Failed to open stream: Permission denied #179
Comments
I am re-opening this issue. This is related to the attempted fix implemented in #180, suggested by @tsterker.
Reason for re-open
More details on the failure
Ways to test your own apps
Next steps
I am going to continue to troubleshoot and may possibly revert #180 if I cannot get this to work well. |
Wanted to add a few things on this issue.

COPY --chown=$PUID:$PGID ./composer.json ./composer.lock ./
RUN composer install --no-cache --no-dev --no-scripts --no-autoloader --ansi --no-interaction
COPY --chown=$PUID:$PGID . .
RUN composer dump-autoload -o

Now the issue is that it can't create cache files:
I've tried giving to the whole |
Thanks for chiming in. The user running PHP is
Also -- I am not sure why you would need two copy commands in there. Also, the default web root is

COPY --chown=$PUID:$PGID . /var/www/html
RUN su webuser && \
    composer install --no-cache --no-dev --no-scripts --no-autoloader --ansi --no-interaction && \
    composer dump-autoload -o
|
Right, splitting the command is not needed. At the end I've cleared all my docker images and containers and now this is the full, working code, no errors related to

FROM serversideup/php:8.2-fpm-nginx as base
ENV AUTORUN_LARAVEL_MIGRATION=true
ENV SSL_MODE=off
ENV APP_ENV=production
FROM base as production
COPY --chown=$PUID:$PGID . .
RUN composer install --no-cache --no-dev --no-scripts --no-autoloader --ansi --no-interaction \
    && composer dump-autoload -o

I had to create a separate Dockerfile because I added (not pasted here) some tweaks to opcache, more extensions and so on. Thank you for the support and the image :) |
@jaydrogers I'm currently trying to follow up on this topic and understand the issue mentioned above and how #180 could be the cause for this. ℹ️ Is there an example that works with the current setup and breaks with #180? e.g. you mention a GitLab CI + DIND setup above.
Is this related to building docker images? In this case, maybe kaniko could be an option to build images without privileged mode? That said, if there is a general compatibility issue with the ubiquitous DIND it's still a problem that would need solving. |
Hey @tsterker, Thanks for checking in!
Regarding where the issue stands now
The root cause of his issue is a user experience issue -- it's not the user's fault either. Some background:
Where the problem stems:
The user would need to know to switch to
Regarding the CI + DIND
I want the images to assume this is compatible with any system and I don't want any dependencies on other libraries.
Moving forward
Let me take some time to document the issue better and see if I can post an issue on the S6 Overlay repo. They've been really helpful in the past, but I want to make sure I have the issue fully documented so I don't waste any of their time. I'll keep you posted! |
Just adding a note for myself...
S6 Overlay has some changes that were released on May 4th. I might want to explore these changes since they talk specifically about the |
Just adding a note, #180 has been reverted.
New approach
|
I'm having the same issue here. Just for context, if I check the owner of the files using a disposable container by running
Which is interesting because I expected the user and group ids to be 9999:9999. |
For additional context, I tried to run the project changing the 9999 user and group ids to 1000 (the default values) and the permission denied error disappeared. Briefly, I replaced 9999 with 1000 in:
Actually, if I now run a
|
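The ownership mismatch discussed in the comments above (files owned by one UID:GID, PHP running as another) can be checked from the host before the container starts. This is an added example, not code from the thread or from the serversideup/php project; the function name `unwritable_for` is hypothetical, and it reads plain owner/group/other mode bits only (no ACLs, no supplementary groups).

```shell
#!/bin/sh
# Added example: list paths that a given numeric UID:GID could NOT write,
# judged only from the owner/group/other permission bits.
# Assumption: the numeric IDs passed in are not also user or group *names*
# on this machine, so find treats them as numeric IDs.

# unwritable_for UID GID PATH...
unwritable_for() {
    uid=$1; gid=$2; shift 2
    # Unix picks exactly one permission class per access:
    #   owner   -> needs the 0200 bit
    #   group   -> needs the 0020 bit (only if not the owner)
    #   other   -> needs the 0002 bit (only if neither owner nor group)
    find "$@" \( -type f -o -type d \) \( \
        \( -user "$uid" ! -perm -200 \) -o \
        \( ! -user "$uid" -group "$gid" ! -perm -020 \) -o \
        \( ! -user "$uid" ! -group "$gid" ! -perm -002 \) \
    \) -print
}

# Run as a script, e.g. from a Laravel project root:
#   sh check.sh 9999 9999 storage bootstrap/cache
if [ $# -ge 3 ]; then
    unwritable_for "$@"
fi
```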
Same effect here, in my case is 1001 |
I am not an expert on how the user 9999 is being created but I think we are on the way :) |
Till there is a solid fix, I would just suggest to add the following environment variables, to let the image run on a different PUID & PGID. docker-compose example:

environment:
  PUID: 1000
  PGID: 1000
|
👉 Just a note
If you're running this locally, the owner and group IDs will differ based on the host machine.
If you're using a Linux host to run the docker container
If you're using a Windows or macOS host to run the container -- it gets complicated
Just another level of complexity I am trying to work through 🙃 |
For me, when I had an issue trying to create a Docker Image that wasn't using volumes my RUN commands were running as root. I solved it by setting the user to the expected values before the RUN and then importantly, setting back to root as the last command in the Dockerfile. This is my Dockerfile

ARG PHP_VERSION='8.2'
# ================
# Base Stage
# ================
FROM serversideup/php:${PHP_VERSION}-fpm-nginx as base
ENV AUTORUN_ENABLED=false
ENV SSL_MODE=off
# ================
# Production Stage
# ================
FROM base as production
# An ARG declared before the first FROM is only visible in FROM lines;
# re-declare it here so ${PHP_VERSION} expands inside this stage.
ARG PHP_VERSION
ENV APP_ENV=production
ENV APP_DEBUG=false
# Required Modules
RUN apt-get update && \
    apt-get install -y php${PHP_VERSION}-pgsql && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
USER $PUID:$PGID
# Copy contents.
# - To ignore files or folders, use .dockerignore
COPY --chown=$PUID:$PGID . .
RUN composer install --optimize-autoloader --no-dev --no-interaction --no-progress --ansi
# artisan commands
RUN php ./artisan event:cache && \
    php ./artisan route:cache && \
    php ./artisan view:cache
USER root:root

Note the setting of USER to $PUID:$PGID and then back to root:root for fpm to work correctly. |
Quick Question
Can everyone on this thread post their host operating system? I assume it's all Linux? I am working on resolving this issue. I finally have a Linux development machine to do some testing and reproduction with this issue to finally get it resolved. |
Ubuntu 22.04.3 LTS |
Linux, but got team members using WSL & Mac. |
Hmm... we use macOS exclusively and never run into a problem. Usually with the file mount on macOS, it actually helps prevent the issues from happening. Do you have steps to reproduce specifically for your Mac? I can run it on my machine and see if I can replicate. |
Experiencing the issue on Ubuntu 22.04 LTS, fresh install. For what it's worth; I'm not seeing this problem with Laravel Sail, maybe we can find some inspiration there? |
Yes, I hope they will be added. But I wonder how others are using these containers for development? It doesn't work on Windows or Linux. Does it work seamlessly on macOS? Does everyone only use these containers production-wise? 😃 |
@xaimes I'm using it on Linux for local dev, but I had to set the

services:
  laravel.test:
    image: serversideup/php:8.2-fpm-nginx
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    ports:
      - '${APP_PORT:-80}:80'
    environment:
      LARAVEL_SAIL: 1
      SSL_MODE: 'off'
      PUID: '${UID:-1000}'
      PGID: '${GID:-1000}'
    volumes:
      - '.:/var/www/html'
    networks:
      - sail
    depends_on:
      - mysql
    # ...
|
These env vars work in v2, not in v3 beta |
Ah, missed that y'all trying to use the v3 beta. Whoops, sorry. |
I'll have an update for you guys soon on this in the V3 beta. @tonysm's comment is heading in the right direction -- but it can have negative effects depending on what variation you're using. Unfortunately a lot of this comes down to how Docker & PHP work, so I will be providing improved documentation on how to address permission issues. I have an idea with Spin on how to make this really easy and automated, but I will need more time to explore this solution. |
👉 Important Update
Hey all, I just wanted to give you another update that I confirmed I have a working and stable solution with Spin. I feel this is the best balance that I know of "The Docker Way" and how PHP works. In short, the best way to solve this is to use a build argument to change the user ID:

# Learn more about the Server Side Up PHP Docker Images at:
# https://serversideup.net/open-source/docker-php/
FROM serversideup/php:beta-8.3-fpm-nginx as base
FROM base as development
# Fix permission issues in development by setting the "www-data"
# user to the same user and group that is running docker.
ARG USER_ID
ARG GROUP_ID
RUN usermod -u $USER_ID www-data && \
    groupmod -g $GROUP_ID www-data
FROM base as deploy
COPY --chown=www-data:www-data . /var/www/html

You can do this in Docker Compose yourself if you wanted to.

version: '3.8'
services:
  php:
    build:
      target: development
      args:
        USER_ID: ${SPIN_USER_ID}
        GROUP_ID: ${SPIN_GROUP_ID}
    volumes:
      - .:/var/www/html/
    networks:
      - development

How this works
The above examples will change the
In Spin, I automate ALL of this for you:
👉 All of this above prevents any PHP commands from running as a differing user ID
Best of all, I got this to work on macOS, Linux, and Windows (with WSL2). 🥳
Next Steps
Stay tuned as I will likely create content around this issue. This is one of those "gotchas" of using Docker + PHP in a production use case. I will post on here once I have more documentation/videos ready on this 👍 |
I like this way and is exactly the way i'm doing right now. Using the env var for id with 1000 as default |
Related note
Feel free to chime in on this issue: #253 Right now I don't like that. I am thinking of creating a |
⚡️ New Feature Added
Hey all, I just wanted to explain my latest commit: 2115656
What's new
Note: This feature is available in the v3 beta images only.
I created a
Usage: docker-php-serversideup-set-id [username] [uid] [gid]
What this does
This takes the username you want to change the UID and GID for. It also checks to make sure other users in the container are not taken. If they are, the script moves them to a new id (hopefully that's safe 😅).
Why this was created
The intention of this script was to make it easy for a sysadmin to work with a decentralized workforce with many different types of machines and configurations. It allows a sysadmin to set these files to fix the permission issues when developers are working with their files:

Dockerfile:

# Learn more about the Server Side Up PHP Docker Images at:
# https://serversideup.net/open-source/docker-php/
FROM serversideup/php:beta-8.3.0-fpm-nginx-bookworm as base
# Fix permission issues in development by setting the "www-data"
# user to the same user and group that is running docker.
FROM base as development
ARG USER_ID
ARG GROUP_ID
RUN docker-php-serversideup-set-id www-data ${USER_ID} ${GROUP_ID}
FROM base as deploy
COPY --chown=www-data:www-data . /var/www/html

docker-compose.yml:

version: '3.8'
services:
  php:
    build:
      target: development
      args:
        USER_ID: ${SPIN_USER_ID}
        GROUP_ID: ${SPIN_GROUP_ID}
    volumes:
      - .:/var/www/html/

Long story short
This wasn't really a bug with the Docker images, this was more of a user experience thing due to how PHP, Docker, and File Permissions work. I created this feature and will provide templates to minimize confusion.
Next Steps
Let me know if you like this solution and I can close this issue. Thanks for all your feedback to help get this resolved! |
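The collision handling described in the comment above (another account already holding the requested ID gets moved to a new one) can be examined as a dry run over a passwd-format file. This is an added example, not the project's `docker-php-serversideup-set-id` script: the function `plan_set_id`, the relocation starting point of 1000 and the sample accounts are assumptions, and it covers the UID half only.

```shell
#!/bin/sh
# Added example: dry-run planner for remapping a user to a new UID.
# plan_set_id PASSWD_FILE USERNAME NEW_UID
# Prints the changes needed; modifies nothing. Exit status 1 if USERNAME
# is not present in PASSWD_FILE.
plan_set_id() {
    awk -F: -v user="$2" -v want="$3" '
        {
            uid_of[$1] = $3          # account name -> current uid
            taken[$3] = 1            # every uid already in use
            if ($3 == want && $1 != user) holder[++n] = $1
        }
        END {
            if (!(user in uid_of)) { print "error: no such user " user; exit 1 }
            if (uid_of[user] == want) { print "ok: " user " already has uid " want; exit 0 }
            free = 1000              # assumption: relocate displaced accounts from 1000 up
            for (i = 1; i <= n; i++) {
                while ((free in taken) || free == want) free++
                print "move: " holder[i] " " want " -> " free
                taken[free] = 1
            }
            print "set: " user " " uid_of[user] " -> " want
        }' "$1"
}

# Constructed sample accounts (not taken from any real image).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
node:x:1000:1000::/home/node:/bin/sh
app:x:1001:1001::/home/app:/bin/sh
EOF
plan_set_id "$sample" www-data 1000
rm -f "$sample"
```

Ownership on disk is stored as a numeric ID, so files a displaced account owned outside its home directory belong to the remapped user afterwards unless they are re-owned as part of the move.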
If anyone is having permissions issues and using Docker desktop, try uninstalling and using only Docker Engine. |
@jaydrogers I am trying to run the docker container as non-root as you have outlined in #179 (comment)

services:
  review:
    image: my/app
    build:
      context: .
      dockerfile: Dockerfile-review
    ports:
      # laravel
      - '8001:81'
    environment:
      PORT: 81
      PUID: '${UID:-1000}'
      PGID: '${GID:-1000}'
    user: 'www-data:1000'
    networks:
      - app-network

I am trying to get such a container running on heroku and heroku won't allow you to run as root. I am running |
@rburgst: You'll need to remove the This is something I plan to improve documentation on, but it's also a limitation with some of these older servers like Apache. I hope that I can find a true non-privileged execution of PHP with FrankenPHP (#283) |
As I am trying to run in heroku this is nothing I have under my control. |
💪 Big Update
So here is a recap of the problem. It all comes down to
🦄 Proposed Solution
|
Works for me, would like to see it implemented |
There's only one answer and the answer is YES |
That would be cool, while I had some success to get franken-php to work, I still have a long way to go to get it to work properly on heroku. |
Would love to see that merged asap 😄 |
💪 Another Big Update
We have a PR ready for testing that will dramatically improve container security and developer experience:
🙏 Please help test this
Everything is documented on the PR on how to test:
We will merge this big change soon if we get good feedback 😅🚀 |
A fix has been released 🥳
These changes are now live in our
Monitor this CI/CD job for the exact moment these changes will be live (takes about an hour to build): |
Affected Docker Images
All
Current Behavior
There are many reports where this error randomly appears, usually on fresh deployments.
Examples
#172 (comment)
Bugflow
Expected Behavior
There is a discussion where we may be able to adjust S6 Overlay and have the commands run correctly (instead of root)
#71 (comment)
Steps To Reproduce
TBD
Host Operating System
Linux
Docker Version
Anything else?
No response