
Permission issues with Apache inside Docker

I'm using Docker to run an Apache instance. My docker file goes something like this:

FROM ubuntu

MAINTAINER [email protected]

RUN cat /etc/passwd
RUN cat /etc/group

RUN apt-get update && apt-get install -yq apache2 php5 libapache2-mod-php5 php5-mysql
RUN apt-get install -yq openssh-server
RUN mkdir /var/run/sshd

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2

EXPOSE 80

ADD config/apache2/000-default.conf /etc/apache2/sites-available/000-default.conf
ADD config/php5/php.ini /etc/php5/apache2/php.ini
ADD config/start.sh /tmp/start.sh
ADD src /var/www

RUN chown -R root:www-data /var/www
RUN chmod u+rwx,g+rx,o+rx /var/www
RUN find /var/www -type d -exec chmod u+rwx,g+rx,o+rx {} +
RUN find /var/www -type f -exec chmod u+rw,g+rw,o+r {} +

#essentially: CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
CMD ["/tmp/start.sh"]

However, when I build the container and run it, I only ever get 403 errors.

Notice that I've specified that Apache should run as www-data in the www-data group, and that /var/www has been recursively chown'd to belong to root:www-data.

Also, all directories are searchable and readable, and all files are readable and writeable by the www-data group (well, according to ls -la and namei -m they are anyways).

How do I fix these permissions issues? I can't figure it out.

Actual error from the Apache error.log:

[Fri May 23 18:33:27.663087 2014] [core:error] [pid 14] (13)Permission denied: [client 11.11.11.11:61689] AH00035: access to /index.php denied (filesystem path '/var/www/index.php') because search permissions are missing on a component of the path

EDIT:

output of ls -laR /var/www at the end of the Dockerfile:

Step 21 : RUN ls -laR /var/www
 ---> Running in 74fd3609dfc8
/var/www:
total 1036
drwxr-xr-x 67 root www-data  4096 May 23 18:38 .
drwxr-xr-x 26 root root      4096 May 23 18:38 ..
-rw-rw-r--  1 root www-data    28 May 23 12:22 .gitignore
-rw-rw-r--  1 root www-data   501 May 23 12:22 .htaccess
-rw-rw-r--  1 root www-data  7566 May 23 12:22 index.php

Output of namei -m /var/www/index.php at the end of the Dockerfile:

Step 22 : RUN namei -m /var/www/index.php
 ---> Running in 1203f0353090
f: /var/www/index.php
 drwxr-xr-x /
 drwxr-xr-x var
 drwxr-xr-x www
 -rw-rw-r-- index.php

EDIT2

After trying a whole bunch of things, including chmod -R 777 just to see if I could get anything to work, I tried putting the source files added from the Dockerfile into /var/www/html, the default location for Apache files to be served.

I matched the default file permissions exactly (I think), and it still isn't working. The default index.html that comes with Apache loads just fine, but the added src folder still has a 403 access denied error.

I changed the Dockerfile to ADD src /var/www/html/src and the permissions were set using:

RUN find /var/www/html -type d -exec chmod u+rwx,g+rx,o+rx {} +
RUN find /var/www/html -type f -exec chmod u+rw,g+r,o+r {} +

No luck. Below is some of the output of ls -laR on /var/www. Notice that the permissions for the html folder and index.html that come with an apache2 install match those of the added src folder:

Step 19 : RUN ls -laR /var/www/
 ---> Running in 0520950d0426
/var/www/:
total 12
drwxr-xr-x  6 root root 4096 May 23 19:23 .
drwxr-xr-x 24 root root 4096 May 23 19:23 ..
drwxr-xr-x  5 root root 4096 May 23 19:23 html

/var/www/html:
total 24
drwxr-xr-x  5 root root  4096 May 23 19:23 .
drwxr-xr-x  6 root root  4096 May 23 19:23 ..
-rw-r--r--  1 root root 11510 May 23 18:28 index.html
drwxr-xr-x 47 root root  4096 May 23 19:23 src

/var/www/html/src:
total 1032
drwxr-xr-x 47 root root  4096 May 23 19:23 .
drwxr-xr-x  5 root root  4096 May 23 19:23 ..
-rw-r--r--  1 root root    28 May 23 12:22 .gitignore
-rw-r--r--  1 root root   501 May 23 12:22 .htaccess
-rw-r--r--  1 root root  7566 May 23 12:22 index.php

Perhaps chmod doesn't work quite the way I thought it does??

EDIT3

A final bit of information. The Docker container is being built by buildbot, which I've been assuming runs as root. I haven't been able to reproduce this scenario without using buildbot to do the building.

Building everything via sudo docker build -t apache . type commands on my laptop works fine, but the problems arise when buildbot does it. No idea why :^/

d0c_s4vage asked May 23 '14 18:05


2 Answers

I just ran into this after posting a similar question at Running app inside Docker as non-root user.

My guess is you can't chmod/chown files that were added via the ADD command. – thom_nic Jun 19 at 14:14

Actually you can. You just need to issue a RUN command after the ADD for the file location that will be INSIDE your container. For example:

ADD extras/dockerstart.sh /usr/local/servicemix/bin/
RUN chmod 755 /usr/local/servicemix/bin/dockerstart.sh

Hope that helps. It worked for me.

user3590150 answered Oct 04 '22 12:10


I encountered a similar issue; however my container was using VOLUME to map directories across the container.

Changing the permissions on the directory that maps to /var/www/html itself remedied the 403 Forbidden errors.

docker-host$ ls -ld /var/www/html
drwxr--r--  53 me  staff  1802 Mar  8 22:33 .

docker-host$ chmod a+x /var/www/html

docker-host$ ls -ld /var/www/html
drwxr-xr-x  53 me  staff  1802 Mar  8 22:33 .

Note that chmod must be applied on the Docker host, not within the container. Executing it within the container effects no change to the directory.

docker-container$ chmod a+x /var/www/html

docker-container$ ls -ld /var/www/html
drwxr--r--  53 me  staff  1802 Mar  8 22:33 .

Matt Strom answered Oct 04 '22 12:10
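
The AH00035 error in the question and the `drwxr--r--` directory in the answer above are the same failure: some component of the path lacks the search (x) bit for the user Apache runs as. The following is an added example, not code from the question or either answer; it walks a path the way `namei -m` does, but evaluates each component for a specific uid and group set and reports the first one that blocks access. The function names and the `root` parameter are assumptions made for this sketch, and `path` is assumed to lie under `root`.

```python
import os
import pwd
import stat


def ids_for(username):
    """Resolve a user name to (uid, set of gids), e.g. ids_for("www-data")."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, set(os.getgrouplist(username, pw.pw_gid))


def _class_bits(st, uid, gids):
    """Return (readable, searchable) for the one permission class that applies.

    Only one class is consulted: owner bits if uid owns the entry, else group
    bits if any gid matches, else the "other" bits.
    """
    if st.st_uid == uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & r), bool(st.st_mode & x)


def first_blocked(path, uid, gids, root="/"):
    """Return (component, "search" | "read") for the first component between
    root and path that uid/gids cannot pass, or None if the file is reachable.
    Mode bits only: ACLs, SELinux/AppArmor and capabilities are not evaluated.
    """
    if uid == 0:
        return None  # root with default capabilities bypasses these checks
    path, root = os.path.abspath(path), os.path.abspath(root)
    rel = os.path.relpath(path, root)
    chain = [root]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for comp in chain:
        st = os.stat(comp)
        readable, searchable = _class_bits(st, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not searchable:
            return comp, "search"  # directory lacks x for this user
        if comp == path and not readable:
            return comp, "read"    # final component lacks r for this user
    return None
```

Inside the container, `first_blocked("/var/www/index.php", *ids_for("www-data"))` evaluates the path from the question's error log; for a bind-mounted volume, run it on the Docker host against the host directory as well, since that is where the mode bits live.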