Scenario / Questions
I’m trying to add a file to a Docker image built from the official tomcat image. That image does not seem to have root rights, as I’m logged in as user tomcat if I run bash:

    docker run -it tomcat /bin/bash
    tomcat@06359f7cc4db:/usr/local/tomcat$

If I instruct a Dockerfile to copy a file to that container, the file has permissions 644 and the owner is root. As far as I understand, that seems to be reasonable as all commands in the Dockerfile are run as root. However, if I try to change ownership of that file to tomcat:tomcat, I get an Operation not permitted error.

Why can’t I change the permissions of a file copied to that image?
How it can be reproduced:

    mkdir docker-addfilepermission
    cd docker-addfilepermission
    touch test.txt
    echo 'FROM tomcat
    COPY test.txt /usr/local/tomcat/webapps/
    RUN chown tomcat:tomcat /usr/local/tomcat/webapps/test.txt' > Dockerfile
    docker build .

The output of docker build .:

    Sending build context to Docker daemon 3.072 kB
    Sending build context to Docker daemon
    Step 0 : FROM tomcat
     ---> 44859847ef64
    Step 1 : COPY test.txt /usr/local/tomcat/webapps/
     ---> Using cache
     ---> a2ccb92480a4
    Step 2 : RUN chown tomcat:tomcat /usr/local/tomcat/webapps/test.txt
     ---> Running in 208e7ff0ec8f
    chown: changing ownership of '/usr/local/tomcat/webapps/test.txt': Operation not permitted
    2014/11/01 00:30:33 The command [/bin/sh -c chown tomcat:tomcat /usr/local/tomcat/webapps/test.txt] returned a non-zero code: 1

Find below all possible solutions or suggestions for the above questions.
There is likely a way to view and change the Dockerfile for tomcat, but I can’t figure it out after a few minutes. My inelegant solution is to add this line before the chown:
If you want to de-elevate the privileges after (which is recommended) you could add this line:
Alternately, work with an image that has no software installed so you can begin your Dockerfile as root and install tomcat and all that. It’s actually odd they change that in their image from my experience. It makes sense to allow the intended end user to set the USER directive as they see fit.
Since Docker 17.09 one can use the --chown flag on ADD/COPY operations in Dockerfile to change the owner in the ADD/COPY step itself rather than a separate RUN operation with chown which increases the size of the image as you have noted. It would have been good to have this as the default mode i.e. the permissions of the user copying the files are applied to the copied files. However, the Docker team did not want to break backward compatibility and hence introduced a new flag.

    COPY --chown=<user>:<group> <hostPath> <containerPath>

The other alternatives are:
- Change the permission in a staging folder prior to building the image.
- Run the container via a bootstrap script that changes the ownership.
- Squash the layers!
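
The ownership behaviour discussed above can be checked before a build by tracking the effective USER through a Dockerfile. The following is an added example, not code from the question or the answers; `check_dockerfile`, `is_root` and the `base_users` mapping are hypothetical names, and the sketch assumes the privilege switch is made with the USER directive and that the caller knows which user each base image was built with.

```python
import re

# Constructed samples: the question's Dockerfile, the COPY --chown variant,
# and a variant that switches to root for the chown and never switches back.
QUESTION = """FROM tomcat
COPY test.txt /usr/local/tomcat/webapps/
RUN chown tomcat:tomcat /usr/local/tomcat/webapps/test.txt
"""
FIXED = """FROM tomcat
COPY --chown=tomcat:tomcat test.txt /usr/local/tomcat/webapps/
"""
STAYS_ROOT = """FROM tomcat
USER root
COPY test.txt /usr/local/tomcat/webapps/
RUN chown tomcat:tomcat /usr/local/tomcat/webapps/test.txt
"""

def is_root(user):
    # USER accepts name, uid, name:group or uid:gid; unset means root.
    return user.split(":")[0] in ("", "root", "0")

def check_dockerfile(text, base_users):
    """Return (instruction, finding) pairs. base_users maps a base image to the
    USER it was built with (assumption: the caller supplies it, e.g. from
    `docker inspect --format '{{.Config.User}}' IMAGE`)."""
    findings, user, stage_base = [], "", ""
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():  # join continuations
        op, _, rest = line.strip().partition(" ")
        op, rest = op.upper(), rest.strip()
        if op == "FROM":  # every stage starts as its base image's user
            image = next((t for t in rest.split() if not t.startswith("--")), "")
            user = stage_base = base_users.get(image, "")
        elif op == "USER":
            user = rest
        elif is_root(user):
            continue  # root can copy and chown freely
        elif op in ("COPY", "ADD") and not re.search(r"--(chown|from)=", rest):
            # COPY --from is not assessed in this sketch
            findings.append((line.strip(), f"files are created as root:root, not {user}; use --chown"))
        elif op == "RUN" and re.search(r"\bchown\b", rest):
            findings.append((line.strip(), f"chown runs as {user} and fails on root-owned files"))
    if is_root(user) and not is_root(stage_base):
        findings.append(("(end of file)", f"final stage stays root; add USER {stage_base}"))
    return findings

if __name__ == "__main__":
    for name, text in (("question", QUESTION), ("fixed", FIXED), ("stays_root", STAYS_ROOT)):
        print(name, check_dockerfile(text, {"tomcat": "tomcat"}))
```

With an empty `base_users` mapping the base image is treated as running as root, and the question's Dockerfile produces no findings.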