docker-registry
Running registry as non-root user fails.
I am trying to get the containerized docker-registry to run as a non-root user. It runs perfectly fine as root, however I would prefer to have it run under a non-root UID. I think the problem is that the process is trying to create a file under /docker-registry. Is there any way to force the files inside the container to be owned by a non-root user, or to get the locks created elsewhere?
Versions:
[root@talabosoreg01 containers]# docker version
Client version: 1.3.2
Client API version: 1.15
Go version (client): go1.3.3
Git commit (client): 39fa2fa/1.3.2
OS/Arch (client): linux/amd64
Server version: 1.3.2
Server API version: 1.15
Go version (server): go1.3.3
Git commit (server): 39fa2fa/1.3.2
[root@talabosoreg01 containers]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
registry latest 6bf57ff4720d 6 days ago 418.6 MB
Path referenced below is properly owned by non-root user id:
[root@talabosoreg01 storage]# ls -lath
total 0
drwxr-x---. 2 10001 10001 6 Jan 28 19:52 .
drwxr-xr-x. 3 10001 10001 20 Jan 28 19:52 ..
Failed Run:
[root@talabosoreg01 containers]# docker run \
> --name private_registry \
> -e SETTINGS_FLAVOUR=local \
> -e STORAGE_PATH=/registry-storage -e GUNICORN_OPTS=[--preload] \
> -v /data/docker/private-registry/storage:/registry-storage \
> -p 5000:5000 \
> -u 1001 \
> registry
29/Jan/2015:02:25:45 +0000 WARNING: Cache storage disabled!
29/Jan/2015:02:25:45 +0000 WARNING: LRU cache disabled!
29/Jan/2015:02:25:45 +0000 DEBUG: Will return docker-registry.drivers.file.Storage
Traceback (most recent call last):
  File "/usr/local/bin/gunicorn", line 11, in <module>
    sys.exit(run())
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/app/wsgiapp.py", line 74, in run
    WSGIApplication("%(prog)s [OPTIONS] [APP_MODULE]").run()
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/app/base.py", line 185, in run
    super(Application, self).run()
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/app/base.py", line 71, in run
    Arbiter(self).run()
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/arbiter.py", line 57, in __init__
    self.setup(app)
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/arbiter.py", line 113, in setup
    self.app.wsgi()
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/app/base.py", line 66, in wsgi
    self.callable = self.load()
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/app/wsgiapp.py", line 65, in load
    return self.load_wsgiapp()
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/app/wsgiapp.py", line 52, in load_wsgiapp
    return util.import_app(self.app_uri)
  File "/usr/local/lib/python2.7/dist-packages/gunicorn/util.py", line 356, in import_app
    __import__(module)
  File "/usr/local/lib/python2.7/dist-packages/docker_registry/wsgi.py", line 27, in <module>
    from .search import * # noqa
  File "/usr/local/lib/python2.7/dist-packages/docker_registry/search.py", line 14, in <module>
    INDEX = index.load(cfg.search_backend.lower())
  File "/usr/local/lib/python2.7/dist-packages/docker_registry/lib/index/__init__.py", line 82, in load
    return db.SQLAlchemyIndex()
  File "/usr/local/lib/python2.7/dist-packages/docker_registry/lib/index/db.py", line 86, in __init__
    self._setup_database()
  File "/usr/local/lib/python2.7/dist-packages/docker_registry/toolkit.py", line 325, in wrapper
    lock_file = open(lock_path, 'w')
IOError: [Errno 13] Permission denied: './registry._setup_database.lock'
Here are the files inside /docker-registry in the container after running as root.
[root@talabosoreg01 storage]# docker exec private_registry ls -lath /docker-registry
total 152K
drwxr-xr-x. 23 root root 4.0K Jan 29 02:30 ..
drwxr-xr-x. 10 root root 4.0K Jan 22 17:47 .
drwxr-xr-x. 8 root root 4.0K Jan 22 17:47 .git
drwxr-xr-x. 2 root root 4.0K Jan 22 07:47 config
drwxr-xr-x. 4 root root 4.0K Jan 22 07:47 contrib
drwxr-xr-x. 8 root root 4.0K Jan 22 07:47 docker_registry
drwxr-xr-x. 2 root root 4.0K Jan 22 07:47 requirements
drwxr-xr-x. 2 root root 4.0K Jan 22 07:47 scripts
drwxr-xr-x. 5 root root 4.0K Jan 22 07:47 tests
-rw-r--r--. 1 root root 13K Jan 6 06:15 README.md
-rw-r--r--. 1 root root 1.4K Jan 5 23:48 tox.ini
-rw-r--r--. 1 root root 2.7K Jan 5 20:25 CHANGELOG.md
-rw-r--r--. 1 root root 96 Jan 5 20:07 circle.yml
drwxr-xr-x. 3 root root 4.0K Dec 31 22:23 depends
-rw-r--r--. 1 root root 3.4K Dec 27 20:39 setup.py
-rw-r--r--. 1 root root 676 Dec 15 07:18 DRIVERS.md
-rw-r--r--. 1 root root 1.1K Dec 12 21:53 Dockerfile
-rw-r--r--. 1 root root 12K Dec 10 18:09 LICENSE
-rw-r--r--. 1 root root 900 Dec 4 21:11 .travis.yml
-rw-r--r--. 1 root root 4.0K Dec 2 21:36 AUTHORS
-rw-r--r--. 1 root root 1.5K Nov 19 18:49 DEBUGGING.md
-rw-r--r--. 1 root root 1.1K Nov 19 18:49 FAQ.md
-rw-r--r--. 1 root root 8.5K Nov 18 13:32 ADVANCED.md
-rw-r--r--. 1 root root 909 Oct 31 18:57 .mailmap
-rw-r--r--. 1 root root 73 Oct 31 18:39 .update-copyright.conf
-rw-r--r--. 1 root root 3.5K Oct 10 19:06 CONTRIBUTING.md
-rw-r--r--. 1 root root 236 Aug 20 23:33 .gitignore
-rw-r--r--. 1 root root 452 Aug 7 13:46 setup.cfg
-rw-r--r--. 1 root root 56 Jul 8 2014 .coveragerc
-rw-r--r--. 1 root root 125 May 30 2014 MANIFEST.in
-rw-r--r--. 1 root root 293 May 13 2014 .editorconfig
So, the lock file issue needs to change path.
You can try to get past it by disabling search.
This error hits me too; it's a rather critical issue for me. Would saving the lock-file in /tmp be a possible fix for this?
Have you made any progress?
Until we get search for registry v2.0, we got around this by extending the image (magic sauce is the WORKDIR):
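FROM registry:0.9.1
# https://github.com/docker/docker-registry/issues/892
ENV GUNICORN_OPTS ["--preload"]
# Create an unprivileged user and group and give them ownership of the application directory
RUN adduser --system registry \
    && addgroup registry \
    && chown -R registry:registry /docker-registry
USER registry
# https://github.com/docker/docker-registry/issues/915
# With this working directory, the relative path ./registry._setup_database.lock resolves inside the chown'd directory
WORKDIR /docker-registry
CMD ["docker-registry"]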
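The traceback in this thread fails on a lock file opened relative to the working directory, and one comment asks whether it could live in /tmp. The following is an added example, not docker-registry's own code, of a lock decorator that picks a directory the current UID can write to and refuses a symlink at the lock path, which matters once the lock moves to a shared directory. The names `pick_lock_dir`, `exclusive` and the `EXAMPLE_LOCK_DIR` variable are hypothetical.

```python
import errno
import fcntl
import functools
import os
import tempfile


def pick_lock_dir(candidates):
    """Return the first existing directory the current UID can write to."""
    for path in candidates:
        if os.path.isdir(path) and os.access(path, os.W_OK | os.X_OK):
            return path
    raise OSError(errno.EACCES, "no writable lock directory", ", ".join(candidates))


def exclusive(lock_name, lock_dirs=None):
    """Run the wrapped function while holding an exclusive file lock."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            # EXAMPLE_LOCK_DIR is a hypothetical override; the fallback is the temp dir.
            dirs = lock_dirs or [os.environ.get("EXAMPLE_LOCK_DIR", ""),
                                 tempfile.gettempdir()]
            lock_path = os.path.join(pick_lock_dir(dirs), lock_name)
            # O_NOFOLLOW: fail instead of following a symlink planted at lock_path.
            # Mode 0600: other UIDs cannot open or truncate the lock file.
            fd = os.open(lock_path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
            try:
                fcntl.flock(fd, fcntl.LOCK_EX)
                return func(*args, **kwargs)
            finally:
                fcntl.flock(fd, fcntl.LOCK_UN)
                os.close(fd)
        return wrapper
    return decorator


if __name__ == "__main__":
    @exclusive("registry._setup_database.lock")
    def setup_database():  # stand-in for the guarded one-time setup step
        return "schema ready"

    print(setup_database())
```
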