reason the For further information on this, search things like "Docker best practices security". |
I have corrected it now. I intended to use 'node' and I typed 'root' :-( |
I made a few example docker and compose files and I found the following. For volume mount where the folders don't exist before running the container gets folders made as root. This means no Making the folders to be mounted in the host before running the container means the permissions will be preserved in the container by user ID. Permission granted.

Minimal example:

Dockerfile:

Bash code:

```bash
export iiname=userdocker_aa; echo ${PWD};
docker rmi $iiname
docker build -t $iiname .
#
runa() {
echo $1; echo iiname=$iiname
docker run --rm -v "${PWD}/$1:/$1" -w "/$1" -it $iiname sh -c "touch afile;"
}
# error: touch: cannot touch 'afile': Permission denied
ls -l code; runa code
# Works!
mkdir code2; runa code2; ls -laR;
```

Output:

```console
albe@racknerd-4f4016:/ap/dkr/605dkrcollection/userdocker/u7$ bash sha
/ap/dkr/605dkrcollection/userdocker/u7
Untagged: userdocker_aa:latest
Deleted: sha256:677eddefff16ad91a8fa95f40992720bbb4f49f38ad155312fff8c05e9ff234f
Sending build context to Docker daemon 4.608kB
Step 1/3 : FROM node:16-slim
---> 13cc87dcb313
Step 2/3 : USER node
---> Using cache
---> 5d28a19d291f
Step 3/3 : CMD ["yarn", "serve"]
---> Running in faba7178762b
Removing intermediate container faba7178762b
---> a29162820ea8
Successfully built a29162820ea8
Successfully tagged userdocker_aa:latest
code
iiname=userdocker_aa
touch: cannot touch 'afile': Permission denied
mkdir: cannot create directory ‘code2’: File exists
code2
iiname=userdocker_aa
drwxr-xr-x 2 root root 4096 Jan 8 13:35 code
drwxrwxr-x 2 albe albe 4096 Jan 8 13:35 code2
./code2:
drwxrwxr-x 2 albe albe 4096 Jan 8 13:35 .
drwxrwxr-x 4 albe albe 4096 Jan 8 13:36 ..
-rw-r--r-- 1 albe albe 0 Jan 8 13:37 afile
```

So I think a solution is to create ./app on the host and mount that as a volume with -v "${PWD}/app://home/node/app. All the code is here: https://github.com/dgleba/605dkrcollection/tree/main/userdocker/u7 |
I know this is old post but below code worked for me:

```dockerfile
RUN addgroup app && adduser -S -G app app
EXPOSE 3000
CMD ["npm", "start"]
```

|
Thank you so much! This really solved my problem! |
This alpine version is overriding the custom user: - nodejs/docker-node#740 - https://stackoverflow.com/questions/44766665/how-do-i-docker-copy-as-non-root?answertab=votes#tab-top
I know WORKDIR permissions |
I was getting same issue: I've fixed like this:
I messed up a time with this issue, and I tried with permissions Hope this helps anyone. |
I was able to solve this with a newer docker backend component called buildkit. Buildkit mode is enabled by default for Docker Desktop users, and can be enabled manually by setting an environment variable when building the image:
Buildkit creates directories a little differently. Say we have a dockerfile that just prints out details of the

```dockerfile
FROM node:18-alpine
USER node
WORKDIR /app
CMD stat /app
```

Without buildkit, the

```console
$ docker build --quiet . -t demo
sha256:28817c441bf181fa589ed827acc08bed54605977f26c46b4923e69da2261d21d
$ docker run --rm demo
File: /app
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 93h/147d Inode: 22454774 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
...
```

With buildkit, the

```console
$ DOCKER_BUILDKIT=1 docker build --quiet . -t demo
sha256:37ae7418d59cba2024bff10c798f6577b1de84ddd8a275d12b63cad19554d759
$ docker run --rm demo
File: /app
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 8dh/141d Inode: 22558956 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 1000/ node) Gid: ( 1000/ node)
...
```

When the |
I get the same error when I want to build the image using podman on my runner. When I run my pipeline, it shows |
I'm not sure if it's the same issue, but I've stumbled upon this GitHub issue trying to find out what's happening with my NestJS app. When trying to start development mode, Nest tries to rmdir the dist/ folder, but it stops because of permission denied, even with user being specified in the compose file and in the Docker file. |
Years later, you are helping me when several guides from well-known tech companies have failed. Thanks! |
I have this:
and I get:
this seems completely crazytown. How does my user not have access to this directory by default considering it was "created" by the WORKDIR command after USER was declared?