permission denied, mkdir in container on openshift - node.js

I have a container with nodejs and pm2 as start command and on OpenShift i get this error on startup:
Error: EACCES: permission denied, mkdir '/.pm2'
I tried same image on a Marathon hoster and it worked fine.
Do i need to change something with UserIds?
The Dockerfile:
FROM node:7.4-alpine
RUN npm install --global yarn pm2
RUN mkdir /src
COPY . /src
WORKDIR /src
RUN yarn install --production
EXPOSE 8100
CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]
Update
the node image already creates a new user "node" with UID 1000 to not run the image as root.
I also tried to fix permissions and adding user "node" to root group.
Further i told pm2 to which dir it should use with ENV var:
PM2_HOME=/home/node/app/.pm2
But i still get error:
Error: EACCES: permission denied, mkdir '/home/node/app/.pm2'
Updated Dockerfile:
FROM node:7.4-alpine
RUN npm install --global yarn pm2
RUN adduser node root
COPY . /home/node/app
WORKDIR /home/node/app
RUN chmod -R 755 /home/node/app
RUN chown -R node:node /home/node/app
RUN yarn install --production
EXPOSE 8100
USER 1000
CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]
Update2
thanks to Graham Dumpleton i got it working
FROM node:7.4-alpine
RUN npm install --global yarn pm2
RUN adduser node root
COPY . /home/node/app
WORKDIR /home/node/app
RUN yarn install --production
RUN chmod -R 775 /home/node/app
RUN chown -R node:root /home/node/app
EXPOSE 8100
USER 1000
CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]

OpenShift will by default run containers as a non root user. As a result, your application can fail if it requires it runs as root. Whether you can configure your container to run as root will depend on permissions you have in the cluster.
It is better to design your container and application so that it doesn't have to run as root.
A few suggestions.
Create a special UNIX user to run the application as and set that user (using its uid), in the USER statement of the Dockerfile. Make the group for the user be the root group.
Fixup permissions on the /src directory and everything under it so owned by the special user. Ensure that everything is group root. Ensure that anything that needs to be writable is writable to group root.
Ensure you set HOME to /src in Dockerfile.
With that done, when OpenShift runs your container as an assigned uid, where group is root, then by virtue of everything being group writable, application can still update files under /src. The HOME variable being set ensures that anything written to home directory by code goes into writable /src area.

You can also run the below command which grants root access to the project you are logged in as:
oc adm policy add-scc-to-user anyuid -z default

Graham Dumpleton'solution is working but not recommended.
Openshift, will use random UIDs when running containers.
You can see that in the generated Yaml of your Pod.
spec:
- resources:
securityContext:
runAsUser: 1005120000
You should instead apply Docker security best practices to write your Dockerfile.
Do not bind the execution of your application to a specific UID : Make resources world readable (i.e., 0644 instead of 0640) and executable when needed.
Make executables owned by root and not writable
For a full list of recommendation see : https://sysdig.com/blog/dockerfile-best-practices/
In your case, there is not need to :
RUN adduser node root
...
RUN chown -R node:node /home/node/app
USER 1000
In the original question, the application files are already owned by root.
The following chmod is enough to make them readable and executable to the world.
RUN chmod -R 775 /home/node/app

What kind of openshift are you using ?
You can edit the "restricted" Security Context Constraints :
From openshift CLI :
oc edit scc restricted
And change :
runAsUser:
type: RunAsUSer
to
runAsUser:
type: RunAsAny
Note that Graham Dumpleton's answer is proper

Related

Docker compose linux volume - permission acess denied

Below is the Dockerfile for linux images. I get file path access denied error in Ubuntu VM
environment:
- ASPNETCORE_ENVIRONMENT=Production
- ASPNETCORE_Kestrel__Certificates__Default__Password=password123
- ASPNETCORE_Kestrel__Certificates__Default__Path=/abc/https/localhost.pfx
volumes:
- ./devops/https/localhost.pfx:/abc/https/localhost.pfx:ro
The path in the image and dockerfile was the same at that time. Attempted to run on ubuntu. ubuntu user is added to docker group.
Docker file content is provided for reference.
FROM mcr.microsoft.com/dotnet/aspnet:6.0
COPY . App/
WORKDIR /App
ENV ASPNETCORE_ENVIRONMENT="Production"
ENV ASPNETCORE_URLS="https://+:44123;"
ENV ABC_WORKDIR /App
ENV ABC_FILE_STORE /abc/source
EXPOSE 44123
RUN mkdir -p $ABC_FILE_STORE
RUN mkdir -p /abc/https
RUN chown abcuser /abc/https
RUN chown abcuser $ABC_FILE_STORE
RUN chown abcuser /App
USER abcuser
VOLUME /abc/https
VOLUME $ABC_FILE_STORE
WORKDIR $ABC_FILE_STORE
# sanity check: try to write a file
RUN echo "Hello from ABC" > hello.txt
WORKDIR $ABC_WORKDIR
ENTRYPOINT ["dotnet", "ABCService.dll"]
Should all the volume paths used by app, need to be mentioned and change the permission in Dockerfile
Should a docker file need to create a user and use it in dockerfile.
Above seems, both windows and linux need separate dockerfile for image creation

Docker is not writing to the defined volumes

I am new to Docker and created following files in a large Node project folder:
Dockerfile
# syntax=docker/dockerfile:1
FROM node:16
# Update npm
RUN npm install --global npm
# WORKDIR automatically creates missing folders
WORKDIR /opt/app
# https://stackoverflow.com/a/42019654/15443125
VOLUME /opt/app
RUN useradd --create-home --shell /bin/bash app
COPY . .
RUN chown -R app /opt/app
USER app
ENV NODE_ENV=production
RUN npm install
# RUN npx webpack
CMD [ "sleep", "180" ]
docker-compose.yml
version: "3.9"
services:
app:
build:
context: .
ports:
- "3000:3000"
volumes:
- ./dist/dockerVolume/app:/opt/app
And I run this command:
docker compose up --force-recreate --build
It builds the image, starts a container and I added a sleep to make sure the container stays up for at least 3 minutes. When I open a console for that container and run cd /opt/app && ls, I can verify that there are a lot of files. project/dist/dockerVolume/app gets created by Docker, but nothing is written to it at any point.
There are no errors or warnings or other indications that something isn't set up correctly.
What am I missing?
First you should move the VOLUME declaration to the end of the Dockerfile, because:
If any build steps change the data within the volume after it has been declared, those changes will be discarded. (Documentation)
After this you will face the issue of how bind mounts and docker volumes work. Unfortunately if you use a bind mount, the contents of the host directory will always replace the files that are already in the container. Files will only appear in the host directory, if they were created during runtime by the container.
Also see:
Docker docs: bind mounts
Docker docs: volumes
To solve the issue, you could use any of these workarounds, depending on your usecase:
Use volumes in your docker-compose.yml file instead of bind mounts (Documentation)
Create the files you want to run on the host instead of in the image, and bind mount them into the container.
Use a bash script in the container that creates the neccessary files (if they are missing) when the container is starting (so the bind mount is already initialized, and the changes will persist) and after that, it starts your processes.

Permission denied: Missing write access to /app - docker error

FROM node:14.16.0-alpine3.13
RUN addgroup app && adduser -S -G app app
USER app
WORKDIR /app
ENV PATH /app/node_modules/.bin:$PATH
COPY package*.json ./
RUN npm install
COPY . .
ENV APP_URL=http://api.myapp.com
EXPOSE 3000
CMD ["npm", "start"]
This is my docker file. I am trying to dockerize a sample react-app. I added user in group and then using that user for further commands as you can see this in second line of this code. I believe by default, only root user has access to write to these files and in order to do changes in these files, root user should not be user. Hence I created app user here.
But after running docker build -t react-app.. I am getting the following error -
What am I doing wrong here? Any suggestions?
After adding Run ls -la and Run whoami -
You are seeing this error because /app directory belongs to root user. The user app which you created has no write permission to this directory. User app needs write permission to install node packages (create node_modules directory and package-lock.json file).
As suggested by #DavidMaze in comments, it would be easy to do package installation as root user and switch to USER app at the last but before the runtime CMD ["npm", "start"].
But still app user would need write permission to node_modules/.cache directory when running the app with npm start command. Hence, we need to provide the write permission to user app for this directory.
Here is an example that does all mentioned above:
FROM node:14.16.0-alpine3.13
WORKDIR /app
ENV PATH /app/node_modules/.bin:$PATH
COPY package*.json ./
RUN npm install
COPY . .
ENV APP_URL=http://api.myapp.com
EXPOSE 3000
RUN addgroup app && adduser -S -G app app
RUN mkdir node_modules/.cache
RUN chown app:app node_modules/.cache
USER app
CMD ["npm", "start"]
Also, note that you are running the React App in development mode using npm start, you might want to use a static server to serve, after creating a build.
when you create user with name "app", a new directory for this user is created in home directory "/home/app"
so,workdir should be like this:
WORKDIR /home/app

Can not connect to node app running in Docker container from browser

I am running a nodejs application in a Docker container. The application is hosted on a bluehost centOS VPS to which I connect using SSH. I use the following command to run the app in the container: sudo docker run -p 80:8080 -d skepticalbonobo/dandakou-nodeapp. Then I check that the container is running using sudo docker ps and sure enough it is. But when I try to access the app from Chrome using the domain name or IP address I get: "This site can’t be reached". I have noticed however that in the output of sudo docker ps, under COMMAND I get docker-entrypoint... as opposed to node app.js and I do not know how to fix it.You can pull the container using docker pull skepticalbonobo/dandakou-nodeapp. Here is the content of my Dockerfile:
RUN mkdir -p /home/node/app/node_modules && chown -R node:node /home/node/app
WORKDIR /home/node/app
COPY package*.json ./
USER node
RUN npm install
COPY . .
USER root
RUN chown -R node:node . .
EXPOSE 8080
CMD [ "node", "app.js" ]
Thank you!
The default for Nodejs app is 3000.
Run following command and check on which port node app is running
sudo docker run -ti skepticalbonobo/dandakou-nodeapp /bin/sh
Expose in Dockerfile is just for documentation purpose.

Docker - Permission denied while trying to access folder created in Dockerfile

I have problem with my Dockerfile (code below)
FROM node:4.2.6
MAINTAINER kamil
RUN useradd -ms /bin/bash node
RUN mkdir -p /home/node/app && chown -R node:node /home/node/app
WORKDIR /home/node/app
COPY /myFolder .
USER node
COPY --chown=node:node . .
RUN ["chmod", "777", "/home/node/app"]
ENTRYPOINT /home/node/app
CMD ["node myApp.js"]
I'm building docker image with
"docker build -t my_docker_image ."
and it finished with no errors.
Next I am running it with command "docker run --name my_run_docker_image -d my_docker_image" and its also finished without errors, but when I want to check status of my new container with "docker ps -l" command i'm getting info that status of my container is "EXITED".
Hence i'm trying to run it once again with command "docker start -a my_run_docker_image" but I'm receiving error:
"node MyApp.js: 1: node myApp.js: /home/node/app: Permission denied"
I was trying to run it with root user, without specified user but every time I have the same issue.
It looks like you may have a problem with your user add command.
Change
RUN useradd -ms /bin/bash/node
to
RUN useradd -ms /bin/bash node
And also
RUN mkdir -p /home/node/app && -R node:node /home/node/app
Needs to change to
RUN mkdir -p /home/node/app && chown -R node:node /home/node/app
The ENTRYPOINT and CMD tell Docker what command to run when you start the container. Since ENTRYPOINT is a bare string, it’s wrapped in a shell, and CMD is ignored. So when you start your container, the main container process is
/bin/sh -c '/home/node/app'
Which fails, because that is a directory.
In this Dockerfile, broadly, I’d suggest two things. The first is to install your application as root but then run it as non-root, as protection against accidentally overwriting the application code. The second is to prefer CMD to ENTRYPOINT in most cases, unless you’re clear on how they interact. You might come up with something more like:
FROM node:4.2.6
MAINTAINER kamil
WORKDIR /app # Docker will create on first use
COPY myFolder .
RUN useradd node # its shell should never matter
USER node
CMD ["node", "myApp.js"]

Resources