node-red/node-red-docker

issue with following the instructions in the README.md and using the `USER` command in the Dockerfile

cowchimp opened this issue · 4 comments

Hi.

I wanted to start using node-red with extra custom "contrib" nodes via Docker.
Initially I followed the instructions in the README for the "Host Directory As Volume" mode, but was unable to get this working.
Specifically, node-red loaded correctly but I got a runtime error when clicking "Deploy" because node-red was unable to persist to the flows.json file due to a Linux permission issue.


Eventually I was able to get this working correctly and persisting flows.json by using the docker run --user flag (see relevant Docker docs).
I thought I'd open an issue because maybe other users encountered this problem and perhaps this clarification should be a part of the README.

I'm just starting out with Docker, but here's my understanding of the problem & fix:

  • When you use the USER command in the Dockerfile (as is the case in this project) it creates a new user with a new userid and performs the remaining instructions as that user
  • If there was no prior USER command, the userid will probably be 1000 but Docker doesn't guarantee what the generated userid would be so it's discouraged to rely on this
  • The /data folder will be owned by the user with that userid
  • If you try to map the container's /data directory to a directory on the host, that external directory and its contents will probably be owned by a user with a different userid than the one used by the container
  • Only if by some chance it's the same userid (which could happen if both users are the first users created on the server and both have userid 1000) then this would work correctly.
  • In other cases where the userid does not match, a permission issue would prevent node-red from successfully persisting flows.json
  • You can fix this by using the --user flag of the docker run command (or the user property if you're using docker-compose) that lets you pass the host's userid so that the USER command will use that userid instead of creating a new one. This will make the userids match and will fix the permission issue.

Would be happy to send a PR but figured I'd first reach out to get feedback, and to have someone else verify this is not just a local issue caused by my configuration.

Thanks.
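
The UID mismatch described in the post above can be checked on the host before the container is started. The script below is an added example, not part of the original thread or of the project's code; it assumes a Linux host with GNU `stat`, and the function names and the image name are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for a host directory bind-mounted at /data.
# Assumes a Linux host with GNU stat; function names are hypothetical.
IMAGE=${IMAGE:-nodered/node-red-docker}   # assumed image name

# Print "uid gid octal-mode" for a path.
owner_info() { stat -c '%u %g %a' "$1"; }

# uid_can_write UID GID DIR: succeed if a process with that numeric UID/GID
# (no supplementary groups) may create files in DIR. The kernel compares
# numbers only; user names inside the container play no part.
uid_can_write() {
    uid=$1; gid=$2; dir=$3
    info=$(owner_info "$dir") || return 2
    set -- $info
    perm=$((0$3))                       # parse the mode as octal
    [ "$uid" -eq 0 ] && return 0        # root normally bypasses mode bits
    if   [ "$uid" -eq "$1" ]; then need=$((0300))   # owner: write+search
    elif [ "$gid" -eq "$2" ]; then need=$((0030))   # group: write+search
    else                           need=$((0003))   # everyone else
    fi
    [ $((perm & need)) -eq "$need" ]
}

# Print a docker run line that runs the container as DIR's owner, so the
# host directory does not have to be made world-writable.
run_command_for() {
    dir=$1
    info=$(owner_info "$dir") || return 2
    set -- $info
    if [ "$1" -eq 0 ]; then
        echo "refusing: $dir is owned by root; chown it to an unprivileged user" >&2
        return 1
    fi
    printf 'docker run --user %s:%s -v %s:/data %s\n' "$1" "$2" "$dir" "$IMAGE"
}

# Demo on a constructed directory standing in for the host-side volume.
demo_dir=$(mktemp -d) && chmod 755 "$demo_dir"
for pair in "54321 54321" "$(id -u) $(id -g)"; do   # 54321 is a constructed UID
    set -- $pair
    if uid_can_write "$1" "$2" "$demo_dir"; then
        echo "uid $1: can persist flows.json"
    else
        echo "uid $1: permission denied on deploy"
    fi
done
run_command_for "$demo_dir" || true
rm -rf "$demo_dir"
```

Matching the container's UID to the directory owner keeps the host directory at mode 755, whereas widening it to 777 would let any local account modify the stored flows.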

Thanks for the detailed feedback and persevering with this!
I'll have a detailed review of the above next week and get back to you.

I've managed to re-create this issue locally using the information you've left above.
If you would be happy to send a PR with the updated README that would be amazing!

Thanks for digging into this!

I'm running into this on CoreOS, and apparently either tickling a bug or exposing the limits of my understanding of that system when I try to invoke Docker with --user core.

It wasn't a bug, but I did have to change my CoreOS Dockerfile to resolve this; I'm now doing something like this:

https://github.com/syntechdev/node-red-docker/blob/v0.0.3-coreos/coreos/Dockerfile#L16

```dockerfile
RUN adduser -h /usr/src/node-red -D -H -u 500 core \
    && chown -R core:core /data \
    && chown -R core:core /usr/src/node-red
```

i.e. in the container running as the "core" user, and specifically setting the UID of that user to match the UID of the "core" user in the underlying filesystem, so that I can properly access the filesystem. (Eventually that file system will be Amazon EFS.) So far so good.