colima icon indicating copy to clipboard operation
colima copied to clipboard

Published 20 hours ago verified publisher icon abiosoft

Volume mount issue (permission denied)

Open zaremba-tomasz opened this issue 3 years ago • 2 comments

Description

Hi,

we're now running a POC of Docker for Desktop replacement and we've reached a problem while using nodemon with Colima. Volume mount that is used to hot-swap the code within the container something that is working with original Docker is not working in Colima (sample code for reproduction attached).

From what I've seen mounted files have different users and group assigned in the container's filesystem:

Docker:

ls -la /app/backend

backend  | drwxr-xr-x    8 node     node           256 Jul  8 05:48 .
backend  | drwxr-xr-x    1 root     root          4096 Jul  7 07:58 ..
backend  | -rw-r--r--    1 node     node          6148 Jul  8 05:48 .DS_Store
backend  | -rw-r--r--    1 node     node            31 Jul  7 07:43 .nodemonrc
backend  | -rw-r--r--    1 node     node           532 Jul  7 13:19 index.js
backend  | drwxr-xr-x    3 node     node            96 Jul  7 13:26 lib
backend  | -rw-r--r--    1 node     node         54680 Jul  7 13:25 package-lock.json
backend  | -rw-r--r--    1 node     node           266 Jul  8 06:13 package.json

Colima:

ls -la /app/backend

backend  | drwxr-xr-x    9 501      dialout        288 Jul  8 06:14 .
backend  | drwxr-xr-x    1 root     root          4096 Jul  8 06:18 ..
backend  | -rw-r--r--    1 501      dialout       6148 Jul  8 05:48 .DS_Store
backend  | -rw-r--r--    1 501      dialout         31 Jul  7 07:43 .nodemonrc
backend  | -rw-r--r--    1 501      dialout        532 Jul  7 13:19 index.js
backend  | drwxr-xr-x    3 501      dialout         96 Jul  7 13:26 lib
backend  | drwxr-xr-x   78 501      dialout       2496 Jul  8 06:14 node_modules
backend  | -rw-r--r--    1 501      dialout      54680 Jul  8 06:14 package-lock.json
backend  | -rw-r--r--    1 501      dialout        266 Jul  8 06:13 package.json

Is this something that is a problem with our configuration or with the tool itself?

Regards, Tomasz.

Version

Colima Version: 0.4.4 (git commit: 8bb1101a861a8b6d2ef6e16aca97a835f65c4f8f) Lima Version: 0.11.1 Qemu Version: 7.0.0

Operating System

  • [ ] macOS Intel
  • [X] macOS M1
  • [ ] Linux

Reproduction Steps

  1. Please unzip the attached source code
  2. colima start --mount-type 9p
  3. docker-compose up --build

Expected behaviour

Instead of ending up with EACCESS it should work as with Docker for Desktop.

Additional context

ZIP with source code for issue reproduction (docker-compose.yml + Dockerfile + Fastify-based hello-world application using nodemon): colima-issue-reproduction.zip

zaremba-tomasz avatar Jul 08 '22 06:07 zaremba-tomasz

Thanks for giving Colima a try.

File permissions are more strict with 9p protocol and it gets tricker when the container user is a non-root user.

It might be easier in your case as I can see in the docker compose file you are specifying the user/group. Specifying your host's uid and gid should fix the issue for you.

version: '3.9'
services:
  backend:
    container_name: backend
    build:
      context: ./
      dockerfile: Backend.dockerfile
      target: source
    ports:
      - "3000:3000"
    volumes:
      - ./pkg-svcs/backend:/app/backend
    command: "npm run start:container"
-   user: "1000:1000"
+   user: "501:20"

abiosoft avatar Jul 14 '22 09:07 abiosoft

After trying out the provided zip file, I realised the official node image is quite strict and does not permit running with any user other than the node user with uid 1000.

You can either use sshfs or extend the docker image to run as root user.

abiosoft avatar Jul 14 '22 13:07 abiosoft

Just wanted to add my discoveries here too @abiosoft I'm having a similar problem here using QEMU and SSHFS, except the mounted files have permissions 503:dialout instead.

We have a container we use in order to ensure a consistent environment, from which we run various tooling. We mount the current working directory when running the container:

docker run -it --rm --volume "$PWD":/mountpoint --workdir /mountpoint <container name> /bin/bash

The permissions look like this when running:

$ ls -al | grep mountpoint
drwxr-xr-x   1  503 dialout ? 1216 Jan 13 09:14 mountpoint

As the PWD we are mounting contains a Git repository, we also see this error:

$ git status
fatal: detected dubious ownership in repository at '/mountpoint'
To add an exception for this directory, call:

	git config --global --add safe.directory /mountpoint

If I run this same container under macOS Virtualisation Framework and virtiofs then everything seems to be ok, and the permissions look like this instead:

$ ls -al | grep mountpoint
drwxr-xr-x  40 root root 1280 Jan 16 17:35 mountpoint

And Git works normally:

$ git status
Refresh index: 100% (5191/5191), done.
On branch main
Your branch is up to date with 'origin/main'.

nothing to commit, working tree clean

I'm happy to recommend everyone switch to macOS Virtualisation Framework, but unfortunately not everyone in my team is able to upgrade to Ventura right away, so I'm raising in the hopes that there is a known workaround :)

Thanks!

Rylon avatar Jan 16 '23 17:01 Rylon

I am using viritiofs with the macos virtualisation framework and evne there I sometimes get the fatal: detected dubious ownership in repository at error using git. However, not always .Most times it works fine but sometimes it occurs there as well, which can be a bit annoying. Rerunning the same command often works. Though not sure if it is indeed a colima issue or more how the git check works, e.g. as the user ids are different between macos/colima vm and docker container. Tried this in combination with --mount-inotify, maybe that also has an impact, but not sure. from what I can see in various vscode issues, this might not be a colima issue but more a general issue due to the git change.

AndreasA avatar May 26 '23 09:05 AndreasA