[keyserver] Run Docker as non-root user
Closed, Public

Authored by ashoat on Jun 1 2022, 2:15 AM.
Tags
None
Referenced Files
F2108841: D4178.id.diff
Tue, Jun 25, 2:30 PM

Details

Summary

See Linear task

Depends on D4177

Test Plan

Make sure docker-compose down -v && docker-compose up --build still works

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ashoat requested review of this revision. Jun 1 2022, 2:43 AM
atul added a subscriber: varun.

We can clean this up by creating the /home/comm/app directory as comm with the mkdir command in a RUN step.

keyserver/Dockerfile
20 ↗(On Diff #13271)

Ran into a similar permissions issue when @varun was working on services/identity/Dockerfile.

What we found was that if a directory doesn't exist, WORKDIR will create it as root and the directory will be "owned" by root. This happens even if the WORKDIR step happens after the USER comm step... which we found confusing.

To get around the permissions issue, we created the directory as comm before the WORKDIR step. It ended up looking like the following:

RUN useradd -m comm
USER comm
...
RUN mkdir -p /home/comm/app/identity
WORKDIR /home/comm/app/identity

This should let us skip the --chown=comm argument for all the COPY commands.

This revision is now accepted and ready to land. Jun 1 2022, 8:19 AM

Thanks for the reference! I did read through services/identity/Dockerfile, and thought I had tried that... but it's very possible I did something wrong, as I wasn't operating on much sleep last night. Will give it another try.

Yeah, confirming that doesn't work. I think the issue is that COPY is still run as root, even if you specify a USER. (Or perhaps it's just that directories created as a consequence of running COPY are created as root – not 100% sure.)

This revision was automatically updated to reflect the committed changes.
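
The ownership pitfalls discussed in this thread can be checked mechanically. The following is an added example, not code from this revision or the Comm repository: a small Dockerfile audit that flags COPY/ADD without --chown under a non-root USER (Docker creates those files with UID 0), a WORKDIR the user did not create first (the behaviour reported in the comments above), and a final stage left running as root. The names audit and logical_lines, the sample Dockerfile and its base image are constructed for illustration.

```python
import re

ROOT_IDS = {"root", "0"}

def logical_lines(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        start = start if buf else no
        buf += s.rstrip("\\") + " "
        if not s.endswith("\\"):
            instr, _, args = buf.strip().partition(" ")
            yield start, instr.upper(), args.strip()
            buf = ""

def audit(text):
    """Return [(line_no, message)] for user/ownership issues."""
    findings, user, made, last = [], "root", set(), 0
    for last, instr, args in logical_lines(text):
        if instr == "FROM":                      # every stage starts as root
            user, made = "root", set()
        elif instr == "USER":
            user = args.split(":")[0]
        elif user in ROOT_IDS:
            continue                             # checks below need a non-root USER
        elif instr == "RUN":                     # dirs the user made are its own
            made.update(re.findall(r"\bmkdir\s+(?:-p\s+)?(/\S+)", args))
        elif instr == "WORKDIR" and args not in made:
            findings.append((last, f"WORKDIR may create {args} as root"))
        elif instr in ("COPY", "ADD") and "--chown=" not in args:
            findings.append((last, f"{instr} without --chown: files owned by root, not {user}"))
    if user in ROOT_IDS:
        findings.append((last, "final stage runs as root"))
    return findings

# Constructed samples modelled on the snippet in the thread (base image assumed).
BEFORE = """FROM node:16
RUN useradd -m comm
USER comm
WORKDIR /home/comm/app
COPY package.json .
"""
AFTER = BEFORE.replace("WORKDIR", "RUN mkdir -p /home/comm/app\nWORKDIR") \
              .replace("COPY ", "COPY --chown=comm ")

if __name__ == "__main__":
    for name, df in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(df))
```

The check assumes absolute paths in mkdir and WORKDIR and does not evaluate build arguments or shell variables.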