CODEWITHSUNDEEP
node.jsdockeropenshiftpm2
ivoba
ivoba

Reputation: 5986

permission denied, mkdir in container on openshift

I have a container with nodejs and pm2 as start command and on OpenShift i get this error on startup:

Error: EACCES: permission denied, mkdir '/.pm2'

I tried same image on a Marathon hoster and it worked fine.

Do i need to change something with UserIds?

The Dockerfile:

FROM node:7.4-alpine

RUN npm install --global yarn pm2

RUN mkdir /src

COPY . /src

WORKDIR /src

RUN yarn install --production

EXPOSE 8100

CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]

Update
the node image already creates a new user "node" with UID 1000 to not run the image as root.
I also tried to fix permissions and adding user "node" to root group.
Further i told pm2 to which dir it should use with ENV var:

PM2_HOME=/home/node/app/.pm2

But i still get error: 

Error: EACCES: permission denied, mkdir '/home/node/app/.pm2'

Updated Dockerfile:

FROM node:7.4-alpine

RUN npm install --global yarn pm2

RUN adduser node root
COPY . /home/node/app
WORKDIR /home/node/app
RUN chmod -R 755 /home/node/app
RUN chown -R node:node /home/node/app

RUN yarn install --production

EXPOSE 8100

USER 1000

CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]

Update2 thanks to Graham Dumpleton i got it working

FROM node:7.4-alpine

RUN npm install --global yarn pm2

RUN adduser node root
COPY . /home/node/app
WORKDIR /home/node/app

RUN yarn install --production

RUN chmod -R 775 /home/node/app
RUN chown -R node:root /home/node/app

EXPOSE 8100

USER 1000

CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]

Upvotes: 20

Views: 41371

Answers (5)

jcompetence
jcompetence

Reputation: 8383

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.

Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:

RUN chgrp -R 0 /some/directory && \
    chmod -R g=u /some/directory


WORKDIR /some/directory

Because the container user is always a member of the root group, the container user can read and write these files.

https://docs.openshift.com/container-platform/4.11/openshift_images/create-images.html#use-uid_create-images

Example on how this would look on the docker file:

# Add non-root user (with home dir at /opal)

RUN useradd -m -b / -s /bin/bash opal

RUN chgrp -R 0 /opal && \
    chmod -R g=u /opal

WORKDIR /opal

This way you would be running as opal user, but the WORKDIR /opal has root as group.

Upvotes: 0

loonis
loonis

Reputation: 1487

Graham Dumpleton'solution is working but not recommended.

Openshift, will use random UIDs when running containers.

You can see that in the generated Yaml of your Pod.

spec:
    - resources:
      securityContext:
        runAsUser: 1005120000

You should instead apply Docker security best practices to write your Dockerfile.

  1. Do not bind the execution of your application to a specific UID : Make resources world readable (i.e., 0644 instead of 0640) and executable when needed.

  2. Make executables owned by root and not writable

For a full list of recommendation see : https://sysdig.com/blog/dockerfile-best-practices/

In your case, there is not need to :

RUN adduser node root
...
RUN chown -R node:node /home/node/app
USER 1000

In the original question, the application files are already owned by root.
The following chmod is enough to make them readable and executable to the world.

RUN chmod -R 775 /home/node/app

Upvotes: 0

Gloorfindel
Gloorfindel

Reputation: 404

You can also run the below command which grants root access to the project you are logged in as:

oc adm policy add-scc-to-user anyuid -z default

Upvotes: 5

Victor Rocheron
Victor Rocheron

Reputation: 69

What kind of openshift are you using ?

You can edit the "restricted" Security Context Constraints :

From openshift CLI : 

oc edit scc restricted

And change :

runAsUser:
  type: RunAsUSer

to 

runAsUser:
  type: RunAsAny

Note that Graham Dumpleton's answer is proper

Upvotes: -4

Graham Dumpleton
Graham Dumpleton

Reputation: 58523

OpenShift will by default run containers as a non root user. As a result, your application can fail if it requires it runs as root. Whether you can configure your container to run as root will depend on permissions you have in the cluster.

It is better to design your container and application so that it doesn't have to run as root.

A few suggestions.

  • Create a special UNIX user to run the application as and set that user (using its uid), in the USER statement of the Dockerfile. Make the group for the user be the root group.

  • Fixup permissions on the /src directory and everything under it so owned by the special user. Ensure that everything is group root. Ensure that anything that needs to be writable is writable to group root.

  • Ensure you set HOME to /src in Dockerfile.

With that done, when OpenShift runs your container as an assigned uid, where group is root, then by virtue of everything being group writable, application can still update files under /src. The HOME variable being set ensures that anything written to home directory by code goes into writable /src area.

Upvotes: 21

Related Questions