LeastAuthority/kubetop

python script in image gets permission denied

martinvelos opened this issue · 3 comments

Seems the Python script is not run as root, and thus with the command from the README we get:

Traceback (most recent call last):
  File "/usr/local/bin/kubetop", line 11, in <module>
    load_entry_point('kubetop==17.4.17.1.dev0', 'console_scripts', 'kubetop')()
  File "/usr/local/lib/python2.7/site-packages/kubetop/_twistmain.py", line 89, in __call__
    ] + argv[1:])
  File "/usr/local/lib/python2.7/site-packages/twisted/application/twist/_twist.py", line 119, in main
    options = cls.options(argv)
  File "/usr/local/lib/python2.7/site-packages/twisted/application/twist/_twist.py", line 40, in options
    options.parseOptions(argv[1:])
  File "/usr/local/lib/python2.7/site-packages/twisted/application/twist/_options.py", line 168, in parseOptions
    Options.parseOptions(self, options=options)
  File "/usr/local/lib/python2.7/site-packages/twisted/python/usage.py", line 267, in parseOptions
    self.subOptions.parseOptions(rest)
  File "/usr/local/lib/python2.7/site-packages/twisted/python/usage.py", line 277, in parseOptions
    self.postOptions()
  File "/usr/local/lib/python2.7/site-packages/kubetop/_script.py", line 49, in postOptions
    self['context'] = current_context(FilePath(expanduser(self['config'])))
  File "/usr/local/lib/python2.7/site-packages/kubetop/_script.py", line 34, in current_context
    with config_path.open() as cfg:
  File "/usr/local/lib/python2.7/site-packages/twisted/python/filepath.py", line 1012, in open
    return open(self.path, mode + 'b')
IOError: [Errno 13] Permission denied: '/root/.kube/config'

I wonder why. The Dockerfile doesn't specify another user. Maybe Docker has changed since the Dockerfile was written. Is the default user in the container no longer root?

I think that remained, see:

$ docker run -it --entrypoint sh   --volume ~/.kube/:/root/.kube/:ro exarkun/kubetop -c id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

Seems like something with the volume mapping:

$ docker run -it --entrypoint ls   --volume ~/.kube/:/root/.kube/:ro exarkun/kubetop /root/.kube
ls: can't open '/root/.kube': Permission denied

Aah, I see, on Fedora, where SELinux rules, we need to use the :Z mapping, which I don't understand properly, but I have similar troubles when running docker-compose.

docker run -it --rm --volume ~/.kube/:/root/.kube/:Z exarkun/kubetop
started fine, only it is not handling self-signed certs we have on our "lab"...
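
The denial in this thread hit uid 0 because SELinux checks the label on the bind-mounted directory, not the Unix owner. The script below is an added example, not part of the thread or of kubetop: it classifies a directory's SELinux context and picks a volume suffix that keeps the `:ro` from the README command. The function names and sample contexts are constructed, and it assumes the usual container policy types (`container_file_t`, older `svirt_sandbox_file_t`).

```shell
#!/bin/sh
# Added example: classify the SELinux label on a bind-mount source directory.
# Function names and the sample contexts below are constructed for illustration.

# Print the SELinux context of a path (GNU ls; prints "?" where SELinux is off).
path_context() { ls -Zd -- "$1" | awk '{print $1}'; }

# A context is user:role:type:level; the level may itself contain ':'.
context_type()  { printf '%s\n' "$1" | cut -d: -f3; }
context_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# denied  = not a container file type; expect denials like the one in this thread
# shared  = container type, no MCS categories (result of a :z mount)
# private = container type with MCS categories (result of a :Z mount)
label_verdict() {
    case "$(context_type "$1")" in
        container_file_t|svirt_sandbox_file_t)
            case "$(context_level "$1")" in
                s0)    echo shared ;;
                s0:c*) echo private ;;
                *)     echo unknown ;;
            esac ;;
        *) echo denied ;;
    esac
}

# Volume options that keep the kubeconfig read-only. A private label only
# matches the container it was applied for, so anything but "shared" needs Z
# to relabel for the new container.
volume_opts() {
    if [ "$(label_verdict "$1")" = shared ]; then echo ro; else echo ro,Z; fi
}

# Constructed sample contexts: before relabeling, after :z, after :Z.
for ctx in \
    unconfined_u:object_r:user_home_t:s0 \
    system_u:object_r:container_file_t:s0 \
    system_u:object_r:container_file_t:s0:c123,c456
do
    printf '%-50s %-8s --volume ~/.kube/:/root/.kube/:%s\n' \
        "$ctx" "$(label_verdict "$ctx")" "$(volume_opts "$ctx")"
done
```

On a real host, `volume_opts "$(path_context ~/.kube)"` gives the suffix. Note that `Z` changes the label on the host directory itself, not only inside the container.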