Permission denied when python app tries to write log file into shared volume in docker

Time:10-03

I'm trying to write a simple Python application that runs inside Docker as a non-root user, and I want it to write its log files to a shared volume.

docker-compose.yml

version: '3.7'

services:
  testapp:
    hostname: pythonapp
    container_name: pythonapp
    build:
      context: .
      dockerfile: Dockerfile
    environment:
      - TZ=Europe/Rome
    ports:
      - "8080:8080"
    volumes:
      - ./log:/home/pythonapp/src/log

docker build file

FROM python:3

# set environment variables
ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1

# Create a user with given UID.
RUN useradd -m -u 5000 pythonapp
USER pythonapp
RUN id

RUN mkdir -p /home/pythonapp/src/log
RUN chown -R pythonapp:pythonapp /home/pythonapp 
WORKDIR /home/pythonapp/src

## copy from host to container files
COPY --chown=pythonapp:pythonapp . .

## install dependencies
RUN pip install --user --upgrade pip
RUN pip install --user -r requirements.txt

CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"]

Before building the image, I created the log folder on the host machine.

mkdir log
ls -la
>>> drwxrwxr-x 2 tabita tabita 4096 ott  2 19:16 log

setfacl -m u:5000:rwx ./log

ls -la
>>> drwxrwxr-x  2 tabita tabita 4096 ott  2 19:16 log

getfacl log/
>>># file: log/
# owner: tabita
# group: tabita
user::rwx
user:5000:rw-
group::rwx
mask::rwx
other::r-x

Then I created the image using docker-compose

docker-compose -f docker-compose.yml up --build -v

However, I get an error here:

pythonapp | /home/pythonapp/src
pythonapp | pythonapp
pythonapp | uid=5000(pythonapp) gid=5000(pythonapp) groups=5000(pythonapp)
pythonapp | Traceback (most recent call last):
pythonapp |   File "/home/pythonapp/src/ssh_honeypot.py", line 28, in <module>
pythonapp |     logging.basicConfig(
pythonapp |   File "/usr/local/lib/python3.9/logging/__init__.py", line 2003, in basicConfig
pythonapp |     h = FileHandler(filename, mode,
pythonapp |   File "/usr/local/lib/python3.9/logging/__init__.py", line 1146, in __init__
pythonapp |     StreamHandler.__init__(self, self._open())
pythonapp |   File "/usr/local/lib/python3.9/logging/__init__.py", line 1175, in _open
pythonapp |     return open(self.baseFilename, self.mode, encoding=self.encoding,
pythonapp | PermissionError: [Errno 13] Permission denied: '/home/pythonapp/src/log/pythonapp.log'
pythonapp exited with code 1

DEBUGGING

I tried to get into the container and create a file in the log folder. I'm able to create one, but from the host system I can't see the created file.

Could you please help me?

CodePudding user response:

I've tried your files with this script:

# pythonapp.py
# Write a test file into the bind-mounted log directory.
with open('/home/pythonapp/src/log/test.txt', 'w') as f:
    f.write("Hello world!")  # the with block closes the file on exit

It works very well only if x access is granted to user 5000.

This permission is needed to go through the log directory.

According to your output, the permissions are currently rw-:

getfacl log/
>>># file: log/
...
user:5000:rw-
...

As your procedure seemed correct, could you try again from this:

log is under my working directory

  1. Add rights for user with UID:5000:
    setfacl -m u:5000:rwx log
    
  2. Check rights, rwx is required

    I think --tabular is a good option to view ACL permissions

    getfacl --tabular log 
    # file: log
    USER   <myuser>  rwx     
    user   5000      rwx     
    GROUP  <myuser>  rwx     
    mask             rwx     
    other            r-x  
    
  3. pythonapp.py should be able to write under log directory:

    docker-compose up --build

    Step 13/13 : CMD ["python", "/home/pythonapp/src/pythonapp.py", "-p", "8080"]
     ---> Using cache
    ---> fcd2afb9f961
    Successfully built fcd2afb9f961
    Successfully tagged so_testapp:latest
    Starting pythonapp ... done
    Attaching to pythonapp
    pythonapp exited with code 0
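
The check discussed in this thread, as an added example that is not part of the original question or answer: it reads `getfacl` text and reports which permissions a UID still lacks to create files in the directory. The function names are hypothetical, the sample ACL is constructed from the question's output, and the code assumes the UID is neither the directory owner nor a member of a listed group.

```python
"""Added example: what a getfacl listing actually grants one UID on a directory."""

# Constructed sample, modelled on the question's output (rw- for UID 5000).
QUESTION_ACL = """\
# file: log/
# owner: tabita
# group: tabita
user::rwx
user:5000:rw-
group::rwx
mask::rwx
other::r-x
"""


def parse_acl(text):
    """Return [(tag, qualifier, perms)] for the access entries in getfacl text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if not line or line.startswith("default:"):
            continue  # default entries only apply to files created later
        tag, qualifier, perms = line.split(":")[:3]
        entries.append((tag, qualifier, set(perms) - {"-"}))
    return entries


def perms_for_uid(text, uid):
    """Permissions for a UID that is neither the owner nor in a listed group.

    A named user entry is limited by the mask; without one, "other" applies.
    """
    entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), None)
    for tag, qualifier, perms in entries:
        if tag == "user" and qualifier == str(uid):
            return perms if mask is None else perms & mask
    return next((p for t, _, p in entries if t == "other"), set())


def missing_to_create_files(text, uid):
    """Creating a file in a directory needs write and search (x) on it."""
    return {"w", "x"} - perms_for_uid(text, uid)


if __name__ == "__main__":
    print(sorted(missing_to_create_files(QUESTION_ACL, 5000)))
```

Feeding it the output of `getfacl log` on the host before `docker-compose up` shows whether the container's UID can write there; a restrictive `mask` entry can remove permissions even when the named user entry reads `rwx`.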