Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker container crashes inside Kubernetes - Permission denied #238

Closed
adrianchifor opened this issue Jul 3, 2017 · 13 comments
Closed

Docker container crashes inside Kubernetes - Permission denied #238

adrianchifor opened this issue Jul 3, 2017 · 13 comments
Labels
Docker issue: bug outdated

Comments

@adrianchifor
Copy link 

fs.js:641
  return binding.open(pathModule._makeLong(path), stringToFlags(flags), mode);
                 ^

Error: EACCES: permission denied, open '/verdaccio/storage/.sinopia-db.json'
    at Error (native)
    at Object.fs.openSync (fs.js:641:18)
    at Object.fs.writeFileSync (fs.js:1347:33)
    at LocalData.sync (/usr/local/app/lib/storage/local/local-data.js:67:8)
    at new Storage (/usr/local/app/lib/storage.js:31:33)
    at module.exports (/usr/local/app/lib/index.js:17:19)
    at afterConfigLoad (/usr/local/app/lib/cli.js:115:15)
    at Object.<anonymous> (/usr/local/app/lib/cli.js:66:1)
    at Module._compile (module.js:570:32)
    at Object.Module._extensions..js (module.js:579:10)

Started happening since we upgraded to 2.2.2. Looks like .sinopia-db.json is created by root and is then accessed by verdaccio user (introduced in 2.2.2).
@adrianchifor
Copy link
Author

If it helps, we run verdaccio inside Kubernetes and the /verdaccio/storage path is mounted on an AWS EBS volume.

@juanpicado
Copy link
Member

Do you think this should be enough to fix it?

RUN  chown -R verdaccio:verdaccio /verdaccio/storage && \
     chown -R verdaccio:verdaccio /verdaccio/conf/

@adrianchifor
Copy link
Author

Looks like this is already in the Dockerfile

RUN addgroup -S verdaccio && adduser -S -g verdaccio verdaccio && \
    chown -R verdaccio:verdaccio "$APPDIR" && \
    chown -R verdaccio:verdaccio /verdaccio

I think the problem might be that we specify the volume after that command and after assuming the verdaccio user.

VOLUME ["/verdaccio"]

@markpeterfejes
Copy link
Contributor

markpeterfejes commented Jul 4, 2017
edited
Loading

That's not the problem unfortunatelly. It won't help. Until the problem will be found, the following unsecure workaround can be used, add this to your deployment right before the verdaccio container spec:

{
    "initContainers": [
        {
            "name": "verdaccio-init",
            "image": "busybox",
            "imagePullPolicy": "IfNotPresent",
            "command": [
                "sh",
                "-c",
                "chmod 777 -R  /verdaccio/storage"
            ],
            "volumeMounts": [
                {
                    "name": "verdaccio-storage",
                    "mountPath": "/verdaccio/storage"
                }
            ]
        }
    ]
}

@juanpicado
Copy link
Member

Can that can be tested in a local environment?

@markpeterfejes
Copy link
Contributor

I think you could use minikube to test it locally. Kubernetes mounts the volume just before the dockerfile's CMD command as root. Thats why we cannot write to the storage folder.

@juanpicado
Copy link
Member

Cool, thanks for that 👍

@markpeterfejes
Copy link
Contributor

markpeterfejes commented Jul 5, 2017
edited
Loading

This is not a kubernetes specific problem unfortunately. If you run the following command the image is going to fail with EPERM, because docker is mounting the volumes as the host user or root.
docker run -it -v ~/test:/verdaccio/storage verdaccio/verdaccio:latest

The issue is tracked here.

@markpeterfejes markpeterfejes mentioned this issue Jul 5, 2017
Merged
@markpeterfejes
Copy link
Contributor

@adrianchifor So to recap this, the fix for this problem is to set this on the PodSpec:

"securityContext": {
    "fsGroup": 101
}

Where 101 is the verdaccio group id. Kubernetes is going to give permission for that group to write on the attached volume

@juanpicado
Copy link
Member

Shipped under v2.2.5. Docker image will be ready soon.

@adrianchifor
Copy link
Author

@markpeterfejes @juanpicado cheers guys!

@juanpicado juanpicado mentioned this issue Jul 11, 2017
Closed
@juanpicado
Copy link
Member

I wonder if this fix on npm 5.1.0 is related with this
Releases notes:

npm/npm@58be2ec Make sure uid and gid are getting correctly set even when they're 0. This should fix some Docker-related issues with bad permissions/broken ownership. (@rgrove)
(@zkat)

npm/npm@24ec9f2

@juanpicado juanpicado changed the title Container crashes - Permission denied Docker container crashes inside Kubernetes - Permission denied Jul 12, 2017
@lock
Copy link

lock bot commented Jul 12, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot added the outdated label Jul 12, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Jul 12, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Docker issue: bug outdated
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@juanpicado @adrianchifor @markpeterfejes