Create a symlink in an unprivileged container error
I'm running a K8s deployment and trying to harden the security of one of my pods, and because of that I started using the following Docker image:
nginxinc/nginx-unprivileged:alpine
The problem is that I need to create a symlink and cannot get it done.
Here is the structure of my Dockerfile:
FROM nginxinc/nginx-unprivileged:alpine
ARG name
ARG ver
USER root
COPY ./outbox/${name}-${ver}.tgz ./
COPY ./nginx.conf /etc/nginx/nginx.conf
COPY ./mime.types /etc/nginx/mime.types
COPY ./about.md ./
RUN mv /${name}-${ver}.tgz /usr/share/nginx/html
WORKDIR /usr/share/nginx/html
RUN tar -zxf ${name}-${ver}.tgz \
&& mv ngdist/* . \
&& mv /about.md ./assets \
&& rm -fr ngdist web-ui-${ver}.tgz \
&& mkdir -p /tmp/reports
RUN chown -R 1001 /usr/share/nginx/html/
COPY ./entrypoint.sh.${name} /bin/entrypoint.sh
RUN chown 1001 /bin/entrypoint.sh
USER 1001
EXPOSE 8080
CMD [ "/bin/entrypoint.sh" ]
and here is my entrypoint.sh:
#!/bin/sh
ln -s /tmp/reports /usr/share/nginx/html/reports
and here is my container in the pod deployment YAML file:
containers:
- name: web-ui
image: "myimage"
imagePullPolicy: Always
ports:
- containerPort: 8080
name: web-ui
volumeMounts:
- name: myvolume
mountPath: /tmp/reports
I tried setting the entrypoint to run as root, but that did not help either. The error I'm getting is this:
Error: failed to start container "web-ui": Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "/bin/entrypoint.sh": permission denied: unknown
Solution 1:[1]
Like other Linux commands, a Docker container's main CMD can't run if the program it names isn't executable.
Most source-control systems will track whether or not a file is executable, and Docker COPY will preserve that permission bit. So the best way to address this is to make the scripts executable on the host:
chmod +x entrypoint.sh.*
git add entrypoint.sh.*
git commit -m 'make entrypoint scripts executable'
docker-compose build
docker-compose up -d
If that's not an option, you can fix this up in the Dockerfile too.
COPY ./entrypoint.sh.${name} /bin/entrypoint.sh
RUN chmod 0755 /bin/entrypoint.sh
Like other things in /bin, the script should usually be owned by root, executable by everyone, and writable only by its owner; you do not generally want the application to have the ability to overwrite its own code.
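The failure and the fix from this answer, as an added shell example that is not part of the question or the answer. It simulates the image layout in a temporary directory rather than building an image, reproduces the runtime's "permission denied" on a CMD whose file has no x bit, applies `chmod 0755`, and checks the resulting mode the way a reviewer of the Dockerfile would. The helper names (`check_entrypoint_mode`, `exec_status`) and the paths are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: simulate the image
# in a temporary directory, reproduce the runtime's "permission denied" on a
# CMD whose file has no x bit, apply the chmod 0755 the answer recommends, and
# check the mode of the would-be /bin/entrypoint.sh.
# Names (check_entrypoint_mode, exec_status, demo_dir) are this example's own.

# Return 0 when the file is executable by everyone and writable only by its
# owner (mode 0755, as expected for something in /bin), 1 otherwise. Parsing
# `ls -l` keeps this portable between GNU coreutils and busybox (alpine),
# whose `stat` flags differ.
check_entrypoint_mode() {
    f="$1"
    [ -f "$f" ] || return 1
    perm=$(ls -ld "$f" | cut -c1-10)     # e.g. -rwxr-xr-x
    case "$perm" in
        -rwxr-xr-x) return 0 ;;          # owner rwx, group r-x, other r-x
        *)          return 1 ;;          # missing x bit, group/other write, setuid, ...
    esac
}

# Run a file the way the runtime runs CMD ["/bin/entrypoint.sh"] and print the
# exit status; 126 is the shell's "found but not executable".
exec_status() {
    ( "$@" ) >/dev/null 2>&1
    echo $?
}

demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/html"
ep="$demo_dir/entrypoint.sh"

# Stand-in for the poster's entrypoint: symlink the reports volume into the
# web root. $1 is the web root; the guard makes re-running it harmless.
printf '%s\n' '#!/bin/sh' \
    '[ -L "$1/reports" ] || ln -s /tmp/reports "$1/reports"' > "$ep"

# COPY preserved a 0644 file (x bit never committed): exec fails with 126.
chmod 0644 "$ep"
before_status=$(exec_status "$ep" "$demo_dir/html")
echo "before chmod 0755: exit status $before_status"

# The fix from the answer: RUN chmod 0755 /bin/entrypoint.sh
chmod 0755 "$ep"
after_status=$(exec_status "$ep" "$demo_dir/html")
echo "after chmod 0755: exit status $after_status"
check_entrypoint_mode "$ep" && echo "mode ok: $(ls -ld "$ep" | cut -c1-10)"
```

The check covers only the mode bits; ownership is not asserted because the example may not run as root. In the Dockerfile from the question, `RUN chown 1001 /bin/entrypoint.sh` hands the script to the same UID the application runs as, which is exactly what the answer's last paragraph argues against: once `chmod 0755` is in place, that `chown` can be dropped and the file stays root-owned.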
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | David Maze |
