Why does simple Dockerfile give “permission denied

2019-08-27 07:17发布

站内问答 / Docker
1000 3 6

I am learning to use Docker with ROS, and I am surprised by this error message:

FROM ros:kinetic-robot-xenial

# create non-root user
ENV USERNAME ros
RUN adduser --ingroup sudo --disabled-password --gecos "" --shell /bin/bash --home /home/$USERNAME $USERNAME
RUN bash -c 'echo $USERNAME:ros | chpasswd'
ENV HOME /home/$USERNAME
USER $USERNAME

RUN apt-get update

Gives this error message

Step 7/7 : RUN apt-get update
 ---> Running in 95c40d1faadc
Reading package lists...
E: List directory /var/lib/apt/lists/partial is missing. - Acquire (13: Permission denied)
The command '/bin/sh -c apt-get update' returned a non-zero code: 100

标签: docker
举报
3条回答
Bombasti
2楼-- · 2019-08-27 07:46

apt-get generally needs to run as root, but once you've run a USER command, commands don't run as root any more.

You'll frequently run commands like this at the start of the Dockerfile: you want to take advantage of Docker layer caching if you can, and you'll usually be installing dependencies the rest of the Dockerfile needs. Also for layer-caching reasons, it's important to run apt-get update and other installation steps in a single step. So your Dockerfile would typically look like

FROM ros:kinetic-robot-xenial
# Still root
RUN apt-get update \
 && apt-get install ...
# Copy in application (still as root, won't be writable by other users)
COPY ...
CMD ["..."]
# Now as the last step create a user and default to running as it
RUN adduser ros
USER ros

If you need to, you can explicitly USER root to switch back to root for subsequent commands, but it's usually easier to read and maintain Dockerfiles with less user switching.

Also note that neither sudo nor user passwords are really useful in Docker. It's hard to run sudo in a script just in general and a lot of Docker things happen in scripts. Containers also almost never run things like getty or sshd that could potentially accept user passwords, and they're trivial to read back from docker history, so there's no point in setting one. Conversely, if you're in a position to get a shell in a container, you can always pass -u root to the docker run or docker exec command to get a root shell.

查看更多
0人赞 添加讨论(0) 举报
ら.Afraid
3楼-- · 2019-08-27 07:51

Try putting this line at the end of your dockerfile

USER $USERNAME (once this line appears in dockerfile...u will assume this users permissions...which in this case does not have to install anything) by default you are root

查看更多
0人赞 添加讨论(0) 举报
在下西门庆
4楼-- · 2019-08-27 07:53

You add the user ros to the group sudo but you try to apt-get update without making use of sudo. Therefore you run the command unprivileged and you get the permission denied.

Use do run the command (t):

FROM ros:kinetic-robot-xenial

RUN whoami
RUN apt-get update
# create non-root user
RUN apt-get install sudo
RUN echo "ros ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers
ENV USERNAME ros 
RUN adduser --ingroup sudo --disabled-password --gecos "" --shell /bin/bash --home /home/$USERNAME $USERNAME
RUN bash -c 'echo $USERNAME:ros | chpasswd'
ENV HOME /home/$USERNAME
USER $USERNAME

RUN whoami
RUN sudo apt-get update

All in all that does not make much sense. It is OK to prepare a docker image (eg. install software etc.) with its root user. If you are concerned about security (which is a good thing) leave the sudo stuff and make sure that the process(es) that run when the image is executed (eg the container is created) with your unprivileged user...

Also consider multi stage builds if you want to separate the preparation of the image from the actual runnable thing:

https://docs.docker.com/develop/develop-images/multistage-build/

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)