65

I am creating a folder inside my Dockerfile and I want to give it a write permission. But I am getting permission denied error when I try to do it

FROM python:2.7
RUN pip install Flask==0.11.1 
RUN useradd -ms /bin/bash admin
USER admin
COPY app /app
WORKDIR /app
RUN chmod 777 /app
CMD ["python", "app.py"]

My error is 

PS C:\Users\Shivanand\Documents\Notes\Praneeth's work\Flask> docker build -t 
shivanand3939/test .
Sending build context to Docker daemon  209.9kB
Step 1/8 : FROM python:2.7
---> 8a90a66b719a
Step 2/8 : RUN pip install Flask==0.11.1
---> Using cache
---> 6dc114bd7cf1
Step 3/8 : RUN useradd -ms /bin/bash admin
---> Using cache
---> 1cfdb6eea7dc
Step 4/8 : USER admin
---> Using cache
---> 27c5e8b09f15
Step 5/8 : COPY app /app
---> Using cache
---> 5d628573b24f
Step 6/8 : WORKDIR /app
---> Using cache
---> 351e19a5a007
Step 7/8 : RUN chmod 777 /app
---> Running in aaad3c79e0f4
**chmod: changing permissions of ‘/app’: Operation not permitted
The command '/bin/sh -c chmod 777 /app' returned a non-zero code: 1**

How can I give write permissions to app folder inside my Docker container

Shivanand T
  • 1,093
  • 1
  • 10
  • 18
  • 2
    The problem is that `ADD/COPY` after `USER` doesn't use the new user id as the owner of the files added to the container - even though that is what the informed user would expect. Using `--chown` as so-random-dude suggested, is the fix that shouldn't have been needed if Docker developers knew what they were doing. – Guss Apr 19 '21 at 11:13

4 Answers4

79

I guess you are switching to user "admin" which doesn't have the ownership to change permissions on /app directory. Change the ownership using "root" user. Below Dockerfile worked for me - 

FROM python:2.7
RUN pip install Flask==0.11.1 
RUN useradd -ms /bin/bash admin
COPY app /app
WORKDIR /app
RUN chown -R admin:admin /app
RUN chmod 755 /app
USER admin
CMD ["python", "app.py"]

PS - Try to get rid of "777" permission. I momentarily tried to do it in above Dockerfile.

vivekyad4v
  • 13,321
  • 4
  • 55
  • 63
  • 1
    Docker images use different distros of Linux. Some of the Linux does not have command useradd. In my case, I had to use adduser to make it work. – supritshah1289 Aug 01 '18 at 14:54
  • This solution is w.r.t docker image `python:2.7` which has `useradd` binary. Anyway, I am glad that this answer helped you in some way. – vivekyad4v Aug 01 '18 at 14:59
  • 2
    I don't think this will work for unprivileged images. In fact it returns `Operation not permitted` – Matteo Jun 26 '21 at 05:05
  • `docker container create -v /home/python:/app ` no permission /app, – HelloWorld Oct 22 '21 at 06:08
  • Also note: `chown` and `chmod` might have an impact on the overall image size: [link](https://stackoverflow.com/q/30085621) – minus one Nov 28 '22 at 21:00
26

As the Other user already pointed out, move USER admin to a later step

FROM python:2.7
RUN pip install Flask==0.11.1 
RUN useradd -ms /bin/bash admin
COPY --chown=admin:admin app /app
WORKDIR /app
USER admin
CMD ["python", "app.py"]

For versions release v17.09.0-ce and newer you can use the optional flag --chown=<user>:<group> with either the ADD or COPY commands.

For example

COPY --chown=<user>:<group> <hostPath> <containerPath>

The documentation for the --chown flag is documented on Dockerfile Reference page.

so-random-dude
  • 15,277
  • 10
  • 68
  • 113
1

On line two, after FROM ..., adding one line:

USER root

This will give you the power of root user.

helvete
  • 2,455
  • 13
  • 33
  • 37
Raymond
  • 67
  • 2
0

Running the docker image from a root user is the bad practise! e.g. : Add a custom user and use command to extend permissions

RUN addgroup -g 1001 -S 1000 && adduser -u 1001 -S 1000 -G 1000
Afelaia Timur
  • 51
  • 1
  • 4
  • Could you explain this more? Right now in my container users (jovyan) can only r/w to /home/jovyan. I want the user to also have r/w to a separate folder /analyst. How does the above allow such a thing? Right now in docker-compose I use user:root and GRANT_SUDO: "yes" ... which allows r/w anywhere and so is sub-optimal – MikeB2019x Mar 02 '23 at 15:38