
I have my Docker application running on OpenShift. I am facing a permission issue in the container. My Dockerfile looks like this:

.....

RUN chmod +x /tmp/ui-app/isf-management-api

# Hand the writable tree to the root group and give the group the owner's permissions
RUN chgrp -R 0 /tmp/ui-app/build/ && \
    chmod -R g=u /tmp/ui-app/build/

# Set the entry point
ENTRYPOINT (cd /tmp/ui-app && ./management-api)

USER 65534

EXPOSE 10555

I added chgrp and chmod so that I could create/update the file in the container programmatically. It works correctly on some clusters, but some clusters still give the permission issue. After debugging more, I found that the user in the containers is different.

In the non-working case:

sh-4.4$ touch 1
touch: cannot touch '1': Permission denied
sh-4.4$ whoami
nobody
sh-4.4$ 

On the other hand, in the working case it is:

sh-4.4$ whoami
1000630000
sh-4.4$ touch 3
sh-4.4$ 

But the docker image is the same in both places.

Any idea what’s wrong here?


Answers


  1. Chosen as BEST ANSWER

    Got the issue. USER 65534 is nobody. The Dockerfile should specify 1001 as the non-root user.


  2. Quoting the docs:

    By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

    For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.

    The docs then give some examples of how to build a Dockerfile that complies with this, as well as how to modify the SecurityContextConstraint if you really must violate this security policy. (Which it doesn’t sound like you need to.)
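The two answers above come down to one check: whatever UID the container ends up with, every path the process writes must belong to the root group and carry the owner's permission bits on the group. The script below is an added example (not code from the questioner, the answerers or the OpenShift docs) that audits a directory tree for exactly that rule and applies the `chgrp -R 0 && chmod -R g=u` remedy. The function names and the sample tree are constructed for illustration; the default group id of 0 matches what OpenShift assigns, and the optional second argument lets you audit against another gid (for instance your own, when running the script unprivileged).

```shell
#!/bin/sh
# Added example: audit a build tree for the OpenShift "arbitrary UID" rule
# (root group ownership, group bits equal to owner bits) and apply the fix.
# Function names and the sample tree are constructed, not from the page.

# Print one "reason path" line for every entry under $1 that would fail when
# the process runs as a random UID whose only useful group is $2 (0, the root
# group, on OpenShift). Returns 1 if anything is listed, 0 if the tree is clean.
check_arbitrary_uid_perms() {
    dir=$1
    gid=${2:-0}
    violations=$(
        find "$dir" ! -group "$gid" | sed 's/^/wrong-group /'
        find "$dir" ! -perm -020 | sed 's/^/not-group-writable /'
        find "$dir" -type f -perm -100 ! -perm -010 | sed 's/^/missing-group-exec /'
    )
    [ -z "$violations" ] && return 0
    printf '%s\n' "$violations"
    return 1
}

# The remedy the docs prescribe: hand the tree to the root group and copy the
# owner bits onto the group bits (what "chgrp -R 0 && chmod -R g=u" does).
fix_arbitrary_uid_perms() {
    dir=$1
    gid=${2:-0}
    chgrp -R "$gid" "$dir" && chmod -R g=u "$dir"
}

# Build a throwaway tree shaped like the question's layout; prints its path.
# (Constructed sample, not the questioner's /tmp/ui-app.)
make_sample_tree() {
    tree=$(mktemp -d)                    # mktemp gives mode 700: owner only
    mkdir -p "$tree/build"
    printf '{"port": 10555}\n' > "$tree/build/config.json"
    printf '#!/bin/sh\nexit 0\n' > "$tree/management-api"
    chmod 755 "$tree/build"
    chmod 644 "$tree/build/config.json"  # owner may write, group may not
    chmod 700 "$tree/management-api"     # owner may execute, group may not
    printf '%s\n' "$tree"
}

# Number of violations under $1 against gid $2; handy in CI scripts.
count_violations() {
    check_arbitrary_uid_perms "$1" "$2" | wc -l | tr -d ' '
}

# Demo run: RUN_DEMO=1 TARGET_GID=$(id -g) sh check_perms.sh
if [ -n "${RUN_DEMO:-}" ]; then
    sample=$(make_sample_tree)
    echo "before fix:"; check_arbitrary_uid_perms "$sample" "${TARGET_GID:-0}"
    fix_arbitrary_uid_perms "$sample" "${TARGET_GID:-0}"
    echo "after fix:";  check_arbitrary_uid_perms "$sample" "${TARGET_GID:-0}" && echo "clean"
    rm -rf "$sample"
fi
```

Run it inside the image build (or against an extracted layer) with the default gid of 0 before adding the `USER` line; on a workstation, pass `TARGET_GID=$(id -g)` so the group-ownership test is meaningful without root. On the sample tree the audit reports five problems (the temp directory, `build/` and `config.json` are not group-writable, `management-api` is neither group-writable nor group-executable) and none after the fix, which is the same transition the questioner's `chgrp`/`chmod` lines perform on `/tmp/ui-app/build/`.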
