Problem
A container that runs without any issue locally threw a permission denied error as soon as it was deployed on Red Hat OpenShift.
Error: EACCES: permission denied, mkdir '/home/node/app/.pm2'
The Dockerfile in use was the following.
FROM node:16.14-alpine
WORKDIR /home/node
COPY . .
RUN npm install
USER 1000
EXPOSE 8080
CMD node server.js
Cause of the error
By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.
For an image to support running as an arbitrary user, directories and files that are written to by processes in the image must be owned by the root group and be read/writable by that group. Files to be executed must also have group execute permissions.
Adding the following to your Dockerfile sets the directory and file permissions to allow users in the root group to access them in the built image:
RUN chgrp -R 0 /some/directory && \
chmod -R g=u /some/directory
WORKDIR /some/directory
Because the container user is always a member of the root group, the container user can read and write these files.
Reference
Solution
The permission denied error occurred because that directory was not owned by the root group.
I fixed the problem by changing the Dockerfile as follows.
FROM node:16.14-alpine
RUN chgrp -R 0 /home/node && chmod -R g=u /home/node
WORKDIR /home/node
COPY . .
RUN npm install
USER 1000
EXPOSE 8080
CMD node server.js
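The OpenShift documentation quoted above states two requirements for an arbitrary UID to work: paths written at runtime must be owned by group 0 and must be group-writable (chmod -R g=u copies the owner's bits to the group, which also covers the group-execute bit on directories and executables). The shell script below is an added example, not part of the original post: it checks a directory tree against both requirements and applies the documented fix. It assumes POSIX find/chmod/chgrp and is meant to run inside an image build (or against an extracted image filesystem); the chgrp to group 0 only succeeds as root or as a member of group 0, which a Docker RUN step has because builds run as root by default.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a directory tree
# meets OpenShift's arbitrary-UID requirements and apply the documented fix.

# Print every path that is not group-writable, or that is owner-executable
# (directories, scripts, binaries) but not group-executable.
# Returns 1 if any such path exists, 0 otherwise.
check_group_mode() {
    offenders=$(find "$1" \( ! -perm -020 -o -perm -100 ! -perm -010 \) -print)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | sed 's/^/group bits missing: /'
    return 1
}

# Print every path not owned by group 0 (root). Returns 1 if any exists.
check_root_group() {
    offenders=$(find "$1" ! -group 0 -print)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | sed 's/^/not group 0: /'
    return 1
}

# Both conditions must hold for the whole tree for an arbitrary UID
# (always a member of group 0 on OpenShift) to be able to write there.
check_openshift_ready() {
    ok=0
    check_root_group "$1" || ok=1
    check_group_mode "$1" || ok=1
    return $ok
}

# The fix from the OpenShift docs, applied to one directory tree.
# Run it as the last filesystem-modifying step of the Dockerfile: COPY and
# RUN steps executed afterwards create new root:root paths that keep their
# source mode bits and would fail check_group_mode again.
fix_openshift_perms() {
    chgrp -R 0 "$1" && chmod -R g=u "$1"
}

# Usage: check_openshift_ready /home/node || fix_openshift_perms /home/node
```

In the post's Dockerfile the chgrp/chmod step runs before COPY and npm install; running check_openshift_ready /home/node as a final RUN step (failing the build when it returns 1) is a cheap way to confirm that nothing added later is missing the group bits.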