8

I'm trying to create a multi-stage build in docker which simply run a non root crontab which write to volume accessible from outside the container. I have two problem with permissions, with volume external access and with cron:

  1. the first build in dockerfile create a non-root user image with entry-point and su-exec useful to fix permission with volume!

  2. the second build in the same dockerfile used the first image to run a crond process which normally write to /backup folder.

The docker-compose.yml file to build the dockerfile: 

version: '3.4'
services:
  scrap_service:
        build: .
        container_name: "flight_scrap"
        volumes:
          - /home/rey/Volumes/mongo/backup:/backup

In the first step of DockerFile (1), I try to adapt the answer given by denis bertovic to Alpine image

############################################################
# STAGE 1
############################################################

# Create first stage image
FROM gliderlabs/alpine:edge as baseStage

RUN echo http://nl.alpinelinux.org/alpine/edge/testing >> /etc/apk/repositories
RUN apk add --update && apk add -f gnupg ca-certificates curl dpkg su-exec shadow

COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh

# ADD NON ROOT USER, i hard fix value to 1000, my current id 
RUN addgroup scrapy \
    && adduser -h /home/scrapy -u 1000 -S -G scrapy scrapy

ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

My docker-entrypoint.sh to fix permission is: 

#!/usr/bin/env bash
chown -R scrapy .
exec su-exec scrapy "$@"

The second stage (2) run the cron service to write into /backup folder mounted as volume

############################################################
# STAGE 2
############################################################

FROM baseStage
MAINTAINER rey 

ENV TZ=UTC
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

RUN apk add busybox-suid
RUN apk add -f tini bash build-base curl

# CREATE FUTURE VOLUME FOLDER WRITEABLE BY SCRAPY USER
RUN mkdir /backup && chown scrapy:scrapy /backup

# INIT NON ROOT USER CRON CRONTAB

COPY crontab /var/spool/cron/crontabs/scrapy
RUN chmod 0600 /var/spool/cron/crontabs/scrapy
RUN chown scrapy:scrapy /var/spool/cron/crontabs/scrapy

RUN touch /var/log/cron.log
RUN chown scrapy:scrapy /var/log/cron.log

# Switch to user SCRAPY already created in stage 1
WORKDIR /home/scrapy
USER scrapy

# SET TIMEZONE https://serverfault.com/questions/683605/docker-container-time-timezone-will-not-reflect-changes

VOLUME /backup

ENTRYPOINT ["/sbin/tini"]
CMD ["crond", "-f", "-l", "8", "-L", "/var/log/cron.log"]

The crontab file which normally create a test file into /backup volume folder: 

* * * * * touch /backup/testCRON

DEBUG phase :

  • Login into my image with bash, it seems image correctly run the scrapy user :

    uid=1000(scrapy) gid=1000(scrapy) groups=1000(scrapy)

  • The crontab -e command also gives the correct information

  • But first error, cron don't run correctly, when i cat /var/log/cron.log i have a permission denied error 

    crond: crond (busybox 1.27.2) started, log level 8
crond: root: Permission denied
crond: root: Permission denied

  • I have also a second error when I try to write directly into the /backup folder using the command touch /backup/testFile. The /backup volume folder continue to be only accessible using root permission, don't know why.

Benjamin W.
  • 46,058
  • 19
  • 106
  • 116
reyman64
  • 523
  • 4
  • 34
  • 73

1 Answers1

5

crond or cron should be used as root, as described in this answer.

Check out instead aptible/supercronic, a crontab-compatible job runner, designed specifically to run in containers. It will accomodate any user you have created.

VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250