docker mounting volume with permission denied - linux

I am trying to setup a docker container that mounts a volume from the host. No matter what I try, it always says permission denied when I remote into the docker container. This is some of the commands I have tried adding to my docker file:
RUN su -c "setenforce 0"
and
chcon -Rt svirt_sandbox_file_t /app
Still I get the following error when I remote into my container:
Error: EACCES: permission denied, scandir '/app'
at Error (native)
Error: EACCES: permission denied, open 'npm-debug.log.578996924'
at Error (native)
And as you can see, the app directory is assigned to some user with uid 1000:
Here is my docker file:
FROM php:5.6-fpm
# Install modules
RUN apt-get update && apt-get install -y \
git \
unzip \
libmcrypt-dev \
libicu-dev \
mysql-client \
freetds-dev \
libxml2-dev
RUN apt-get install -y freetds-dev php5-sybase
# This symlink fixes the pdo_dblib install
RUN ln -s /usr/lib/x86_64-linux-gnu/libsybdb.a /usr/lib/
RUN docker-php-ext-install pdo \
&& docker-php-ext-install pdo_mysql \
&& docker-php-ext-install pdo_dblib \
&& docker-php-ext-install iconv \
&& docker-php-ext-install mcrypt \
&& docker-php-ext-install intl \
&& docker-php-ext-install opcache \
&& docker-php-ext-install mbstring
# Override the default php.ini with a custom one
COPY ./php.ini /usr/local/etc/php/
# replace shell with bash so we can source files
RUN rm /bin/sh && ln -s /bin/bash /bin/sh
# nvm environment variables
ENV NVM_DIR /usr/local/nvm
ENV NODE_VERSION 4.4.7
# install nvm
RUN curl --silent -o- https://raw.githubusercontent.com/creationix/nvm/v0.31.2/install.sh | bash
# install node and npm
RUN source $NVM_DIR/nvm.sh \
&& nvm install $NODE_VERSION \
&& nvm alias default $NODE_VERSION \
&& nvm use default
# add node and npm to path so the commands are available
ENV NODE_PATH $NVM_DIR/v$NODE_VERSION/lib/node_modules
ENV PATH $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
# confirm installation
RUN node -v
RUN npm -v
# Install Composer
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
RUN composer --version
# Configure freetds
ADD ./freetds.conf /etc/freetds/freetds.conf
WORKDIR /app
# Gulp install
RUN npm install -g gulp
RUN npm install -g bower
CMD ["php-fpm"]
Here is my docker-compose:
nginx_dev:
container_name: nginx_dev
build: docker/nginx_dev
ports:
- "80:80"
depends_on:
- php_dev
links:
- php_dev
volumes:
- ./:/app
php_dev:
container_name: php_dev
build: docker/php-dev
volumes:
- ./:/app`
Is there any commands I can run to give the root user permissions to access the app directory? I am using docker-compose as well.

From the directory listing, it appears that you have selinux configured (that's the trailing dots on the permission bits). In Docker with selinux enabled, you need to mount volumes with an extra flag, :z. Docker describes this as a volume label but I believe this is an selinux term rather than a docker label on the volume.
Your resulting docker-compose.yml should look like:
version: '2'
services:
nginx_dev:
container_name: nginx_dev
build: docker/nginx_dev
ports:
- "80:80"
depends_on:
- php_dev
links:
- php_dev
volumes:
- ./:/app:z
php_dev:
container_name: php_dev
build: docker/php-dev
volumes:
- ./:/app:z
Note, I also updated the syntax to version 2. Version 1 of the docker-compose.yml is being phased out. Version 2 will result in the containers being run in their own network by default which is usually preferred but may cause issues if you have other containers trying to talk to these.

Related

cannot reach docker container even its connected to a port

ı am trying to use a container and I came across a problem. when I curl localhost:8000 inside the container it connects but when I try to go there it says unable to connect. I am providing a screenshot, my YAML file, and my dockerfile.devel in case that helps. Thanks already.
i curled inside the container and it connected to the port
my yaml file
version: "2"
services:
cuckoo:
privileged: true
image: cuckoo-docker:2.0.7
build:
context: ./
dockerfile: src/Dockerfile.devel
ports:
- "8888:8000"
- "2042:2042"
expose:
- "8000"
links:
- mongo
- postgres
networks:
- cuckoo
restart: always
cap_add:
- NET_ADMIN
extra_hosts:
- "libvirt.local:172.30.201.1"
mongo:
image: mongo
ports:
- 27017:27017
networks:
- cuckoo
restart: always
postgres:
image: postgres
ports:
- 5432:5432
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: cuckoo
networks:
- cuckoo
restart: always
networks:
cuckoo:
driver: bridge
my dockerfile.devel
FROM ubuntu:18.04
ENV container docker
ENV LC_ALL C
ENV DEBIAN_FRONTEND noninteractive
RUN sed -i 's/# deb/deb/g' /etc/apt/sources.list
RUN apt update \
&& apt full-upgrade -y \
&& apt install -y systemd systemd-sysv \
&& apt clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN cd /lib/systemd/system/sysinit.target.wants/ \
&& ls | grep -v systemd-tmpfiles-setup | xargs rm -f $1
RUN rm -f /lib/systemd/system/multi-user.target.wants/* \
/etc/systemd/system/*.wants/* \
/lib/systemd/system/local-fs.target.wants/* \
/lib/systemd/system/sockets.target.wants/*udev* \
/lib/systemd/system/sockets.target.wants/*initctl* \
/lib/systemd/system/basic.target.wants/* \
/lib/systemd/system/anaconda.target.wants/* \
/lib/systemd/system/plymouth* \
/lib/systemd/system/systemd-update-utmp*
RUN apt update \
&& apt install -y python2.7 python-pip python-dev libffi-dev libssl-dev python-virtualenv python-setuptools libjpeg-dev zlib1g-dev swig qemu-kvm libvirt-bin \
ubuntu-vm-builder bridge-utils python-libvirt tcpdump libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd pcregrep libpcre++-dev autoconf automake libtool \
build-essential libjansson-dev libmagic-dev supervisor mongodb postgresql postgresql-contrib libpq-dev nano bison byacc tor suricata flex\
&& apt clean
RUN set -x \
&& cd /tmp/ \
&& git clone --recursive --branch 'v3.11.0' https://github.com/VirusTotal/yara.git \
&& cd /tmp/yara \
&& ./bootstrap.sh * \
&& sync \
&& ./configure --with-crypto --enable-magic --enable-cuckoo --enable-dotnet \
&& make \
&& make install \
&& rm -rf /tmp/* \
&& cd /tmp \
&& git clone --recursive --branch '2.6.1' https://github.com/volatilityfoundation/volatility.git \
&& cd volatility \
&& python setup.py build install \
&& rm -rf /tmp/*
RUN pip install -U --no-cache-dir pyrsistent==0.16.1 MarkupSafe==1.1.1 itsdangerous==1.1.0 configparser==4.0.2 distorm3==3.4.4 setuptools pycrypto ujson cryptography psycopg2 jsonschema==3.2.0 werkzeug==0.16.0 Mako==1.1.0 python-editor==1.0.3 urllib3==1.25.7 tlslite==0.4.9 SFlock==0.3.3 tlslite-ng==0.7.6 pyOpenSSL==18.0.0
RUN apt update && apt install -y vim
COPY cuckoo /opt/cuckoo
WORKDIR /opt/cuckoo
RUN python stuff/monitor.py
RUN python setup.py sdist develop
RUN cuckoo init
RUN cuckoo community
COPY etc/conf /root/.cuckoo/conf
COPY etc/supervisord.conf /root/.cuckoo/
COPY etc/cuckoo.sh /opt/
RUN chmod +x /opt/cuckoo.sh
CMD ["/opt/cuckoo.sh"]
When you set
ports:
- "8888:8000"
this means that the port 8000 in the container is mapped to the port 8888 in the host machine
so if you curl from the host machine you have to curl port 8888

Run a shell script from docker-compose command, inside the container

I am attempting to run a shell script by using docker-compose inside the docker container. I am using the Dockerfile to build the container environment and installing all dependancies. I then copy all the project files to the container. This works well as far as I can determine. (I am still fairly new to docker, docker-compose)
My Dockerfile:
FROM python:3.6-alpine3.7
RUN apk add --no-cache --update \
python3 python3-dev gcc \
gfortran musl-dev \
libffi-dev openssl-dev
RUN pip install --upgrade pip
ENV PYTHONUNBUFFERED 1
ENV APP /app
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN mkdir $APP
WORKDIR $APP
ADD requirements.txt .
RUN pip install -r requirements.txt
COPY . .
What I am currently attempting is this:
docker-compose file:
version: "2"
services:
nginx:
image: nginx:latest
container_name: nginx
ports:
- "8000:8000"
- "443:443"
volumes:
- ./:/app
- ./config/nginx:/etc/nginx/conf.d
- ./config/nginx/ssl/certs:/etc/ssl/certs
- ./config/nginx/ssl/private:/etc/ssl/private
depends_on:
- api
api:
build: .
container_name: app
command: /bin/sh -c "entrypoint.sh"
expose:
- "5000"
This results in the container not starting up, and from the log I get the following:
/bin/sh: 1: entrypoint.sh: not found
For more reference and information this is my entrypoint.sh script:
python manage.py db init
python manage.py db migrate --message 'initial database migration'
python manage.py db upgrade
gunicorn -w 1 -b 0.0.0.0:5000 manage:app
Basically, I know I could run the container with only the gunicorn line above in the command line of the dockerfile. But, I am using a sqlite db inside the app container, and really need to run the db commands for the database to initialise/migrate.
Just for reference this is a basic Flask python web app with a nginx reverse proxy using gunicorn.
Any insight will be appreciated. Thanks.
First thing, You are copying entrypoint.sh to $APP which you passed from your build args but you did not mentioned that and second thing you need to set permission for entrypoint.sh. Better to add these three lines so you will not need to add command in docker-compose file.
FROM python:3.6-alpine3.7
RUN apk add --no-cache --update \
python3 python3-dev gcc \
gfortran musl-dev \
libffi-dev openssl-dev
RUN pip install --upgrade pip
ENV PYTHONUNBUFFERED 1
ENV APP /app
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN mkdir $APP
WORKDIR $APP
ADD requirements.txt .
RUN pip install -r requirements.txt
COPY . .
# These line for /entrypoint.sh
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
entrypoint "/entrypoint.sh"
docker compose for api will be
api:
build: .
container_name: app
expose:
- "5000"
or you can use you own also will work fine
version: "2"
services:
api:
build: .
container_name: app
command: /bin/sh -c "entrypoint.sh"
expose:
- "5000"
Now you can check with docker run command too.
docker run -it --rm myapp
entrypoint.sh needs to be specified with its full path.
It's not clear from your question where exactly you install it; if it's in the current directory, ./entrypoint.sh should work.
(Tangentially, the -c option to sh is superfluous if you want to run a single script file.)

Docker Volume overwriting file permissions

I have a Dockerfile where I bring in some files and change permissions.
I also have a docker-compose that creates a volume for nodemon to watch. I believe that these volumes are overwriting the permissions that I set. When I remove the volumes the app works but I don't get the server restarting. When the volumes are there the app crashes due to permissions. I've tried creating the volume first but perhaps I was doing that wrong.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl sudo
RUN curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
RUN apt-get install -y nodejs && \
apt-get install --yes build-essential
RUN apt-get install --yes npm
#VOLUME "/usr/local/app"
# Set up C++ dev env
RUN apt-get update && \
apt-get dist-upgrade -y && \
apt-get install gcc-multilib g++-multilib cmake wget -y && \
apt-get clean autoclean && \
apt-get autoremove -y
#wget -O /tmp/conan.deb -L https://github.com/conan-io/conan/releases/download/0.25.1/conan-ubuntu-64_0_25_1.deb && \
#dpkg -i /tmp/conan.deb
#ADD ./scripts/cmake-build.sh /build.sh
#RUN chmod +x /build.sh
#RUN /build.sh
RUN curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
RUN apt-get install -y nodejs sudo
RUN mkdir -p /usr/local/app
WORKDIR /usr/local/app
COPY package.json /usr/local/app
RUN ["npm", "install"]
RUN npm install --global nodemon
COPY . .
RUN echo "/usr/local/app/dm" > /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/lib/x86_64-linux-gnu" >> /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/local/lib64" >> /etc/ld.so.conf.d/mythrift.conf
RUN ldconfig
EXPOSE 9090
RUN ["chmod", "+x", "dm/dm3"]
RUN ["chmod", "777", "policy"]
RUN ls -al .
RUN npm -v
RUN node -v
notice at the end where i'm changing permissions.
version: '3'
services:
web:
build: .
volumes:
- .:/usr/local/app/
- /usr/app/node_modules
command: nodemon
ports:
- "3000:3000"
When you mount volumes into a docker container, the files inside are on a lower layer so they are hidden.
In your case, /usr/local/app from the Dockerfile is hidden. Its contents are the files from the host machine (the parent directory of docker-compose.yml). You should set the permissions in the host machine.

Docker-compose EACCESS error when spawning executable

I have a Dockerfile where I bring in some files and chmod some stuff. it's a node server that spawns an executable file.
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y --no-install-recommends curl sudo
RUN curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
RUN apt-get install -y nodejs && \
apt-get install --yes build-essential
RUN apt-get install --yes npm
#VOLUME "/usr/local/app"
# Set up C++ dev env
RUN apt-get update && \
apt-get dist-upgrade -y && \
apt-get install gcc-multilib g++-multilib cmake wget -y && \
apt-get clean autoclean && \
apt-get autoremove -y
#wget -O /tmp/conan.deb -L https://github.com/conan-io/conan/releases/download/0.25.1/conan-ubuntu-64_0_25_1.deb && \
#dpkg -i /tmp/conan.deb
#ADD ./scripts/cmake-build.sh /build.sh
#RUN chmod +x /build.sh
#RUN /build.sh
RUN curl -sL https://deb.nodesource.com/setup_9.x | sudo -E bash -
RUN apt-get install -y nodejs sudo
RUN mkdir -p /usr/local/app
WORKDIR /usr/local/app
COPY package.json /usr/local/app
RUN ["npm", "install"]
COPY . .
RUN echo "/usr/local/app/dm" > /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/lib/x86_64-linux-gnu" >> /etc/ld.so.conf.d/mythrift.conf
RUN echo "/usr/local/lib64" >> /etc/ld.so.conf.d/mythrift.conf
RUN ldconfig
EXPOSE 9090
RUN chmod +x dm/dm3
RUN ldd dm/dm3
RUN ["chmod", "+x", "dm/dm3"]
RUN ["chmod", "777", "policy"]
RUN ls -al .
CMD ["nodejs", "app.js"]
it works all fine but when I use docker-compose for the purpose of having an autoreload dev enviornment in docker, I get an EACCES error when spawning the executable process.
version: '3'
services:
web:
build: .
command: npm run start
volumes:
- .:/usr/local/app/
- /usr/app/node_modules
ports:
- "3000:3000"
I'm using nodemon to restart the server on changes, hence the volumes in the compose. woulds love to get that workflow up again.
I think that you problem is how you wrote the docker-compose.yml file.
I think that the line command doesn't necessary because you
especified how start the program in Dockerfile.
Could you try to run this lines?
version: '3'
services:
web:
build:
context: ./
dockerfile: Dockerfile
volumes:
- .:/usr/local/app/
- /usr/app/node_modules
ports:
- "3000:3000"
Otherwise, I think that the volumes property doesn't share /usr/app/node_modules. And I think that this is bad practice. You can run "npm install" in your Dockerfile
I hope that you could understand me =)

How to convert a Dockerfile to a docker compose image?

This is how I'm creating a docker image with nodeJS and meteorJS based on an ubuntu image. I'll use this image to do some testing.
Now I'm thinking of doing this via docker compose. But is this possible at all? Can I convert those commands into a docker compose yml file?
FROM ubuntu:16.04
COPY package.json ./
RUN apt-get update -y && \
apt-get install -yqq \
python \
build-essential \
apt-transport-https \
ca-certificates \
curl \
locales \
nodejs \
npm \
nodejs-legacy \
sudo \
git
## NodeJS and MeteorJS
RUN curl -sL https://deb.nodesource.com/setup_4.x | bash -
RUN curl https://install.meteor.com/ | sh
## Dependencies
RUN npm install -g eslint eslint-plugin-react
RUN npm install
## Locale
ENV OS_LOCALE="en_US.UTF-8"
RUN locale-gen ${OS_LOCALE}
ENV LANG=${OS_LOCALE} LANGUAGE=en_US:en LC_ALL=${OS_LOCALE}
## User
RUN useradd ubuntu && \
usermod -aG sudo ubuntu && \
mkdir -p /builds/core/.meteor /home/ubuntu && \
chown -Rh ubuntu:ubuntu /builds/core/.meteor && \
chown -Rh ubuntu:ubuntu /home/ubuntu
USER ubuntu
Docker Compose doesn't replace your Dockerfile, but you can use Docker Compose to build an image from your Dockerfile:
version: '3'
services:
myservice:
build:
context: /path/to/Dockerfile/dir
dockerfile: Dockerfile
image: result/latest
Now you can build it with:
docker-compose build
And start it with:
docker-compose up -d

Resources