
I created a Dockerfile as follows:

FROM nvidia/cuda:10.1-cudnn7-runtime-ubuntu18.04

ENV CUDA_PATH /usr/local/cuda
ENV CUDA_INCLUDE_PATH /usr/local/cuda/include
ENV CUDA_LIBRARY_PATH /usr/local/cuda/lib64

RUN apt update -yq 

RUN apt install -yq curl wget unzip git vim cmake zlib1g-dev g++ gcc sudo build-essential libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev openssh-server

RUN adduser --disabled-password --gecos '' docker && \
    adduser docker sudo && \
    echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

RUN mkdir -p /.cache/pip
RUN mkdir -p /.local/share
RUN mkdir -p /.local/lib
RUN mkdir -p /.local/bin
RUN chown -R docker:docker /.cache/pip
RUN chown -R docker:docker /.local
RUN chown -R docker:docker /.local/lib
RUN chown -R docker:docker /.local/bin

# Configure SSHD.
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
RUN mkdir /var/run/sshd
RUN bash -c 'install -m755 <(printf "#!/bin/sh\nexit 0") /usr/sbin/policy-rc.d'
RUN ex +'%s/^#\zeListenAddress/\1/g' -scwq /etc/ssh/sshd_config
RUN ex +'%s/^#\zeHostKey .*ssh_host_.*_key/\1/g' -scwq /etc/ssh/sshd_config
RUN RUNLEVEL=1 dpkg-reconfigure openssh-server
RUN ssh-keygen -A -v
RUN update-rc.d ssh defaults
RUN ln -s /lib/x86_64-linux-gnu/libc.so.6 /lib64/libc.so.6
RUN ln -s /lib/x86_64-linux-gnu/libc.so.6 /lib/libc.so.6

# Configure sudo.
RUN ex +"%s/^%sudo.*$/%sudo ALL=(ALL:ALL) NOPASSWD:ALL/g" -scwq! /etc/sudoers

USER docker
RUN ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

WORKDIR /home/docker/

RUN chmod a+rwx /home/docker/ && \
    wget https://repo.anaconda.com/miniconda/Miniconda3-py37_4.10.3-Linux-x86_64.sh && \
    bash Miniconda3-py37_4.10.3-Linux-x86_64.sh -b && rm Miniconda3-py37_4.10.3-Linux-x86_64.sh

ENV PATH /home/docker/.local/bin:$PATH
ENV PATH /home/docker/miniconda3/bin:$PATH

ENV which python3.7

RUN mkdir -p /home/docker/.local/
RUN chown -R docker:docker /home/docker/.local/
RUN chmod -R 777 /home/docker/.local/
RUN chmod -R 777 /.local/lib
RUN chmod -R 777 /.local/bin
RUN chmod -R 777 /.cache/pip/

RUN python3.7 -m pip install pip -U
RUN python3.7 -m pip install tensorflow-gpu==2.5.0 ray[rllib] gym[atari] torch==1.7.1 torchvision==0.8.2 scikit_learn==0.23.1 sacred==0.8.1 PyYAML==5.4.1 tensorboard_logger

# ENV PYTHONPATH "${PYTHONPATH}:/home/docker/.local/lib/python3.7/site-packages/"

RUN sudo ln -s $(which python3.7) /usr/bin/python
RUN ls $(python3.7 -c "import site; print(site.getsitepackages()[0])")
RUN python3.7 -m pip list
RUN python3.7 -m pip uninstall -y enum34
USER docker
RUN mkdir -p /home/docker/app
RUN chown -R docker:docker /home/docker/app
WORKDIR /home/docker/app

Then I built the image. After that, I ran a container from it like this:

NV_GPU=1 nvidia-docker run -i \
    --name $name \
    --user docker \
    -v `pwd`:/home/docker/app \
    -t MyImage:1.0 \
    ${@:2}

I used the docker user defined in the Dockerfile and mounted the current directory into the workdir. However, the docker user has no permission to create any files:

PermissionError: [Errno 13] Permission denied

And these are the files in /home/docker/app:

docker@109c5e6b269a:~/app$ ls -l
total 64
-rw-rw-r--  1 1002 1003 11342 Oct 13 12:50 LICENSE
-rw-rw-r--  1 1002 1003  4831 Oct 14 05:49 README.md
drwxrwxr-x  3 1002 1003  4096 Oct 14 08:12 docker
-rwxrw-r--  1 1002 1003   225 Oct 14 08:36 run_train.sh
drwxrwxr-x 11 1002 1003  4096 Oct 14 03:46 src
drwxrwxr-x  4 1002 1003  4096 Oct 13 12:50 third-party

It shows that the owner and group are not docker. I tried to change the owner to docker, but that caused errors in my local file system.

How can I address this PermissionError issue?

Thank you.

  • Imagine you have two PCs. On one of them there is a user `docker`. On the other there is too. But on one `id -u docker` is 1002, and on the other it's not. – KamilCuk Oct 14 '21 at 09:12
  • File ownership of the files and dirs does not change when mapping a volume. The numerical IDs listed by `ls -l` correspond to those of the user and group owning the corresponding file or dir on your host. Check with `id`. – frippe Oct 14 '21 at 09:15
  • As an aside, `mkdir` and `chown` both accept a *list* of arguments, as do generally all file and directory utilities on Unix. You don't have to invoke them umpteen times to create or manipulate umpteen directories. – tripleee Oct 14 '21 at 09:40
  • If you delete the `docker run -v` option, Docker will use the code built into the image, and the settings and permissions in the Dockerfile will have their intended effect. I'd suggest leaving the code owned by the root user, writing the files into a dedicated data directory, and changing that directory's permission only to allow a different user. If you need to persist the data, you can set the container's user to the numeric user ID of the matching host user; `docker run -u $(id -u) -v "$PWD/data:/home/docker/app/data"`. – David Maze Oct 14 '21 at 09:46

1 Answer


You are mapping a host directory (`pwd`) into the container as a volume. The problem is that on your host that directory belongs to a user with UID 1002 (and GID 1003), while inside the container the docker user maps to a different UID (probably 1000).
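
To confirm the mismatch, compare the UID/GID owning the files on the host with those of the docker user inside the container. A quick check, assuming the container started by your run command is still running under the name in $name:

# On the host, in the mounted directory
id -u; id -g                        # should print 1002 and 1003 here

# Inside the running container
docker exec $name id docker         # typically prints uid=1000(docker) gid=1000(docker)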

One easy solution is to edit the Dockerfile to specify the UID (and GID) when creating the user, so it matches the owner of your local directory.
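
For example, a sketch of the relevant part of the Dockerfile, assuming your host files are owned by UID 1002 and GID 1003 as shown in the ls output above (HOST_UID and HOST_GID are build arguments introduced here for illustration):

ARG HOST_UID=1002
ARG HOST_GID=1003
RUN addgroup --gid $HOST_GID docker && \
    adduser --disabled-password --gecos '' --uid $HOST_UID --gid $HOST_GID docker && \
    adduser docker sudo && \
    echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

You would then build with docker build --build-arg HOST_UID=$(id -u) --build-arg HOST_GID=$(id -g) ... so the image matches whichever host you build it on.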

If you want your image to be usable by others, a better solution is to add an entrypoint script that changes the user's UID at container start time, based on an environment variable.
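
A minimal sketch of such an entrypoint, assuming the container starts as root (no USER directive at the end of the Dockerfile) and that gosu has been installed in the image; entrypoint.sh and the HOST_UID/HOST_GID variables are names chosen here for illustration:

#!/bin/sh
# entrypoint.sh: remap the docker user's UID/GID at container start,
# then drop privileges and run the requested command.
set -e

if [ -n "$HOST_UID" ]; then
    groupmod -g "${HOST_GID:-$HOST_UID}" docker
    usermod -u "$HOST_UID" docker    # usermod also re-chowns the user's files in the home directory
fi

exec gosu docker "$@"

The Dockerfile would set ENTRYPOINT ["/entrypoint.sh"], and the container would be started with something like docker run -e HOST_UID=$(id -u) -e HOST_GID=$(id -g) ... so that the in-container user matches the owner of the mounted directory.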

Carlos Marx