Tags: docker, permissions, containers, privileges, docker-entrypoint

create a symlink in an unprivileged container error


I'm running a K8s deployment and trying to harden the security of one of my pods, and because of that I started using the following docker image:

nginxinc/nginx-unprivileged:alpine

The problem is that I need to create a symlink and cannot get it done.

Here is the structure of my Dockerfile:

FROM nginxinc/nginx-unprivileged:alpine

ARG name
ARG ver

USER root

COPY ./outbox/${name}-${ver}.tgz ./
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./mime.types /etc/nginx/mime.types
COPY ./about.md ./

RUN mv /${name}-${ver}.tgz /usr/share/nginx/html

WORKDIR /usr/share/nginx/html

RUN tar -zxf ${name}-${ver}.tgz \
  && mv ngdist/* . \
  && mv /about.md ./assets \
  && rm -fr ngdist web-ui-${ver}.tgz \
  && mkdir -p /tmp/reports

RUN chown -R 1001 /usr/share/nginx/html/

COPY ./entrypoint.sh.${name} /bin/entrypoint.sh

RUN chown 1001 /bin/entrypoint.sh

USER 1001

EXPOSE 8080

CMD [ "/bin/entrypoint.sh" ]

and here is my entrypoint.sh:

#!/bin/sh

ln -s /tmp/reports /usr/share/nginx/html/reports

# Hand off to nginx in the foreground; without this the script exits and the container stops
exec nginx -g 'daemon off;'

and here is my container in the pod deployment YAML file:

      containers:
      - name: web-ui
        image: "myimage"
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
          name: web-ui
        volumeMounts:
        - name: myvolume
          mountPath: /tmp/reports

I tried to set the entrypoint to run under root, but that did not help either; the error I'm getting is this:

Error: failed to start container "web-ui": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "/bin/entrypoint.sh": permission denied: unknown


Solution

  • Like other Linux commands, a Docker container's main CMD can't run if the program it names isn't executable.

    Most source-control systems will track whether or not a file is executable, and Docker COPY will preserve that permission bit. So the best way to address this is to make the scripts executable on the host:

    chmod +x entrypoint.sh.*
    git add entrypoint.sh.*
    git commit -m 'make entrypoint scripts executable'
    
    docker-compose build
    docker-compose up -d
    

    If that's not an option, you can fix this up in the Dockerfile too.

    COPY ./entrypoint.sh.${name} /bin/entrypoint.sh
    RUN chmod 0755 /bin/entrypoint.sh
    

    Like other things in /bin, the script should usually be owned by root, executable by everyone, and writable only by its owner; you do not generally want the application to have the ability to overwrite its own code.
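As an added example (not part of the answer above, and not the poster's code), a POSIX shell check that can run on the build host or in CI before `docker build`: it verifies that each entrypoint script carries the mode the answer calls for (executable by everyone, writable only by its owner) and that git has the same bit recorded, so a fresh clone will COPY the same mode into the image. The script name `check_entrypoints.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the question or answer: a pre-build check that the
# entrypoint scripts about to be COPY'd into the image carry the mode the
# answer calls for (executable by everyone, writable only by the owner),
# plus the same check against what git has recorded for the file.
# POSIX sh only, so it also runs under BusyBox on Alpine build hosts.

# Returns 0 if the on-disk mode is acceptable, 1 otherwise (reasons on stderr).
check_entrypoint_perms() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # First 10 characters of ls -ld are the type and rwx bits, e.g. -rwxr-xr-x
    p=$(ls -ld "$f" | cut -c1-10)
    rc=0
    case "$p" in
        ???x??x??x) ;;
        *) echo "$f: not executable for owner, group and others ($p)" >&2; rc=1 ;;
    esac
    case "$p" in
        ?????w???? | ????????w?) echo "$f: writable by group or others ($p)" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Returns 0 if git has the file recorded as 100755 (the mode a fresh clone
# restores and COPY then preserves), 1 if it is 100644 or untracked.
check_git_mode() {
    mode=$(git ls-files -s -- "$1" 2>/dev/null | cut -c1-6)
    [ "$mode" = "100755" ]
}

# Applies the mode the answer recommends, 0755, and re-runs the check.
fix_entrypoint_perms() {
    chmod 0755 "$1" && check_entrypoint_perms "$1"
}

# Usage: ./check_entrypoints.sh entrypoint.sh.*   (exits 1 if any script is wrong)
if [ "$#" -gt 0 ]; then
    status=0
    for s in "$@"; do
        check_entrypoint_perms "$s" || status=1
        check_git_mode "$s" || { echo "$s: git does not record mode 100755" >&2; status=1; }
    done
    exit "$status"
fi
```

Ownership is deliberately not checked here: COPY does not carry the host owner into the image, so the root-owned, 0755 result the answer describes is set by the Dockerfile's own `RUN chmod 0755 ...` while still running as root.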