
I have a Dockerfile:

FROM public.ecr.aws/bitnami/node:15 AS stage-01
COPY package.json /app/package.json
COPY package-lock.json /app/package-lock.json
WORKDIR /app
RUN npm ci

FROM stage-01 AS stage-02
COPY src /app/src
COPY public /app/public
COPY tsconfig.json /app/tsconfig.json
WORKDIR /app
RUN PUBLIC_URL=/myapp/web npm run build

FROM public.ecr.aws/bitnami/nginx:1.20

USER 1001

COPY --from=stage-02 /app/build /app/build
COPY nginx.conf /opt/bitnami/nginx/conf/server_blocks/nginx.conf
COPY ./env.sh /app/build
COPY window.env /app/build

EXPOSE 8080
WORKDIR /app/build

CMD ["/bin/sh", "-c", "/app/build/env.sh && nginx -g \"daemon off;\""]

If I build this image locally it starts normally and does what it has to do.

My local docker version:

Client: Docker Engine - Community
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:40 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.8
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.6
  Git commit:       75249d8
  Built:            Fri Jul 30 19:52:16 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.9
  GitCommit:        e25210fe30a0a703442421b0f60afac609f950a3
 runc:
  Version:          1.0.1
  GitCommit:        v1.0.1-0-g4144b63
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

If I build it in CodeBuild it does not start:

/app/build/env.sh: 4: /app/build/env.sh: cannot create ./env-config.js: Permission denied

This is the image I am using in codebuild: aws/codebuild/amazonlinux2-x86_64-standard:3.0

I have also run the same script locally and still get no error.

What could be the cause of this? If you have something in mind please let me know, otherwise I will post more code

This is my env.sh

#!/usr/bin/env sh

# Add assignment
echo "window._env_ = {" > ./env-config.js

# Read each line in .env file
# Each line represents key=value pairs
while read -r line || [ -n "$line" ];
do
  echo "$line"
  # Split env variables by character `=`
  if printf '%s\n' "$line" | grep -q -e '='; then
    varname=$(printf '%s\n' "$line" | sed -e 's/=.*//')
    varvalue=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=//')
  fi

  # Read value of current variable if exists as Environment variable
  eval value=\"\$"$varname"\"
  # Otherwise use value from .env file
  [ -z "$value" ] && value=${varvalue}

  echo name: "$varname", value: "$value"

  # Append configuration property to JS file
  echo "  $varname: \"$value\"," >> ./env-config.js
done < window.env

echo "}" >> ./env-config.js

buildspec:

version: 0.2
env:
  git-credential-helper: yes
  secrets-manager:
    GITHUB_TOKEN: "github:GITHUB_TOKEN"

phases:
  install:
    runtime-versions:
      nodejs: 12
    commands:
      - npm install
  build:
    commands:
      - echo Build started on `date`
      - GITHUB_USERNAME=${GITHUB_USERNAME} GITHUB_EMAIL=${GITHUB_EMAIL} GITHUB_TOKEN=${GITHUB_TOKEN} AWS_REGION=${AWS_DEFAULT_REGION} GITHUB_REPOSITORY_URL=${GITHUB_REPOSITORY_URL} ECR_REPOSITORY_URL=${ECR_REPOSITORY_URL} ENV=${ENV} node release.js

My build project terraform configuration:

resource "aws_codebuild_project" "dashboard_image" {
  name = var.project.name
  service_role = var.codebuild_role_arn
  artifacts {
    type = "CODEPIPELINE"
  }
  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
    type = "LINUX_CONTAINER"
    privileged_mode = true

    environment_variable {
      name = "GITHUB_REPOSITORY_URL"
      value = "https://github.com/${var.project.github_organization_name}/${var.project.github_repository_name}.git"
    }

    environment_variable {
      name = "ECR_REPOSITORY_URL"
      value = var.project.ecr_repository_url
    }

    environment_variable {
      name = "ECR_IMAGE_NAME"
      value = var.project.ecr_image_name
    }

    environment_variable {
      name = "ENV"
      value = "prod"
    }
  }
  source {
    type = "CODEPIPELINE"
    buildspec = "buildspec.yml"
  }
}

2 Answers


  1. Chosen as BEST ANSWER

    This is the change I had to make to my Dockerfile in order to make it work:

    FROM public.ecr.aws/bitnami/node:15 AS stage-01
    COPY package.json /app/package.json
    COPY package-lock.json /app/package-lock.json
    WORKDIR /app
    RUN npm ci
    
    FROM stage-01 AS stage-02
    COPY src /app/src
    COPY public /app/public
    COPY tsconfig.json /app/tsconfig.json
    WORKDIR /app
    RUN PUBLIC_URL=/myapp/web npm run build
    
    FROM public.ecr.aws/bitnami/nginx:1.20
    
    USER root
    
    COPY --from=stage-02 /app/build /app/build
    COPY nginx.conf /opt/bitnami/nginx/conf/server_blocks/nginx.conf
    COPY ./env.sh /app/build
    COPY window.env /app/build
    RUN chmod 777 /app/build/env-config.js
    
    EXPOSE 8080
    WORKDIR /app/build
    USER 1001
    
    CMD ["/bin/sh", "-c", "/app/build/env.sh && nginx -g \"daemon off;\""]
    

    It is probably due to the CodeBuild permissions when cloning the repository.

    777 is just temporary, later I will probably test if I can restrict the permissions.


  2. It’s all about your Dockerfile and user permissions in it. Try to run docker run public.ecr.aws/bitnami/nginx:1.20 whoami – you will see that this image has no default user. It will be the same if you exec something inside this container. You have to add --user root to run or exec commands. See the section "Why use a non-root container?" in the Bitnami Nginx image documentation.

    That’s why you don’t have permission to create file inside the /app folder. The owner of this folder is root from the first public.ecr.aws/bitnami/node:15 image (which has root user by default).

    In order to make it work in your case you have to change the line from USER 1001 to USER root (or someone with proper permissions) and double check that the env.sh file has execute permission (chmod +x env.sh).

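A least-privilege variant of the fix discussed in the answers, as an added example that is not from either answer: root is used only at build time to hand /app/build to UID 1001, so env.sh can create env-config.js without chmod 777 and without running the container as root. It assumes the same files, paths and stage names as the question's Dockerfile.

```dockerfile
FROM public.ecr.aws/bitnami/node:15 AS stage-01
COPY package.json /app/package.json
COPY package-lock.json /app/package-lock.json
WORKDIR /app
RUN npm ci

FROM stage-01 AS stage-02
COPY src /app/src
COPY public /app/public
COPY tsconfig.json /app/tsconfig.json
WORKDIR /app
RUN PUBLIC_URL=/myapp/web npm run build

FROM public.ecr.aws/bitnami/nginx:1.20

# Become root only for the build-time steps that set ownership and modes.
USER root

COPY --from=stage-02 /app/build /app/build
COPY nginx.conf /opt/bitnami/nginx/conf/server_blocks/nginx.conf
COPY ./env.sh /app/build
COPY window.env /app/build

# env.sh runs as UID 1001 and writes ./env-config.js, so that UID needs
# write access to the directory (to create the file) and to any
# env-config.js already shipped in the build output. Owner-only write is
# enough: group and others lose write, nothing is world-writable, and the
# result no longer depends on the file modes of the build host's checkout.
RUN chown -R 1001:0 /app/build \
 && chmod -R u+rwX,go-w /app/build \
 && chmod 0755 /app/build/env.sh

EXPOSE 8080
WORKDIR /app/build

# Drop privileges again: the running container is still non-root.
USER 1001

CMD ["/bin/sh", "-c", "/app/build/env.sh && nginx -g 'daemon off;'"]
```

Running `ls -ln /app/build` in the built image should show owner 1001 with write permission on the directory and on env-config.js, and no write bit for group or others.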