error "permission for /opt/config nodebb" in installing with Docker compose
-
I was going to install the nodebb with Docker, but the container log shows this error:
panic: no write permission for /opt/config nodebb
docker-compose.yaml:
```yaml
volumes:
  build_volume:
    name: build_volume
  uploads_volume:
    name: uploads_volume
  config_volume:
    name: config_volume

services:
  nodebb:
    build: .
    restart: unless-stopped
    ports:
      - 4567:4567
    volumes:
      - build_volume:/usr/src/app/build
      - uploads_volume:/usr/src/app/public/uploads
      - config_volume:/opt/config
      - ./install/docker/setup.json:/usr/src/app/setup.json
  mongo:
    image: "mongo:7-jammy"
    restart: unless-stopped
    expose:
      - "27017"
    environment:
      MONGO_INITDB_ROOT_USERNAME: nodebb
      MONGO_INITDB_ROOT_PASSWORD: pass
      MONGO_INITDB_DATABASE: nodebb
    volumes:
      - ./.docker/database/mongo/config:/etc/mongo
      - ./.docker/database/mongo/data:/data/db
      - ./install/docker/mongodb-user-init.js:/docker-entrypoint-initdb.d/user-init.js
```
-
@control1390 said in error "permission for /opt/config nodebb" in installing with Docker compose:
panic: no write permission for /opt/config nodebb
This says it all. You'll need to ensure that your nodebb user has sufficient permission to that path
-
@phenomlab said in error "permission for /opt/config nodebb" in installing with Docker compose:
@control1390 said in error "permission for /opt/config nodebb" in installing with Docker compose:
panic: no write permission for /opt/config nodebb
This says it all. You'll need to ensure that your nodebb user has sufficient permission to that path
So do you think there is a problem with Dockerfile in GitHub?
Because this is happening inside the container and the container is based on the image made from the docker file.
docker file content:
```dockerfile
# Stage 1: install production dependencies as the unprivileged node user
FROM --platform=$BUILDPLATFORM node:lts as npm

RUN mkdir -p /usr/src/build && \
    chown -R node:node /usr/src/build
WORKDIR /usr/src/build

ARG NODE_ENV
ENV NODE_ENV $NODE_ENV

COPY --chown=node:node install/package.json /usr/src/build/package.json

USER node

RUN npm install --omit=dev

# Stage 2: rebuild native modules when build and target platforms differ
FROM node:lts as rebuild

ARG BUILDPLATFORM
ARG TARGETPLATFORM

RUN mkdir -p /usr/src/build && \
    chown -R node:node /usr/src/build

COPY --from=npm /usr/src/build /usr/src/build

RUN if [ $BUILDPLATFORM != $TARGETPLATFORM ]; then \
    npm rebuild && \
    npm cache clean --force; fi

# Stage 3: runtime image, application runs as the node user
FROM node:lts-slim as run

ARG NODE_ENV
ENV NODE_ENV=$NODE_ENV \
    daemon=false \
    silent=false

RUN mkdir -p /usr/src/app && \
    chown -R node:node /usr/src/app

COPY --chown=node:node --from=rebuild /usr/src/build /usr/src/app

WORKDIR /usr/src/app

USER node

COPY --chown=node:node . /usr/src/app

EXPOSE 4567
VOLUME ["/usr/src/app/node_modules", "/usr/src/app/build", "/usr/src/app/public/uploads", "/opt/config"]
ENTRYPOINT ["./install/docker/entrypoint.sh"]
```
-
My nodebb docker installation randomly broke and the logs are showing the same error.
There is definitely something wrong with the docker image.
-
I wish I had better Docker comprehension to establish what the original author of the `Dockerfile` in the repo was trying to accomplish, with regards to all the `USER node`s and `chmod`s. Don't Docker services normally just run as the `root` user inside the container?
In any event, if you remove all the `chown -R node:node`s, `--chown=node:node`s, and `USER node`s from the `Dockerfile`, then `docker-compose build`, then `docker-compose up`, you might have yourself a workaround. That's what I did. Granted, I'm not running a Docker image in production, just trying NodeBB out for the first time. A bad time to run into a problem like this, to be honest—fortunately I'm stubborn/persistent. :)
If you need more of a nudge than the above, I'd encourage you to wait until someone with more experience weighs in on the discussion here, in the PR that originated these changes to the `Dockerfile`.
-
@ernstki It’s best practice to drop down to a non root user for docker images for security purposes.
I could submit a PR but what bothers me most is breaking changes that don’t get resolved for months.
I like nodebb but I am afraid to run it in production for a community due to breaking changes like this that go unnoticed / ignored.
-
@douglasparker said in error "permission for /opt/config nodebb" in installing with Docker compose:
@ernstki It’s best practice to drop down to a non root user for docker images for security purposes.
Agreed, in any other context. My Docker daemon is already running non-root, which I thought was the actual best practice.
I get that container security is complex, and the topic of countless blog posts and conference talks, but the fact remains I've not (yet!) seen many other examples of popular containerized software in the wild doing this in their Dockerfiles, and that incongruity is what made me wonder.
-
You can see how it works in Podman (lightweight alternative to Docker).
Nobbic (NodeBB In a Container) GitHub repository:
`chown -R node:node` search returns 3 files:
https://github.com/search?q=repo%3Aahwayakchih%2Fnobbic+"node%3Anode"&type=code
and one file for `USER node` search:
https://github.com/search?q=repo%3Aahwayakchih%2Fnobbic+"USER+node"&type=code
-
@nhl-pl At first I didn't know what I was looking at, and just thought, well, that's what the `Dockerfile` in the NodeBB repo already does, so why is this interesting?
But they're similar enough that maybe there was some cross-pollination of the NodeBB Dockerfile with the setup scripts for the Podman rendition, from the nobbic repo. Things were copy-pasted because they worked, not because they were needed. That's relatable though.
The nobbic maintainers helpfully commented the script(s), which is really the only way to let other people inside your head about decisions like this. The why of it is probably still not clear to me just due to my relative inexperience with running production web applications in containers.
-
You have answered your own question. Reason for making it like this is to secure Node.js from abuse. You can find more by reading about Node.js disadvantages and maybe a little about Deno (runtime environment for JavaScript and TypeScript).
-
@nhl-pl OK, thanks.
-
@nhl-pl Since the `Dockerfile` in the NodeBB is currently misbehaving as stated above, or at the very least the documentation is lacking in that it doesn't tell you you must create a local `node` user*, do you have a recommendation of how to move forward?
* …at least I think that's the problem/solution
-
You can experiment with some other guides and projects.
As you have probably seen before:
One more option is to make your own modified `Dockerfile`. For example Nobbic works on Alpine Linux based Docker images and most of the NodeBB guides are Ubuntu/Debian based. So first thing is to check the host machine/hosting provider and what is going on when you execute `Dockerfile`. Including Docker version which was mentioned many times on this forum.
-