I have a Dockerfile:
FROM public.ecr.aws/bitnami/node:15 AS stage-01
COPY package.json /app/package.json
COPY package-lock.json /app/package-lock.json
WORKDIR /app
RUN npm ci
FROM stage-01 AS stage-02
COPY src /app/src
COPY public /app/public
COPY tsconfig.json /app/tsconfig.json
WORKDIR /app
RUN PUBLIC_URL=/myapp/web npm run build
FROM public.ecr.aws/bitnami/nginx:1.20
USER 1001
COPY --from=stage-02 /app/build /app/build
COPY nginx.conf /opt/bitnami/nginx/conf/server_blocks/nginx.conf
COPY ./env.sh /app/build
COPY window.env /app/build
EXPOSE 8080
WORKDIR /app/build
CMD ["/bin/sh", "-c", "/app/build/env.sh && nginx -g \"daemon off;\""]
If I build this image locally it starts normally and does what it has to do.
My local docker version:
Client: Docker Engine - Community
Version: 20.10.7
API version: 1.41
Go version: go1.13.15
Git commit: f0df350
Built: Wed Jun 2 11:56:40 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.8
API version: 1.41 (minimum version 1.12)
Go version: go1.16.6
Git commit: 75249d8
Built: Fri Jul 30 19:52:16 2021
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.4.9
GitCommit: e25210fe30a0a703442421b0f60afac609f950a3
runc:
Version: 1.0.1
GitCommit: v1.0.1-0-g4144b63
docker-init:
Version: 0.19.0
GitCommit: de40ad0
If I build it in Codebuild it does not start:
/app/build/env.sh: 4: /app/build/env.sh: cannot create ./env-config.js: Permission denied
This is the image I am using in codebuild: aws/codebuild/amazonlinux2-x86_64-standard:3.0
I have also run the same script locally and still no error.
What could be the cause of this? If you have something in mind please let me know, otherwise I will post more code
This is my env.sh
#!/usr/bin/env sh
# Add assignment
echo "window._env_ = {" > ./env-config.js
# Read each line in .env file
# Each line represents key=value pairs
while read -r line || [ -n "$line" ];
do
  echo "$line"
  # Split env variables by character `=`
  if printf '%s\n' "$line" | grep -q -e '='; then
    varname=$(printf '%s\n' "$line" | sed -e 's/=.*//')
    varvalue=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=//')
  fi
  # Read value of current variable if exists as Environment variable
  eval value=\"\$"$varname"\"
  # Otherwise use value from .env file
  [ -z "$value" ] && value=${varvalue}
  echo name: "$varname", value: "$value"
  # Append configuration property to JS file
  echo "  $varname: \"$value\"," >> ./env-config.js
done < window.env
echo "}" >> ./env-config.js
buildspec:
version: 0.2
env:
  git-credential-helper: yes
  secrets-manager:
    GITHUB_TOKEN: "github:GITHUB_TOKEN"
phases:
  install:
    runtime-versions:
      nodejs: 12
    commands:
      - npm install
  build:
    commands:
      - echo Build started on `date`
      - GITHUB_USERNAME=${GITHUB_USERNAME} GITHUB_EMAIL=${GITHUB_EMAIL} GITHUB_TOKEN=${GITHUB_TOKEN} AWS_REGION=${AWS_DEFAULT_REGION} GITHUB_REPOSITORY_URL=${GITHUB_REPOSITORY_URL} ECR_REPOSITORY_URL=${ECR_REPOSITORY_URL} ENV=${ENV} node release.js
My build project terraform configuration:
resource "aws_codebuild_project" "dashboard_image" {
  name         = var.project.name
  service_role = var.codebuild_role_arn
  artifacts {
    type = "CODEPIPELINE"
  }
  environment {
    compute_type    = "BUILD_GENERAL1_SMALL"
    image           = "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
    type            = "LINUX_CONTAINER"
    privileged_mode = true
    environment_variable {
      name  = "GITHUB_REPOSITORY_URL"
      value = "https://github.com/${var.project.github_organization_name}/${var.project.github_repository_name}.git"
    }
    environment_variable {
      name  = "ECR_REPOSITORY_URL"
      value = var.project.ecr_repository_url
    }
    environment_variable {
      name  = "ECR_IMAGE_NAME"
      value = var.project.ecr_image_name
    }
    environment_variable {
      name  = "ENV"
      value = "prod"
    }
  }
  source {
    type      = "CODEPIPELINE"
    buildspec = "buildspec.yml"
  }
}
2 Answers
This is the change I had to make to my Dockerfile in order to make it work:
It is probably due to the codebuild permissions when cloning the repository. 777 is just temporary; later I will probably test if I can restrict the permissions.

It's all about your Dockerfile and user permissions in it. Try to run docker run public.ecr.aws/bitnami/nginx:1.20 whoami – you will see that this image has no default user. It will be the same if you exec something inside this container. You have to add --user root to run or exec commands. See section "Why use a non-root container?" in the Bitnami Nginx image documentation.

That's why you don't have permission to create a file inside the /app folder. The owner of this folder is root from the first public.ecr.aws/bitnami/node:15 image (which has root user by default).

In order to make it work in your case you have to change the line from USER 1001 to USER root (or someone with proper permissions) and double check that the env.sh file has execute permission: chmod +x env.sh.
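
A variant of the final stage that restricts permissions instead of using 777 or running as root, added here as an example and not taken from either answer or from Bitnami. It assumes env-config.js is the only file written at container start (as in the env.sh above) and reuses the stage names from the question's Dockerfile.

```dockerfile
# Final stage only; stage-01 and stage-02 are the build stages from the question.
FROM public.ecr.aws/bitnami/nginx:1.20

# Become root only for the build steps that set ownership and modes.
USER 0
COPY --from=stage-02 /app/build /app/build
COPY nginx.conf /opt/bitnami/nginx/conf/server_blocks/nginx.conf
COPY env.sh window.env /app/build/

# Normalise whatever modes the build host left on the files (readable by all,
# writable by the owner only), then pre-create the one file env.sh writes and
# hand just that file to uid 1001. The rest of the web root stays root-owned.
# Assumption: env.sh truncates and appends to ./env-config.js and creates
# nothing else in /app/build.
RUN chmod -R a+rX,go-w /app/build \
 && touch /app/build/env-config.js \
 && chown 1001:0 /app/build/env-config.js \
 && chmod 0644 /app/build/env-config.js \
 && chmod 0555 /app/build/env.sh

# Drop back to the unprivileged user for runtime.
USER 1001
EXPOSE 8080
WORKDIR /app/build
CMD ["/bin/sh", "-c", "/app/build/env.sh && nginx -g \"daemon off;\""]
```

Because the file already exists and belongs to uid 1001, the `>` redirect in env.sh can truncate it without write permission on the directory. A compromised nginx worker can then modify only env-config.js rather than the whole served tree.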