I have a GitHub Actions workflow where my build is failing because Docker can’t install all of libraries from my requirements.txt
file.
During the COPY ./requirements.txt .
step and after the packages are finished downloading, the install phase stops with the error: ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: '/nonexistent'
As I was looking through the logs, I noticed:
#7 [2/7] RUN adduser --system nonroot
#0 0.105 Adding system user `nonroot' (UID 100) ...
#0 0.105 Adding new user `nonroot' (UID 100) with group `nogroup' ...
#7 0.117 Not creating `/nonexistent'. <---???
#7 DONE 0.7s
This is a snippet from a CI workflow that succeeded yesterday:
#7 [2/7] RUN adduser --system nonroot
#0 0.099 Adding system user `nonroot' (UID 101) ...
#0 0.099 Adding new user `nonroot' (UID 101) with group `nogroup' ...
#7 0.120 Creating home directory `/home/nonroot' ...
#7 DONE 0.5s
I don’t understand what is causing this. My Dockerfile has not changed in months.
FROM python:3.10-slim
RUN adduser --system nonroot
USER nonroot
WORKDIR /home/nonroot
RUN mkdir /home/nonroot/app
COPY ./requirements.txt .
RUN pip3 install --no-cache-dir -r requirements.txt
COPY . .
CMD ["python3", "standings.py"]
2
Answers
I still don't know what changed but I updated my Dockerfile to:
then all is good. smh.
There has been a change in the behaviour of
adduser
in relation to system users.TLDR;
System users now do not get a home directory by default (actually, they get
/nonexistent
, which should never exist :D). If you still require to have a home directory for this system user, the--home DIR
argument needs to be set.Full explanation
This change happened at: https://salsa.debian.org/debian/adduser/-/merge_requests/20
In this specific case, the python project has replaced the default
python:3.10
OCI image, from Debianbullseye
tobookwork
, at https://github.com/docker-library/python/pull/822, which now uses the new version ofadduser
with the previously linked change.This can also be seen in the manpages of both Debian versions: