
I tried to run a docker container that I built on a mounted network volume under Parallels. I am adding this here to document the issue as it is different from: PermissionError: [Errno 13] Permission denied: '/manage.py', in that this is not an issue with /var/run/docker.sock at all but with a little-known issue with the permissions on network shares and how this intersects with your container image after building.

Steps to reproduce the issue; this is from the Flask demo app, which I was modifying to run under Kubernetes.

Pertinent excerpt from Dockerfile:

WORKDIR /flaskr
COPY ./flaskr .

Build the image normally, then run the image with:

docker run -p 5001:5000 flaskr-k8s:0.1.0

The result:

  PermissionError

  [Errno 13] Permission denied: '/flaskr/app.py'

  at /usr/local/lib/python3.9/os.py:597 in _execvpe
       593│         argrest = (args,)
       594│         env = environ
       595│ 
       596│     if path.dirname(file):
    →  597│         exec_func(file, *argrest)
       598│         return
       599│     saved_exc = None
       600│     path_list = get_exec_path(env)
       601│     if name != 'nt':
JimC


The issue lies with the COPY step in the Docker manifest and how Parallels manages permissions on network shares. Even if volumes are shared with 'ignore ownership', Parallels will make the files appear to be owned by the currently logged in user (see: http://download.parallels.com/doc/pcs/html/Parallels_Cloud_Server_Users_Guide/35697.htm). If you build with 'sudo', or run as a different user either when the container is launched or during the build process, then the ownership will not be correct and you will get PermissionError as above. See: Understanding user file ownership in docker: how to avoid changing permissions of linked volumes for more information on how Docker manages permissions on volumes.

The solution I used was to change ownership of the files after copying them to the Docker image -- in this case to user 1000 as it is the user that will be running the containers by default on my Kubernetes nodes:

# Dockerfile extract
...
COPY ./app /app/updatr

# do stuff

# fix permissions
RUN chown -R 1000:1000 /app

# lastly
USER 1000

There are other solutions, please see: https://blog.gougousis.net/file-permissions-the-painful-side-of-docker/, https://vsupalov.com/docker-shared-permissions/ and Switching users inside Docker image to a non-root user for excellent discussions.

JimC
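As an added example (this is not JimC's code and not part of the Flask demo), the script below shows the same fix done at COPY time with `COPY --chown`, which is a real Dockerfile flag and avoids the extra `RUN chown -R` layer, plus a pre-build check that flags files under the source tree whose mode bits deny read access to other users, which is what surfaces as Errno 13 once the container switches to uid 1000. The image name, base image, paths and the uid 1000 are assumptions carried over from the question and answer.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumed: source tree ./flaskr, image runs as uid 1000, base image python:3.9-slim.

# Emit a Dockerfile that fixes ownership at copy time. COPY --chown is a real
# Dockerfile option; it replaces the separate "RUN chown -R 1000:1000" layer
# used in the answer, so the host-side ownership shown by the Parallels share
# never lands in the image.
write_dockerfile() {
  cat > "$1" <<'EOF'
FROM python:3.9-slim
WORKDIR /flaskr
# ownership assigned during COPY, no chown layer needed
COPY --chown=1000:1000 ./flaskr .
# drop privileges before the app starts
USER 1000
CMD ["python", "app.py"]
EOF
}

# Pre-build check: list regular files under $1 that lack the other-read bit
# (mode ...-----r-- missing). Such files are unreadable by uid 1000 in the
# container unless chown/chmod fixes them. Prints offenders, returns 1 if any.
find_unreadable() {
  dir="$1"
  bad=$(find "$dir" -type f ! -perm -004 2>/dev/null)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Usage: sh check_share.sh ./flaskr   (run before "docker build")
if [ $# -eq 1 ]; then
  if find_unreadable "$1"; then
    echo "ok: all files under $1 are world-readable"
  else
    echo "warning: files above will be unreadable as uid 1000; use COPY --chown or RUN chown" >&2
    exit 1
  fi
fi
```

Run the check against the share-mounted source tree before building; if it lists files, the `COPY --chown=1000:1000` form (or the answer's `RUN chown -R`) is what makes them readable once `USER 1000` takes effect.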