[OCP] permission denied, mkdir in container on openshift

 

문제 상황

로컬에서는 문제없이 작동하는 Container가 Redhat OpenShift에 올리니까 Permission Deny 에러가 발생했다.

Error: EACCES: permission denied, mkdir '/home/node/app/.pm2'

 

사용한 Dockerfile은 아래와 같다.

FROM node:16.14-alpine

WORKDIR /home/node

COPY . .

RUN npm install

USER 1000

EXPOSE 8080

CMD node server.js

 

 

에러 원인

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.

Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:

RUN chgrp -R 0 /some/directory && \
    chmod -R g=u /some/directory

WORKDIR /some/directory

 

Because the container user is always a member of the root group, the container user can read and write these files.

 

참고

https://docs.openshift.com/container-platform/4.11/openshift_images/create-images.html#use-uid_create-images

 

 

해결 방법

해당 디렉터리가 루트 그룹 소유가 아니라서 Permission Deny가 발생한 거였다.

Dockerfile을 아래와 같이 수정해서 문제를 해결했다.

FROM node:16.14-alpine

RUN chgrp -R 0 /home/node && chmod -R g=u /home/node

WORKDIR /home/node

COPY . .

RUN npm install

USER 1000

EXPOSE 8080

CMD node server.js