Alpine Docker ERROR: Unable to lock database: Permission denied ERROR: Failed to open apk database: Permission denied

Question

So I have used the default docker for testcafe which on docker hub is testcafe/testcafe and I have to run a few testcafe scripts.

However, I need the screenshot that fires on error, to be uploaded to somewhere where I can look at it later after the docker image is done running.

I am using the Imgur program which uses bash so I re-did a few things to make it sh compatible and everything works except I need curl. I tried running

apk add curl

but I'm getting the error

ERROR: Unable to lock database: Permission denied ERROR: Failed to open apk database:

Now I no this means that I do not have permission to do this but can I get around this is there some way to become root (this is in bitbucket pipeline).

I do NOT really want to create my own docker.

Also note all questions I have found relating to this are about installing while creating the docker, however, my question is how to do this after the docker is created. thx (a fine answer would be another way to save the screen shot, but preferably not with ssh).

You can add the -u="root" command when running a container: docker run -it -u="root" testcafe/testcafe Is this what you are after? — Marion, Jun 07 '18 at 12:05
thanks @Marion but am asking about after i'm in the docker not starting the docker — Vladimir_314159, Jun 07 '18 at 12:41
@Vladimir_314159 You should really give a try to @Marion's suggestion because specifying a user on the docker command line will run the default or provided command as that user in the container (hence if you start a shell, you'll end with a shell as root, which is what you probably need to be able to `apk add`). I faced exactly the same problem as you describe and it was the solution. — Guillaume G., Jun 08 '18 at 17:52
@Vladimir_314159 In Bitbucket Pipelines you can use the "run-as" tag. https://confluence.atlassian.com/bitbucket/use-docker-images-as-build-environments-792298897.html#UseDockerimagesasbuildenvironments-pipelines_default_userOverridethedefaultuser You'd want to run as '0'. — phod, Aug 10 '18 at 13:44
For me this issue was resolved by removing the container and image, using `docker rmi `. This first untagged it, after which I removed it and rebuilt it. After pulling it worked again and assigned users properly. — HelloBlob, Feb 08 '20 at 18:59
If the container is already running, you can specify the user for docker exec as well: `docker exec -it -u=root bash` and then do `apk add curl` — Matthew, Nov 03 '20 at 21:05

score 111 · Answer 1 · answered Jun 15 '19 at 19:43

111

For those seeing this error using a Dockerfile (and coming here via a Google search): add the following line to your Dockerfile:

USER root

answered Jun 15 '19 at 19:43

Penghe Geng

13,286
5
31
40

10

If I do not want to use `root`. What should I add in this command `RUN addgroup -S something && adduser -S -G something something` to make it run `apk add`? – kamal Sep 18 '19 at 11:46
Insecure, but it works. It was a permissions issue for the agent running the Dockerfile. For Reference -- I ran into this setting up a Dockerfile build for a Digital Ocean Jenkins CI server (I needed to APK ADD NodeJS and NVM, etc.). – RoboBear Nov 21 '19 at 00:55
@kamal the way i fixed it is that I simply used the `RUN addgroup -S something && adduser -S -G something something` after the apk add comment. Probalby not fitting for every scenario though. – LOLWTFasdasd asdad Mar 16 '20 at 16:58
This indeed fixed the issue, just make sure to run 'USER nobody' at the end of your Dockerfile. – Felipe Plazas Oct 02 '20 at 14:41
are their any consequences while using this container? or we need to modify entrypoiny/cmd in order to login as `root` always? – kAmol Jun 02 '21 at 04:50
1

Hint: Please check the Dockerfile for `USER` statements and use that `USER` statement after the command in place. In my case, the "upstream" image had `USER node` in it. I then used `USER root`, then my commands, then `USER node` to be closer to the original image again. – koppor Jun 06 '22 at 12:40

score 76 · Answer 2 · edited Nov 13 '20 at 12:31

76

Hopefully this will help anyone who is not interested in creating a new container.

If you are trying to enter into your docker container like so:

docker exec -it <containername> /bin/sh

Instead, try this:

docker exec -it --user=root <containername> /bin/sh

edited Nov 13 '20 at 12:31

Jaume Jiménez

33
6

answered Nov 05 '20 at 11:23

flyer2403

961
7
7

A lifesaver right here. I just needed to debug something in a docker container running on the server. I didn't want to have to rebuild my docker image. – DJ House Nov 30 '22 at 19:50

score 12 · Answer 3 · edited Feb 10 '21 at 17:29

The best fix is to place USER <youruser> AFTER the lines where your docker build is failing. In most cases it is safe to add the USER line directly above the command or entrypoint.

For example:

FROM python:3.8.0-alpine

RUN addgroup -S app && adduser -S -G app app

RUN apk add --no-cache libmaxminddb postgresql-dev gcc musl-dev

ADD . .

USER app

ENTRYPOINT ["scripts/entrypoint.sh"]

CMD ["scripts/gunicorn.sh"]

score 10 · Answer 4 · edited Jan 13 '21 at 16:41

10

docker exec -it --user=root {containername} bash

with this I can able to execute apk-update

edited Jan 13 '21 at 16:41

Chandan

11,465
1
6
25

answered Jan 13 '21 at 09:19

Phani Chakradhar

281
3
7

petschenek · Answer 5 · 2022-06-30T09:04:58.423

For a Docker container it is easy:

docker exec -it --user root container-name sh

For Kubernetes pods, it is a bit more complicated. If your image is built with a non-root user and also you cannot run pods with a root user inside your cluster, you need to install the packages with this method:

Identify the user which the pod is using

Create a new Dockerfile

Configure it as such

FROM pod-image-name:pod-image-tag

USER root

RUN apk update && apk add curl

USER the-original-pod-user

Then build it

docker build -t pod-image-name:pod-image-tag-with-curl .

And change the image of your deployment/pod inside the cluster from pod-image-name:pod-image-tag to pod-image-name:pod-image-tag-with-curl

score 8 · Answer 6 · answered Feb 20 '20 at 18:56

8

For those seeing this error when running through a Jenkins pipeline script (and coming hre via a Google search), use the following when starting your Docker image:

node('docker') {
  docker.image('golang:1.14rc1-alpine3.11').inside(' -u 0') {
    sh 'apk add curl'
    ...
  }
}

answered Feb 20 '20 at 18:56

Neil P.

1,026
2
15
32

1

When using a declarative pipeline add `args '-u 0'` inside `docker { }` before defining the image – Thomas Göhringer May 14 '20 at 08:22
1

It is working!! Thanks. Can you explain what exactly this args is doing? – Karthikeyan Mar 04 '21 at 06:02

score 0 · Answer 7 · answered Nov 22 '21 at 15:52

0

I have resolved the same problem executing the "docker build -t" command with root user:

#docker build -t $DOCKER_IMAGE

answered Nov 22 '21 at 15:52

JaGaln

21
4

score 0 · Answer 8 · answered Jul 04 '23 at 01:58

0

apk update https Permission denied but working request when using http:

RUN sed -i 's/https/http/g' /etc/apk/repositories
RUN apk update

answered Jul 04 '23 at 01:58

Dương Quang Mạnh

179
1
5

Alpine Docker ERROR: Unable to lock database: Permission denied ERROR: Failed to open apk database: Permission denied

8 Answers8

Linked

Related