16

I'm using Docker to run an Apache instance. My docker file goes something like this:

FROM ubuntu

MAINTAINER your.face@gmail.com

RUN cat /etc/passwd
RUN cat /etc/group

RUN apt-get update && apt-get install -yq apache2 php5 libapache2-mod-php5 php5-mysql
RUN apt-get install -yq openssh-server
RUN mkdir /var/run/sshd

ENV APACHE_RUN_USER www-data
ENV APACHE_RUN_GROUP www-data
ENV APACHE_LOG_DIR /var/log/apache2

EXPOSE 80

ADD config/apache2/000-default.conf /etc/apache2/sites-available/000-default.conf
ADD config/php5/php.ini /etc/php5/apache2/php.ini
ADD config/start.sh /tmp/start.sh
ADD src /var/www

RUN chown -R root:www-data /var/www
RUN chmod u+rwx,g+rx,o+rx /var/www
RUN find /var/www -type d -exec chmod u+rwx,g+rx,o+rx {} +
RUN find /var/www -type f -exec chmod u+rw,g+rw,o+r {} +

#essentially: CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
CMD ["/tmp/start.sh"]

However, when I build the container and run it, I only ever get 403 errors.

Notice that I've specified that Apache should run as www-data in www-data group, and that /var/www has been recursively chown'd to belong to root:www-data.

Also, all directories are searchable and readable, and all files are readable and writeable by the www-data group (well, according to ls -la and namei -m they are anyways).

How do I fix these permissions issues? I can't figure it out.

Actual error from the Apache error.log:

[Fri May 23 18:33:27.663087 2014] [core:error] [pid 14] (13)Permission denied: [client 11.11.11.11:61689] AH00035: access to /index.php denied (filesystem path '/var/www/index.php') because search permissions are missing on a component of the path

EDIT:

output of ls -laR /var/www at the end of the Dockerfile:

Step 21 : RUN ls -laR /var/www
 ---> Running in 74fd3609dfc8
/var/www:
total 1036
drwxr-xr-x 67 root www-data  4096 May 23 18:38 .
drwxr-xr-x 26 root root      4096 May 23 18:38 ..
-rw-rw-r--  1 root www-data    28 May 23 12:22 .gitignore
-rw-rw-r--  1 root www-data   501 May 23 12:22 .htaccess
-rw-rw-r--  1 root www-data  7566 May 23 12:22 index.php

Output of namei -m /var/www/index.php at the end of the Dockerfile:

Step 22 : RUN namei -m /var/www/index.php
 ---> Running in 1203f0353090
f: /var/www/index.php
 drwxr-xr-x /
 drwxr-xr-x var
 drwxr-xr-x www
 -rw-rw-r-- index.php

EDIT2

After trying a whole bunch of things, including chmod -R 777 just to see if I could get anything to work, I tried putting the source files added from the Dockerfile into /var/www/html, the default location for Apache files to be served.

I matched the default file permissions exactly (I think), and it still isn't working. The default index.html that comes with Apache loads just fine, but the added src folder still has a 403 access denied error.

I changed the Dockerfile to ADD src /var/www/html/src and the permissions were set using:

RUN find /var/www/html -type d -exec chmod u+rwx,g+rx,o+rx {} +
RUN find /var/www/html -type f -exec chmod u+rw,g+r,o+r {} +

No luck. Below is some of the output of ls -laR on /var/www. Notice that the permissions for the html folder and index.html that come with an apache2 install match those of the added src folder:

Step 19 : RUN ls -laR /var/www/
 ---> Running in 0520950d0426
/var/www/:
total 12
drwxr-xr-x  6 root root 4096 May 23 19:23 .
drwxr-xr-x 24 root root 4096 May 23 19:23 ..
drwxr-xr-x  5 root root 4096 May 23 19:23 html

/var/www/html:
total 24
drwxr-xr-x  5 root root  4096 May 23 19:23 .
drwxr-xr-x  6 root root  4096 May 23 19:23 ..
-rw-r--r--  1 root root 11510 May 23 18:28 index.html
drwxr-xr-x 47 root root  4096 May 23 19:23 src

/var/www/html/src:
total 1032
drwxr-xr-x 47 root root  4096 May 23 19:23 .
drwxr-xr-x  5 root root  4096 May 23 19:23 ..
-rw-r--r--  1 root root    28 May 23 12:22 .gitignore
-rw-r--r--  1 root root   501 May 23 12:22 .htaccess
-rw-r--r--  1 root root  7566 May 23 12:22 index.php

Perhaps chmod doesn't work quite the way I thought it does??

EDIT3

A final bit of information. The Docker container is being built by buildbot, which I've been assuming runs as root. I haven't been able to reproduce this scenario without using buildbot to do the building.

Building everything via sudo docker build -t apache . type commands on my laptop works fine, but the problems arise when buildbot does it. No idea why :^/

halfer
d0c_s4vage
  • 7
    I DO NOT consider this an answer, but adding the source to /tmp via the ADD command, then having a RUN command that copies everything one file at a time over to /var/www/html worked. SO WEIRD ** 10000000!!!!!!1 – d0c_s4vage May 23 '14 at 19:59
  • I just ran into this after posting a similar question at http://stackoverflow.com/questions/24308760/running-app-inside-docker-as-non-root-user My guess is you can't chmod/ chown files that were added via the `ADD` command. – thom_nic Jun 19 '14 at 14:14
  • please state docker version and host platform to identify. – Larry Cai Jun 20 '14 at 05:26
  • @MarkusOrreilly If you put that comment as an answer I'll vote you up! It solved my problem after hours of me pulling hair. Thanks! – Lukman Feb 24 '16 at 10:40
  • Same Problem here – Psi Nov 03 '16 at 11:28
  • forgot to add my solution (ADD and then RUN to copy the files) as an answer, but someone else added it. See the accepted answer below. (@Lukman) – d0c_s4vage Jun 30 '17 at 14:13

2 Answers

11

I just ran into this after posting a similar question at Running app inside Docker as non-root user.

My guess is you can't chmod/ chown files that were added via the ADD command. – thom_nic Jun 19 at 14:14

Actually you can. You just need to issue a RUN command after the ADD for the file location that will be INSIDE your container. For example

ADD extras/dockerstart.sh /usr/local/servicemix/bin/
RUN chmod 755 /usr/local/servicemix/bin/dockerstart.sh

Hope that helps. It worked for me.

Community
user3590150
  • yup! this is what I found as well. It's been a while since I asked this question, so I'm just going to accept this answer since it's the best anybody's come up with so far. I still think there should be a better way to do this. – d0c_s4vage Jun 30 '17 at 14:12
  • But then you will push it to git and before PROD deployment you must change permissions! – Jaroslav Štreit Jan 07 '19 at 20:18
8

I encountered a similar issue; however my container was using VOLUME to map directories across the container.

Changing the permissions on the directory that maps to /var/www/html itself remedied the 403 Forbidden errors.

docker-host$ ls -ld /var/www/html
drwxr--r--  53 me  staff  1802 Mar  8 22:33 .

docker-host$ chmod a+x /var/www/html

docker-host$ ls -ld /var/www/html
drwxr-xr-x  53 me  staff  1802 Mar  8 22:33 .

Note that chmod must be applied on the Docker host, not within the container. Executing it within the container effects no change to the directory.

docker-container$ chmod a+x /var/www/html

docker-container$ ls -ld /var/www/html
drwxr--r--  53 me  staff  1802 Mar  8 22:33 .
Matt Strom
  • Dear Internet, > Note that `chmod` must be applied on the Docker host, not within the container. Executing it within the container effects no change to the directory. A big thumbs up to matt – Temitayo Apr 24 '20 at 05:10
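
An added example, not taken from any post in this thread: a POSIX shell check that works out, for a given uid/gid such as www-data, which component of a path is missing the search (x) bit that AH00035 reports, instead of reaching for chmod -R 777. The function names are made up here; it assumes `stat -c` (GNU coreutils or BusyBox) and does not model supplementary groups, ACLs or root's permission bypass.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.
# Assumes `stat -c` (GNU coreutils or BusyBox). Not modelled: supplementary
# groups, POSIX ACLs, root's permission bypass. Run it as a user that can
# itself stat every component (e.g. root in a Dockerfile RUN step).

# class_bits FILE UID GID
# Print the rwx digit (0-7) that applies to UID/GID on FILE: the owner digit
# if UID owns it, else the group digit if GID matches, else the "other" digit.
class_bits() {
    set -- "$2" "$3" $(stat -L -c '%a %u %g' "$1")   # uid gid mode owner group
    if   [ "$1" = "$4" ]; then echo $(( $3 / 100 % 10 ))
    elif [ "$2" = "$5" ]; then echo $(( $3 / 10 % 10 ))
    else                       echo $(( $3 % 10 ))
    fi
}

# first_blocked UID GID PATH [BASE]
# Walk PATH from BASE (default /) downwards. Directories need x (search),
# a final non-directory needs r. Prints the first component that blocks
# UID/GID and returns 1; returns 0 if all pass, 2 if a component is missing.
first_blocked() {
    uid=$1 gid=$2 path=$3 cur=${4:-/}
    rest=${path#"${cur%/}"}              # components still to visit
    while :; do
        [ -e "$cur" ] || { echo "missing: $cur"; return 2; }
        bits=$(class_bits "$cur" "$uid" "$gid")
        if [ -d "$cur" ]; then need=1; else need=4; fi
        [ $(( bits & need )) -ne 0 ] || { echo "$cur"; return 1; }
        rest=${rest#/}
        [ -n "$rest" ] || return 0
        cur=${cur%/}/${rest%%/*}         # descend one component
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
}

# Typical use for the case in the question:
#   first_blocked "$(id -u www-data)" "$(id -g www-data)" /var/www/index.php
```

For a directory with mode drwxr--r--, as in the second answer, any uid other than the owner gets that directory printed until the x bit is added.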