Error: error resolving dockerfile path: copying dockerfile: creating file: open /kaniko/Dockerfile: permission denied #1363
Comments
yashcodecollab
changed the title
|
@yashcodecollab please specify Does that make sense? |
|
Edit: Moved my bug to #1381. I suspect the problem for @yashcodecollab is that the |
|
I got this exact same error
The problem in my case was I am trying to run the kaniko container under non-root user. After changing back to root, it run fine. |
|
@adhikasp Kaniko is supposed to work with non-root user. |
|
Internally, Kaniko copies the given Dockerfile to So either the container in question was faulty and |
|
I am suffering from this problem as well. The only user/UID than can write in And this folder is a constant (If I read the code correctly:): https://github.com/GoogleContainerTools/kaniko/blob/main/pkg/constants/constants.go#L31 |
|
Hi I am still running into the same issue. Is there a resolution for this, running the kaniko container under non-root user. opts.DockerfilePath = constants.DockerfilePath |
|
Basically, kaniko expects to run as root inside the container. There are a bunch of things that don't work as expected if that's not satisfied, including apparently this. |
|
So what exactly is supposed to be the solution to this problem? As far as my understanding goes, kaniko was supposed to work without root privileges. I believe making the constant mentioned by @lvarin configurable would solve the issue, as users then could configure their own paths which ARE writable by non-root users. |
The solution to the problem is for someone to investigate this issue and fix it. It could even be you! 😄 This has also been requested in #1945, and as far as I know it should be possible. My main concern would be testing this path well end-to-end, since I wouldn't be surprised if there are lots of corners of the code that subtly assume |
|
I don't think #1945 solves this issue, because even if you can move the KanikoDir, it'll still be owned by root in the published container image, per https://github.com/GoogleContainerTools/kaniko/blob/main/deploy/Dockerfile. Although the README says that Kaniko (the binary) can run as a non-root user if you don't need it to do 'root-only' things, the same document strongly recommends to use Kaniko via the published container image, which does require running kaniko as root just to process the Dockerfile. A solution for this ticket might be to simply change the Dockerfiles so that /kaniko is writable by all users. |
That seems like an easy and worthwhile change. If someone sends me a PR I'll approve it 👍 |
Create /kaniko directory with world permission to allow the creation of sub directories by any user when the executor is run as non root. This can lower the security but shouldn't have any impact in a container. The tar unpack is the only way I found to have a directory with specific permission as the image is created from "scratch" which doesn't have any tool to change the permission otherwise. Fixes GoogleContainerTools#1363
Create /kaniko directory with world permission to allow the creation of sub directories by any user when the executor is run as non root. This can lower the security but shouldn't have any impact in a container. The tar unpack is the only way I found to have a directory with specific permission as the image is created from "scratch" which doesn't have any tool to change the permission otherwise. Fixes GoogleContainerTools#1363
|
Still have the same issue |
* Fix the /kaniko directory permissions in container Create /kaniko directory with world permission to allow the creation of sub directories by any user when the executor is run as non root. This can lower the security but shouldn't have any impact in a container. The tar unpack is the only way I found to have a directory with specific permission as the image is created from "scratch" which doesn't have any tool to change the permission otherwise. Fixes #1363 * Avoid blackbox tar file creation Use the Makefile to create the tar file use to create kaniko directory in scratch container. This avoid having a "blackbox" binary file with the empty directory.
Hi I am still running into the same issue. Is there a resolution for this @tejal29
Error: error resolving dockerfile path: copying dockerfile: creating file: open /kaniko/Dockerfile: permission denied
The text was updated successfully, but these errors were encountered: