Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Copying files with execute permissions in Docker Image

Seems like a basic issue but couldnt find any answers so far ..

When using ADD / COPY in Dockerfile and running the image on linux, the default file permission of the file copied in the image is 644. The onwner of this file seems to be as 'root'

However, when running the image, a non-root user starts the container and any file thus copied with 644 permission cannot execute this copied/added file and if the file is executed at ENTRYPOINT it fails to start with permission denied error.

I read in one of the posts that COPY/ADD after Docker 1.17.0+ allows chown but in my case i dont know who will be the non-root user starting so i cannot set the permission as that user.

I also saw another work around to ADD/COPY files to a different location and use RUN to copy them from the temp location to actual folder like what am doing below. But this approach doesnt work as the final image doesnt have the files in /otp/scm

#Installing Bitbucket and setting variables  
WORKDIR /tmp
ADD atlassian-bitbucket-${BITBUCKET_VERSION}.tar.gz .
COPY bbconfigupdater.sh .

#Copying Entrypoint script which will get executed when container starts 
WORKDIR /tmp 
COPY entrypoint.sh .

RUN ls -lrth /tmp

WORKDIR /opt/scm 
RUN pwd && cp /tmp/bbconfigupdater.sh /opt/scm \
 && cp /tmp/entrypoint.sh /opt/scm \
 && cp -r /tmp/atlassian-bitbucket-${BITBUCKET_VERSION} /opt/scm \
 && chgrp -R 0 /opt/ \
 && chmod -R 755 /opt/ \
 && chgrp -R 0 /scm/bitbucket \
 && chmod -R 755 /scm/bitbucket \
 && ls -lrth /opt/scm && ls -lrth /scmdata 

Any help is appreciated to figure out how i can get my entrypoint script copied to the desired path with execute permissions set.

like image 593
Raghav Vaidhyanathan Avatar asked Jun 12 '19 09:06

Raghav Vaidhyanathan


People also ask

Can you copy a file into a Docker image?

Dockerfile Dockerfiles are used to build Docker images, which are then instantiated into Docker containers. Dockerfiles can contain several different instructions, one of which is COPY. The COPY instruction lets us copy a file (or files) from the host system into the image.

Will Docker copy overwrite?

When copying a single file to an existing LOCALPATH, the docker cp command will either overwrite the contents of LOCALPATH if it is a file or place it into LOCALPATH if it is a directory, overwriting an existing file of the same name if one exists. For example, this command: $ docker cp sharp_ptolemy:/tmp/foo/myfile.

How do I copy a file from a Docker container?

To summarize, follow these steps to copy a file from a Docker container to a host machine: Obtain the name or id of the Docker container. Issue the docker cp command and reference the container name or id. The first parameter of the docker copy command is the path to the file inside the container.

How do I copy a file from one Docker container to another?

You can use the docker cp command to copy the file. The first path (Source) is the path in the Docker Container and the second one is the path inside your Local System (Destination).


1 Answers

The default file permission is whatever the file permission is in your build context from where you copy the file. If you control the source, then it's best to fix the permissions there to avoid a copy-on-write operation. Otherwise, if you cannot guarantee the system building the image will have the execute bit set on the files, a chmod after the copy operation will fix the permission. E.g.

COPY entrypoint.sh .
RUN chmod +x entrypoint.sh

A better option with newer versions of docker (and which didn't exist when this answer was first posted) is to use the --chmod flag (the permissions must be specified in octal at last check):

COPY --chmod=0755 entrypoint.sh .

You do not need to know who will run the container. The user inside the container is typically configured by the image creator (using USER) and doesn't depend on the user running the container from the docker host. When the user runs the container, they send a request to the docker API which does not track the calling user id.

The only time I've seen the host user matter is if you have a host volume and want to avoid permission issues. If that's your scenario, I often start the entrypoint as root, run a script called fix-perms to align the container uid with the host volume uid, and then run gosu to switch from root back to the container user.

like image 128
BMitch Avatar answered Sep 23 '22 02:09

BMitch