permission denied, mkdir in container on openshift

ivoba picture ivoba · Feb 21, 2017 · Viewed 15.9k times · Source

I have a container with nodejs and pm2 as start command and on OpenShift i get this error on startup:

Error: EACCES: permission denied, mkdir '/.pm2'

I tried same image on a Marathon hoster and it worked fine.

Do i need to change something with UserIds?

The Dockerfile:

FROM node:7.4-alpine

RUN npm install --global yarn pm2

RUN mkdir /src

COPY . /src

WORKDIR /src

RUN yarn install --production

EXPOSE 8100

CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]

Update
the node image already creates a new user "node" with UID 1000 to not run the image as root.
I also tried to fix permissions and adding user "node" to root group.
Further i told pm2 to which dir it should use with ENV var:

PM2_HOME=/home/node/app/.pm2

But i still get error:

Error: EACCES: permission denied, mkdir '/home/node/app/.pm2'

Updated Dockerfile:

FROM node:7.4-alpine

RUN npm install --global yarn pm2

RUN adduser node root
COPY . /home/node/app
WORKDIR /home/node/app
RUN chmod -R 755 /home/node/app
RUN chown -R node:node /home/node/app

RUN yarn install --production

EXPOSE 8100

USER 1000

CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]

Update2 thanks to Graham Dumpleton i got it working

FROM node:7.4-alpine

RUN npm install --global yarn pm2

RUN adduser node root
COPY . /home/node/app
WORKDIR /home/node/app

RUN yarn install --production

RUN chmod -R 775 /home/node/app
RUN chown -R node:root /home/node/app

EXPOSE 8100

USER 1000

CMD ["pm2-docker", "start", "--auto-exit", "--env", "production", "process.yml"]

Answer

Graham Dumpleton picture Graham Dumpleton · Feb 21, 2017

OpenShift will by default run containers as a non root user. As a result, your application can fail if it requires it runs as root. Whether you can configure your container to run as root will depend on permissions you have in the cluster.

It is better to design your container and application so that it doesn't have to run as root.

A few suggestions.

  • Create a special UNIX user to run the application as and set that user (using its uid), in the USER statement of the Dockerfile. Make the group for the user be the root group.

  • Fixup permissions on the /src directory and everything under it so owned by the special user. Ensure that everything is group root. Ensure that anything that needs to be writable is writable to group root.

  • Ensure you set HOME to /src in Dockerfile.

With that done, when OpenShift runs your container as an assigned uid, where group is root, then by virtue of everything being group writable, application can still update files under /src. The HOME variable being set ensures that anything written to home directory by code goes into writable /src area.