"Operation not permitted" from docker container logged as root

I need your help to understand my problem.

I updated my Macintosh to Catalina last week, then I updated Docker for Mac.

Since those updates, I have ownership issues on shared volumes.

I can reproduce it with a small example. I just create a small docker-compose file which builds an nginx container. I have a folder src with a PHP file in it, like "src/index.php".

I build the container and start it. Then I go to /app/www/mysrc (the shared volume) and type "ls -la" to check if index.php is OK, and I get:

ls: cannot open directory '.': Operation not permitted

Here is the simple docker-compose file, docker-compose.yml:

version: "3"

services:
  test-nginx:
    restart: always
    image: 'nginx:1.17.3'
    ports:
      - "8082:80"
    volumes:
      - ./src:/app/www/mysrc

When I build and start the container, I get:

$ docker-compose exec test-nginx sh
# cd /app/www
# ls -la
total 8
drwxr-xr-x 3 root root 4096 Oct 21 07:58 .
drwxr-xr-x 3 root root 4096 Oct 21 07:58 ..
drwxr-xr-x 3 root root   96 Oct 21 07:51 mysrc
# cd mysrc
# ls -la
ls: cannot open directory '.': Operation not permitted
# whoami
root

So my nginx server is down because nginx can't access the source files.

Thanks for your help.

hugoDuf asked Oct 21 '19 08:10


1 Answer

If it was working prior to the update to Catalina, the issue is due to the new permissions requested by Catalina.

Now, macOS requests permissions for everything, even for accessing a directory. So, probably you had a notification about granting Docker for Mac permission to access the shared folder, you didn't grant it, and now you are facing the outcome of that action.

To grant the privileges now, go to System Preferences > Security & Privacy > Files and Folders, and add Docker for Mac and your shared directory.

Ay0 answered Oct 21 '22 06:10
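As an added example (not code from the question, the answer, or Docker itself), a POSIX shell preflight script that extracts the bind-mount sources from a compose file like the one above and probes each one from inside a throwaway container, so a macOS "Operation not permitted" denial is reported as such before nginx starts. The alpine:3 probe image, the /probe mount path and the function names are my own choices.

```shell
# Added example, not from the original post or from Docker: a preflight check for the bind
# mounts of a compose file, so the "Operation not permitted" in the question is caught
# before nginx starts. Assumes the short "./host:/container" volume syntax of the question.

# Print the host-side source of every short-form bind mount (entries starting with
# /, ./, ../ or ~/; quotes dropped; host part before the first colon). Paths must not
# contain whitespace, because preflight iterates them with a plain for loop.
compose_bind_sources() {
  sed -n 's/^[[:space:]]*-[[:space:]]*//p' "$1" | tr -d "\"'" |
    grep -E '^(\.\.?|~)?/' | cut -d: -f1
}

# Classify the stderr text of "ls <dir>":
#   eperm  - "Operation not permitted": a mandatory-access-control denial; on macOS Catalina
#            and later this is what Docker for Mac gets without the Files and Folders grant,
#            and being root inside the container does not help.
#   eacces - "Permission denied": ordinary UNIX ownership/mode problem (chown, chmod, or UID).
#   ok     - directory readable.
classify_ls_error() {
  case "$1" in
    "")                          echo ok ;;
    *"Operation not permitted"*) echo eperm ;;
    *"Permission denied"*)       echo eacces ;;
    *)                           echo unknown ;;
  esac
}

# Probe a host directory from inside a throwaway container (needs docker on PATH). The host
# shell may read it fine while Docker's helper process cannot, so this probe is the one
# that reproduces the question's failure.
probe_mount_in_container() {
  err=$(docker run --rm -v "$(cd "$1" && pwd):/probe:ro" alpine:3 ls /probe 2>&1 >/dev/null)
  classify_ls_error "$err"
}

# Check every bind mount of a compose file; returns non-zero if any is unreadable.
preflight() {
  rc=0
  for src in $(compose_bind_sources "${1:-docker-compose.yml}"); do
    status=$(classify_ls_error "$(ls "$src" 2>&1 >/dev/null)")
    if [ "$status" = ok ] && command -v docker >/dev/null 2>&1; then
      status=$(probe_mount_in_container "$src")
    fi
    echo "$src: $status"
    [ "$status" = ok ] || rc=1
  done
  return $rc
}

if [ -n "$1" ] && [ -f "$1" ]; then preflight "$1"; fi   # usage: sh preflight.sh docker-compose.yml
```

A result of eperm for a mount on Catalina points at the Files and Folders grant described in the answer rather than at file ownership, which chown inside the container cannot fix.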