LaurentGoderre
commented
6 years ago If I remember correctly, folder created by WORKDIR are owned by root even if they are created after the USER directive. Try creating the folder first
Open ORESoftware opened 6 years ago
LaurentGoderre
commented
6 years ago If I remember correctly, folder created by WORKDIR are owned by root even if they are created after the USER directive. Try creating the folder first
ORESoftware
commented
6 years ago Yeah I tried that too, I still get permissions errors with this:
RUN mkdir -p /home/node/app
WORKDIR /home/node/app
serbanghita
commented
6 years ago I have the same issue
ORESoftware
commented
6 years ago Just do this and call it a day lol
RUN sudo chmod -R 777 /home/node/appF it lol...just run that before and after npm install and you should be g2g. Even better, do this:
RUN sudo chmod -R 777 /home/node
minnam
commented
6 years ago Correct me if I'm wrong. The doc is recommending us to declare user as node because Docker runs container as root by default.
So you declare it at the end
FROM node:9
WORKDIR /home/node/app
COPY package.json .
RUN npm install --loglevel=warn;
USER nodeYou should not run node as root, bad things can happen (see the last issue with changing files permissions).
I think you need to make sure that when the node user is created it has the right permissions over /home/node (eg. https://github.com/vvo/selenium-standalone/blob/master/Dockerfile#L29). Maybe the permissions are not well propagated to subsequent directories:
@ORESoftware do a docker exec ls -al /home/node/app and check who owns that?
albertoantunes
commented
5 years ago @ORESoftware i believe this issue happens because only the /home/node directory is owned by the node user in the default node image. The /app directory is created and owned by root. If you change the WORKDIR to /home/node it should work.
0xDones
commented
5 years ago @albertoantunes You are right, it worked for me. Here is my Dockerfile, hope it helps some with the same problem.
FROM node:8
USER node
ENV NPM_CONFIG_PREFIX=/home/node/.npm-global
ENV PATH=$PATH:/home/node/.npm-global/bin
WORKDIR /home/node
COPY package.json .
RUN npm install --only=prod
COPY . .
samson-sham
commented
5 years ago This has been a nightmare for me...
Can this be documented as what the Best Practice is suggesting to use USER node but doesn't provide a viable config?
Maxime1991
commented
5 years ago @ORESoftware I had the same issue, you can specify the user with the COPY command. See my Dockerfile:
FROM node:latest
USER node
ARG APP=app
ARG HOME=/home/node
ENV NPM_CONFIG_PREFIX=$HOME/.npm-global
ENV PATH=$PATH:$HOME/.npm-global/bin
COPY --chown=node:node ./$APP/package*.json $HOME/$APP/The COPY is done by default with root (source):
All new files and directories are created with a UID and GID of 0, unless the optional --chown flag specifies a given username, groupname, or UID/GID combination to request specific ownership of the copied content.
Note that COPY --chown won't work with all docker versions (see here). Mine is 18.03.1-ce.
christyjacob4
commented
5 years ago I had the same issue and here's my Dockerfile. This fixed it
#Choose the base image for the build
FROM node:8-alpine
RUN mkdir -p /home/node/app && chown -R node:node /home/node/app
WORKDIR /home/node/app
COPY package*.json ./
USER node
RUN npm install
COPY --chown=node:node . .
RUN ["chmod", "755", "your-script.sh"]
EXPOSE 4140
CMD [ "node", "index.js" ]The trick was to use
RUN ["chmod", "755", "your-script.sh"]
GeorgeKagan
commented
4 years ago This worked for me.
A combination of using the existing /home/node dir to host the app files and specifying the user and group for the COPY commands.
FROM node:12.10.0-slim
USER node
RUN mkdir -p /home/node/app
WORKDIR /home/node/app
COPY --chown=node:node package.json .
COPY --chown=node:node yarn.lock .
RUN yarn --pure-lockfile
COPY --chown=node:node . .
EXPOSE 4040
CMD [ "node", "index.js" ]
derhecht
commented
4 years ago another working approach: start docker run with -e npm_config_cache=/path/to/cache and setup the folder e.g. in working dir
then I could use non-root user + get npm install working as it does not try to create a /.npm folder
antonovicha
commented
4 years ago I had a problem of creating files / directories while node app is running (logs directory for example, when I don't care about them and do not mount logs dir from host). Here is my solution:
RUN chown node:node /usr/src/app
USER node
CMD ["npm", "start"]That way app can create new files / directories inside of /usr/src/app. All other files/dirs are owned by root, and can not be modified by app (totally fine for me).
derhecht
commented
4 years ago yes but e.g. Jenkins setup working dir in pipeline approach on its own and you cannot really/easy/good overwrite it and you have to handle a different working dir so
antonovicha
commented
4 years ago @derhecht Sorry did not understood completely. If your comment was addressed to me, and it meant to say: when app is built on Jenkins it causes errors because of .npm dir, then here is the solution that we are using:
environment {
HOME = '.'
}Also do not forget to include .npm into your .dockerignore so that its content is not sent to daemon during build (not a big deal, but still).
ecs-hk
commented
4 years ago This issue/discussion is currently the top Google hit for the terms:
docker Error: EACCES: permission denied, scandir
[ None of the solutions in this thread were the cause of my specific issue, so I'm adding a comment here. ]
In my case, I created a new LVM2 logical volume and mounted it to /var/lib/docker (i.e. so that Docker would have room to grow). Afterward, my builds began failing with the error message I quoted above. I determined the cause to be SELinux context. The fix was simply:
sudo /usr/sbin/restorecon -R /var/lib/dockermay anyone could use it, we solved Jenkins Docker scripted pipeline build with the following setup/commands/variables:
docker.image('node:8').inside("-e npm_config_cache=$env.WORKSPACE/.npm") { sh "npm install && export BABEL_CACHE_PATH=$env.WORKSPACE/.babel.json && npm run build" }
blakemorgan
commented
3 years ago Note this comment in the Best Practices documentation: # At the end, set the user to use when running this image. What I ended up doing is running the Dockefile as the root user, then copying everything I need, using the --chown node:node flag in the COPY command when needed, then changing the user to node before running the application.
FROM node:14.15.4-slim
WORKDIR /home/node
COPY --from=build --chown=node:node ./ /home/node
ENV NODE_ENV="production"
ENV PORT="8080"
EXPOSE 8080
USER node
CMD ["node", "app.js"]
mikhailrojo
commented
3 years ago hi guys,
sometimes this happens - when the container you are trying to use (FROM) - set up the user already and it is different from the root. In this case permission is denied
abhaykumar01234
commented
3 years ago This dockerfile works fine with any image but the issue comes when you try to mount the volume <current_dir>:/home/node
FROM node:latest
ENV NODE_ENV="development"
ENV PORT="4000"
WORKDIR /home/node
COPY --chown=node:node ./node_project /home/node
RUN npm install
EXPOSE ${PORT}
USER node
ENTRYPOINT ["npm", "run", "dev"]version: "3.1"
services:
node:
build:
context: .
dockerfile: node.dockerfile
container_name: node_server
ports:
- "4000:4000"
volumes:
- ./node_project:/home/node ----------> this creates the issue, remove this and everything worksHow to fix this? How to mount current folder as volume inside docker container?
rod-glover
commented
3 years ago @abhaykumar01234 , if you build the project with the context . (where your ./node_project lives), then you don't need to mount the directory. The COPY command loads that content for you.
However ... you have to build the image each time you make a change to the code. The image contains an unchanging copy of the code as of build time.
If your objective is to have a container with "live" code changes (made from the host machine) available inside the container, then you will need a different arrangement. It's a bit complicated, and it's Friday afternoon, so I'll post some information on this on Monday.
rod-glover
commented
3 years ago @abhaykumar01234 , the basic problem is that your container is using a user (in this case node, I believe) which does not map (see below) onto a user in the host that has permission to write to the directory you mounted. You get an error because the npm install writes to that directory but the user in the host doesn't have permission.
It helps to understand what "map" means here: When a Docker container is run, the users inside the container are also interpreted as users in the host. The identity of the host user is determined by the numeric user id of the user inside the container.
All solutions to this problem involve ensuring that the user inside the container maps onto a suitable user on the host. This can be done in several ways.
The simplest way is to define and use a user in the image (i.e., in the Dockerfile) whose numeric user id is the same as a host user with suitable permissions (e.g., your own user id). This is not very flexible because the user id is fixed, but if you don't need that flexibility, it's effective.
A more flexible way to do much the same thing is to specify a user id externally when you build your image. There's some good advice on this in Avoiding Permission Issues With Docker-Created Files.
A more complex but fully flexible solution to the problem is to use Docker's user namespace mapping facility. I am doing this with a couple of Python projects, and I haven't yet worked out all the kinks, but in principle it's reasonably straightforward. I found the following articles helpful:
A few other remarks:
COPY it also in the image. The mount supersedes the copy.node:latest set for you? Is your own Dockerfile's command USER node necessary?
hraban
commented
3 years ago Yeah I tried that too, I still get permissions errors with this:
RUN mkdir -p /home/node/app WORKDIR /home/node/app
@ORESoftware FWIW this works for me. It fixes the permissions issue.
herbievine
commented
2 years ago Guys, I'm absolultly shit at Docker, I don't understand anything in this thread. Can someone please help me?
Here's my Dockerfile:
FROM node:latest
WORKDIR /usr/src/app
COPY package.json ./
COPY yarn.lock ./
RUN yarn
COPY . .
COPY .env.production .env
RUN yarn build
RUN yarn db:pull
ENV NODE_ENV production
EXPOSE 3000
CMD [ "node", "dist/main" ]
USER nodeI get this error:
yarn docker:run
yarn run v1.22.10
$ docker run -p 3000:3000 blog-api
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [NestFactory] Starting Nest application...
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] AppModule dependencies initialized +129ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] PassportModule dependencies initialized +1ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] ThrottlerModule dependencies initialized +1ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] JwtModule dependencies initialized +0ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] ConfigHostModule dependencies initialized +0ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] UsersModule dependencies initialized +1ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] ConfigModule dependencies initialized +2ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] AuthModule dependencies initialized +1ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] PostsModule dependencies initialized +0ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] CategoriesModule dependencies initialized +1ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] GraphQLSchemaBuilderModule dependencies initialized +0ms
[Nest] 1 - 11/08/2021, 6:12:26 PM LOG [InstanceLoader] GraphQLModule dependencies initialized +1ms
node:internal/process/promises:246
triggerUncaughtException(err, true /* fromPromise */);
^
[Error: EACCES: permission denied, open '/usr/src/app/schema.gql'] {
errno: -13,
code: 'EACCES',
syscall: 'open',
path: '/usr/src/app/schema.gql'
}@herbievine , I think your problem is that WORKDIR creates the working directory as root, but the process is running as user node when you run the CMD. (Pretty sure the default user for the image node -- your base image -- is user node.) This means that GraphQL (or anything else) can't create files in the working directory, which is what appears to be problem here.
The likely fix is to explicitly create the WORKDIR directory and give it correct ownership and permissions before you select it as WORKDIR. You may need to do this as root:
USER root
# Do stuff ...
USER nodeDon't stay as user root for the rest of the image, it exposes a lot of security vulnerabilities and you DO NOT want that.
thajib
commented
2 years ago I added 'user: node' on my docker-compose.yml and it fixed the issue.
version: '3'
services:
app-name:
user: node
@thajib , that means your container will be running all its commands as the root user -- both inside the container and outside the container (unless, for the latter, you have set up user namespace mapping). This exposes you to serious security risks unless you are running the container entirely behind a firewall with no outside access to it. Even then, it's not a good idea; anyone inside your firewall can docker exec into the container and from there they have root privilege on your system(s), and can effectively do anything.
That's the reason the node image gives you a default non-root user (named node).
For further information on this, search things like "Docker best practices security".
thajib
commented
2 years ago I have corrected it now. I intended to use 'node' and I typed 'root' :-(
dgleba
commented
2 years ago I made a few example docker and compose files and I found the following.
For volume mount where the folders don't exist before running the container gets folders made as root. This means no non-root user permissions to that folder or subfolders.
Making the folders to be mounted in the host before running the container means the permissions will be preserved in the container by user ID. Permission granted.
Dockerfile:
FROM node:16-slim
USER node
CMD ["yarn", "serve"]Bash code:
export iiname=userdocker_aa; echo ${PWD};
docker rmi $iiname
docker build -t $iiname .
#
runa() {
echo $1; echo iiname=$iiname
docker run --rm -v "${PWD}/$1:/$1" -w "/$1" -it $iiname sh -c "touch afile;"
}
# error: touch: cannot touch 'afile': Permission denied
ls -l code; runa code
# Works!
mkdir code2; runa code2; ls -laR;Output:
code/ doesn't exist before running and gets root permissions. Cannot touch the file. touch: cannot touch 'afile': Permission denied
code2/ is created before running and has host user permissions. Can touch file.
albe@racknerd-4f4016:/ap/dkr/605dkrcollection/userdocker/u7$ bash sha
/ap/dkr/605dkrcollection/userdocker/u7
Untagged: userdocker_aa:latest
Deleted: sha256:677eddefff16ad91a8fa95f40992720bbb4f49f38ad155312fff8c05e9ff234f
Sending build context to Docker daemon 4.608kB
Step 1/3 : FROM node:16-slim
---> 13cc87dcb313
Step 2/3 : USER node
---> Using cache
---> 5d28a19d291f
Step 3/3 : CMD ["yarn", "serve"]
---> Running in faba7178762b
Removing intermediate container faba7178762b
---> a29162820ea8
Successfully built a29162820ea8 Successfully tagged userdocker_aa:latest
code
iiname=userdocker_aa
touch: cannot touch 'afile': Permission denied
mkdir: cannot create directory ‘code2’: File exists
code2
iiname=userdocker_aa
drwxr-xr-x 2 root root 4096 Jan 8 13:35 code
drwxrwxr-x 2 albe albe 4096 Jan 8 13:35 code2
./code2:
drwxrwxr-x 2 albe albe 4096 Jan 8 13:35 .
drwxrwxr-x 4 albe albe 4096 Jan 8 13:36 ..
-rw-r--r-- 1 albe albe 0 Jan 8 13:37 afileSo I think a solution is to create ./app on the host and mount that as a volume with -v "${PWD}/app://home/node/app. If the host user and the container user are both ID=1000 then the permissions match. On Debian systems the first user is given ID=1000, but you can create users with an assigned ID if need be.
All the code is here: https://github.com/dgleba/605dkrcollection/tree/main/userdocker/u7
salehhoushangi
commented
2 years ago I know this is old poet but below code worked for me: FROM node:14.16.0-alpine3.13
RUN addgroup app && adduser -S -G app app RUN mkdir -p /app && chown -R app:app /app USER app WORKDIR /app COPY package*.json ./ RUN npm install COPY . .
EXPOSE 3000
CMD ["npm", "start"]
iglizar
commented
2 years ago Correct me if I'm wrong. The doc is recommending us to declare user as node because Docker runs container as root by default.
So you declare it at the end
FROM node:9 WORKDIR /home/node/app COPY package.json . RUN npm install --loglevel=warn; USER node
Thank you so much! This really solved my problem!
lgrachov
commented
2 years ago I know WORKDIR permissions
marcosaguilera-glober
commented
2 years ago I was getting same issue: # EACCES: permission denied, mkdir '/root/.cache/Cypress'
I've fixed like this:
#Cypress version using
FROM cypress/included:10.6.0RUN apt-get install sudo
WORKDIR /home/pwsh/tempVolume
ENTRYPOINT ["/bin/sh", "./entrypoint.sh"]
2. In my entrypoint.sh script fileecho "I'm into the sh file"
sudo npm install --unsafe-perm=true --allow-root
cypress run
I messed up a time with this issue, and I tried with permissions `chown node:node`, also some `chmod -R 777`, but nothing worked for me, so I installed `apt-get install sudo` into Linux distro given superpowers to handle internally the permissions. Maybe is unorthodox but, worked for me.
Hope this help anyone.
ryepup
commented
1 year ago I was able to solve this with a newer docker backend component called buildkit. Buildkit mode is enabled by default for Docker Desktop users, and can be enabled manually by setting an environment variable when building the image:
DOCKER_BUILDKIT=1 docker build ...
Buildkit creates directories a little differently. Say we have a dockerfile that just prints out details of the WORKDIR:
FROM node:18-alpine
USER node
WORKDIR /app
CMD stat /appWithout buildkit, the WORKDIR is owned by root:
$ docker build --quiet . -t demo
sha256:28817c441bf181fa589ed827acc08bed54605977f26c46b4923e69da2261d21d
$ docker run --rm demo
File: /app
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 93h/147d Inode: 22454774 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
...With buildkit, the WORKDIR is owned by our USER:
$ DOCKER_BUILDKIT=1 docker build --quiet . -t demo
sha256:37ae7418d59cba2024bff10c798f6577b1de84ddd8a275d12b63cad19554d759
$ docker run --rm demo
File: /app
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 8dh/141d Inode: 22558956 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 1000/ node) Gid: ( 1000/ node)
...When the WORKDIR is owned by the USER, any further RUN commands that want to create files in the WORKDIR will have enough permissions.
hafidousbaa
commented
1 year ago i get the same error when i want to build the image used podman on my runner when i run my pipeline show STEP 4: RUN npm install -g npm@9.6.0 exec /bin/sh: permission denied Error: error building at STEP "RUN npm install -g npm@9.6.0": error while running runtime: exit status 1
ghost
commented
1 year ago I'm not sure if it's the same issue, but I've stumble upon this GitHub issue trying to find out what's happening with my NestJS app. When trying to start development mode, Nest tries to rmdir the dist/ folder, but it stops because of permission denied, even with user being specified in the compose file and in the Docker file.
jeffkeilman
commented
9 months ago This worked for me. A combination of using the existing
/home/nodedir to host the app files and specifying the user and group for theCOPYcommands.FROM node:12.10.0-slim USER node RUN mkdir -p /home/node/app WORKDIR /home/node/app COPY --chown=node:node package.json . COPY --chown=node:node yarn.lock . RUN yarn --pure-lockfile COPY --chown=node:node . . EXPOSE 4040 CMD [ "node", "index.js" ]
Years later, you are helping me when several guides from well-known tech companies have failed. Thanks!
I have this:
and I get:
this seems completely crazytown. How does my user not have access to this directory by default considering it was "created" by the WORKDIR command after USER was declared?