Directory permission was changed to root in container #38492

Closed
liqlin2015 opened this Issue Jan 4, 2019 · 5 comments


liqlin2015 commented Jan 4, 2019

Description

We have the following Dockerfile for our image.

COPY . /app
...
RUN chown -R ${IAM_USER}:${IAM_USER} /app
...
USER ${IAM_USER}

But when we start a container from the image, the permission of the /app directory was changed to root.

Steps to reproduce the issue:

  1. Start a container from our image.
  2. The container failed to start because it had no permission to access the /app directory.

Describe the results you received:

The container failed to start because of a file permission issue.

Describe the results you expected:

The container should start successfully.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

docker ce 18.03.1

Output of docker info:

docker ce 18.03.1

Additional environment details (OS):

CentOS 7.5

thaJeztah commented Jan 4, 2019

Could you post the full output of docker version and docker info?

How are you starting the container? Are you using a volume or bind-mount for the /app directory (e.g. docker run -v host-directory:/app myimage)?


liqlin2015 commented Jan 7, 2019

$ sudo docker version
Client:
 Version:      18.03.1-ce
 API version:  1.37
 Go version:   go1.9.5
 Git commit:   9ee9f40
 Built:        Thu Apr 26 07:20:16 2018
 OS/Arch:      linux/amd64
 Experimental: false
 Orchestrator: swarm

Server:
 Engine:
  Version:      18.03.1-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.5
  Git commit:   9ee9f40
  Built:        Thu Apr 26 07:23:58 2018
  OS/Arch:      linux/amd64
  Experimental: false
$ sudo docker info
Containers: 45
 Running: 40
 Paused: 0
 Stopped: 5
Images: 108
Server Version: 18.03.1-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 773c489c9c1b21a6d78b5c538cd395416ec50f88
runc version: 4fc53a81fb7c994640722ac585fa9ca548971871
init version: 949e6fa
Security Options:
 seccomp
  Profile: default
Kernel Version: 3.10.0-862.el7.x86_64
Operating System: Red Hat Enterprise Linux Server 7.5 (Maipo)
OSType: linux
Architecture: x86_64
CPUs: 16
Total Memory: 31.25GiB
Name: w02-master01.watson.devlab.net
ID: P75N:HZWR:EF4R:PND6:GZ5O:VA3O:KB2S:LEIE:BDH5:MVIC:RDQN:HHCB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
HTTP Proxy: http://172.16.180.155:3128
HTTPS Proxy: http://172.16.180.155:3128
No Proxy: localhost,127.0.0.1,wisccluster.wis,192.168.30.0/24,192.168.31.0/24
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

We did not use any volume; /app is inside the Docker image. You can refer to the Dockerfile footprint above. We have chowned the directory /app in the Dockerfile to a normal user, IAM_USER. But when we start the container on the host, the following shows up.

$ sudo docker run -it --rm wisccluster.wisc:8500/iam-policy-administration:3.1.0 bash
iam@580c307309e5:/app$ ls -l /
total 0
drwxr-xr-x.   1 root root  20 Aug 25 13:00 app
drwxr-xr-x.   1 root root  68 Aug  7 06:20 bin

Any suggestions for the issue, @thaJeztah?

thaJeztah commented Jan 7, 2019

I'm not able to reproduce this 😕 Here's what I tried:

Prepare some files and create a Dockerfile

mkdir repro-38492 && cd repro-38492
touch some files etcetera

cat > Dockerfile -<<'EOF'
FROM centos:7
ARG IAM_USER=0

COPY . /app
RUN echo chowning to ${IAM_USER}:${IAM_USER}
RUN chown -R ${IAM_USER}:${IAM_USER} /app
RUN ls -l / | grep app


USER ${IAM_USER}
WORKDIR /app
EOF

Build the image, passing 123 as IAM_USER:

sudo docker build -t repro-38492 --build-arg IAM_USER=123 .

Which shows:

Sending build context to Docker daemon  3.584kB
Step 1/8 : FROM centos:7
 ---> 1e1148e4cc2c
Step 2/8 : ARG IAM_USER=0
 ---> Running in 1b99a45930d9
Removing intermediate container 1b99a45930d9
 ---> 347ac786adab
Step 3/8 : COPY . /app
 ---> 32c6a113985f
Step 4/8 : RUN echo chowning to ${IAM_USER}:${IAM_USER}
 ---> Running in ec02d66a829c
chowning to 123:123
Removing intermediate container ec02d66a829c
 ---> 082f63d60fbf
Step 5/8 : RUN chown -R ${IAM_USER}:${IAM_USER} /app
 ---> Running in 0214e6d869a2
Removing intermediate container 0214e6d869a2
 ---> 577011f664f0
Step 6/8 : RUN ls -l / | grep app
 ---> Running in bd045cf687de
drwxr-xr-x   1  123  123  4096 Jan  7 12:04 app
Removing intermediate container bd045cf687de
 ---> 3ebcc31196db
Step 7/8 : USER ${IAM_USER}
 ---> Running in f501fcade931
Removing intermediate container f501fcade931
 ---> a490d1c4277b
Step 8/8 : WORKDIR /app
 ---> Running in 2c7c1a1666bd
Removing intermediate container 2c7c1a1666bd
 ---> 2089a1beba46
Successfully built 2089a1beba46
Successfully tagged repro-38492:latest

Run the image and verify that permissions are correct:

sudo docker run --rm repro-38492 bash -c 'ls -l / | grep app'
drwxr-xr-x   1  123  123  4096 Jan  7 12:04 app

The above all looks to be correct.

  • Can you explain how IAM_USER is set in your case? I suspect you're using that env-var / build-arg to make the image permissions match the current user ("you"). If that's the case, you may want to check if you're actually passing the right user-id / group-id: I see you're using sudo, which means the docker command is executed as root; how are you setting the IAM_USER variable? If set as root, that could explain if it's using the wrong permissions.
  • Are you only able to reproduce with that specific image/Dockerfile, or can you also reproduce the same issue with a minimal Dockerfile (such as the one I'm using to reproduce)?
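The repro above turned into a script, as an added example that is not code from the issue or its participants: it parses `ls -l` lines like the ones quoted in this thread into a `user:group` string, and, when Docker is available, builds a minimal image with a numeric build-arg uid and compares the owner that `stat` reports inside the running container against it. The helper names and the image tag `repro-38492-check` are my own.

```shell
#!/usr/bin/env sh
# Added example, not code from the issue. Verifies that a directory chowned at
# build time still has the expected owner when the container runs.

# Extract "user:group" from one `ls -l` line such as
# "drwxr-xr-x.   1 root root  20 Aug 25 13:00 app" (fields: mode links user group ...).
owner_of_ls_line() {
    printf '%s\n' "$1" | awk '{ print $3 ":" $4 }'
}

# Succeed only when the ls line shows exactly the expected "user:group".
owner_matches() {
    [ "$(owner_of_ls_line "$1")" = "$2" ]
}

# Build a minimal image of the same shape as the repro in this thread (tag is
# made up), chowning /app to a numeric uid passed as a build arg, then ask the
# running container for the numeric owner of /app. Numeric ids avoid a name
# that may resolve differently on the host and inside the image.
# Usage: check_app_owner 123
check_app_owner() {
    uid="$1"
    workdir="$(mktemp -d)"
    cat > "$workdir/Dockerfile" <<'EOF'
FROM centos:7
ARG IAM_USER=0
COPY . /app
RUN chown -R ${IAM_USER}:${IAM_USER} /app
USER ${IAM_USER}
WORKDIR /app
EOF
    # The build arg is passed explicitly rather than read from the environment,
    # so running the docker command under sudo cannot substitute root's value.
    docker build -q -t repro-38492-check --build-arg "IAM_USER=$uid" "$workdir" >/dev/null || return 1
    actual="$(docker run --rm repro-38492-check stat -c '%u:%g' /app)"
    rm -rf "$workdir"
    [ "$actual" = "$uid:$uid" ]
}
```

Only the parsing helpers run offline; `check_app_owner` needs a working Docker daemon and an image whose base provides `stat`.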
liqlin2015 commented Jan 8, 2019

Here is what we do:

ENV IAM_USER=iam
USER root
COPY . /app
RUN chown -R ${IAM_USER}:${IAM_USER} /app

USER ${IAM_USER}

EXPOSE 39001

CMD ["bash", "-c", "./startiam.sh"]

I will also try your sample Dockerfile on my host.

liqlin2015 commented Jan 16, 2019

Closing it as it seems to be an image problem.

@liqlin2015 liqlin2015 closed this Jan 16, 2019
