NB_USER does not have permissions to mounted directory
392781 opened this issue · comments
What docker image(s) are you using?
r-notebook
Host OS system
AlmaLinux 9.3
Host architecture
x86_64
What Docker command are you running?
I am using VS Code devcontainers to build/launch the container:
podman run --sig-proxy=false -a STDOUT -a STDERR --mount source=/home/ronaldas/test-container,target=/home/jovyan/work,type=bind,z --mount type=volume,src=vscode,dst=/vscode -l devcontainer.local_folder=/home/ronaldas/test-container -l devcontainer.config_file=/home/ronaldas/test-container/.devcontainer/devcontainer.json --entrypoint /bin/sh vsc-test-container-bc7457f93a43ce2cbef1ed1d19744dfca76e614fb93113d79e027bf157c0f35e -c echo Container started
How to Reproduce the problem?
Dockerfile:
FROM docker.io/jupyter/r-notebook:r-4.3.1
devcontainer.json:
{
  "name": "test",
  "build": {
    "dockerfile": "Dockerfile"
  },
  "workspaceMount": "source=${localWorkspaceFolder},target=/home/jovyan/work,type=bind,z",
  "workspaceFolder": "/home/jovyan/work",
}
- Run run command (or launch via VS Code devcontainers)
- ls -la in /home/jovyan/work/ shows that all the elements of the mounted workspace are owned by root and not jovyan.
Command output
jovyan > ls -la
total 12
drwxrwxr-x. 3 root root 85 Feb 8 04:36 ./
drwsrws---. 1 jovyan users 58 Feb 8 17:45 ../
drwxrwxr-x. 2 root root 49 Jan 30 04:40 .devcontainer/
-rw-rw-r--. 1 root root 197 Feb 8 01:22 test.py
-rw-r--r--. 1 root root 9 Feb 8 04:36 test.txt
jovyan > ls -la ../
drwsrws---. 1 jovyan users 58 Feb 8 17:45 .
drwxr-xr-x. 1 root root 20 Oct 20 01:46 ..
-rw-rw-r--. 1 jovyan users 220 Jan 6 2022 .bash_logout
-rw-rw-r--. 1 jovyan users 3823 Oct 20 01:46 .bashrc
drwsrwsr-x. 1 jovyan users 30 Oct 20 01:50 .conda
-rw-r--r--. 1 jovyan users 290 Feb 8 17:45 .gitconfig
drwsrws---. 2 jovyan users 38 Oct 20 01:50 .jupyter
drwsrwsr-x. 3 jovyan users 19 Oct 20 01:50 .npm
-rw-rw-r--. 1 jovyan users 807 Jan 6 2022 .profile
drwxr-sr-x. 2 jovyan users 25 Feb 8 17:45 .ssh
drwxr-sr-x. 5 jovyan users 47 Feb 8 17:45 .vscode-server
-rw-rw-r--. 1 jovyan users 171 Oct 20 01:46 .wget-hsts
drwxrwxr-x. 3 root root 85 Feb 8 04:36 work
Note that test.py and test.txt were created outside the container. Creating files inside ~/work is not possible since it is owned by root.
Expected behavior
jovyan should have ownership of mounted directory.
Actual behavior
root has ownership of mounted directory.
Anything else?
No response
Latest Docker version
- I've updated my Docker version to the latest available, and the issue persists
Could you please reproduce your problem using a simple docker run command?
Also, we have a nice guide to resolve issues when mounting volumes, please, take a look.
https://jupyter-docker-stacks.readthedocs.io/en/latest/using/troubleshooting.html#permission-denied-when-mounting-volumes
Running as root with CHOWN_HOME makes it so that conda/pip/install.packages() have broken permissions and no access to /opt/conda and its subdirectories.
@392781 Why not use my Data Science Dev Containers?
> @392781 Why not use my Data Science Dev Containers?
Because we're using jupyter stacks...?
> Running as root with CHOWN_HOME makes it so that conda/pip/install.packages() have broken permissions and no access to /opt/conda and its subdirectories.
You also need to run with `-e CHOWN_HOME_OPTS='-R'`, so the chown is recursive for the home folder.
Any chance you could make your example more reproducible? I don't use VS Code devcontainers and I would really like some simple docker run command which I can run on my machine and reproduce.
> Could you please reproduce your problem using a simple docker run command?
Here's the simplified command which also does not work:
podman run --mount source=/home/ronaldas/test-container,target=/home/jovyan/work,type=bind,z docker.io/jupyter/r-notebook:r-4.3.1
> > Running as root with CHOWN_HOME makes it so that conda/pip/install.packages() have broken permissions and no access to /opt/conda and its subdirectories.
> You also need to run with `-e CHOWN_HOME_OPTS='-R'`, so the chown is recursive for the home folder.
> Any chance you could make your example more reproducible? I don't use VS Code devcontainers and I would really like some simple docker run command which I can run on my machine and reproduce.
Is CHOWN_HOME/CHOWN_HOME_OPTS necessary depending on system? Jupyter Stacks docs make it seem that running as root is not necessary for the images to have the correct permissions... I'll give this another shot, I've been at this for over a week now trying to fix the permission issues on the system we are working on.
@mathbunnyru So CHOWN_HOME{_OPTS} finally worked! Thank you for that, it's strange because it hasn't worked in the past (maybe I had some other config issue though).
However, I am still running into permission issues when it comes to conda/pip/install.packages... I do not have access to /home/jovyan/.cache/pip for instance. I also get warnings about installing additional packages as root...
As far as I remember you can manually chown your host dir /home/ronaldas/test-container to have permissions 1000:100 (this is the default for our images) and then mount the volume.
This way files will have correct permissions inside the container.
> > @392781 Why not use my Data Science Dev Containers?
> Because we're using jupyter stacks...?
@392781 Your choice. Nonetheless, you should check them out. See also
@392781 Regarding the Data Science Dev Containers:
Similar project
What makes this project different:
- Multi-arch: linux/amd64, linux/arm64/v8
  ℹ️ Runs on Apple M series using Docker Desktop.
- Base image: Debian instead of Ubuntu
  ℹ️ CUDA-enabled images are Ubuntu-based.
- IDE: JupyterLab next to VS Code
- Just Python – no Conda / Mamba
CUDA-enabled images:
- Derived from nvidia/cuda:11.8.0-cudnn8-runtime-ubuntu22.04
- TensorRT and TensorRT plugin libraries
P.S.: Use quay.io/jupyter/r-notebook instead of docker.io/jupyter/r-notebook.
@mathbunnyru This seems to fix all permission issues. The only thing is, only the 1st two of the uidmap and gidmap commands are necessary for podman to work fine with permissions.
I should mention that the documentation that is listed there is not very clear about the uidmap and gidmap commands or why it is necessary to use them 3 times. I understand mapping uid 1000:0 and gid 100:0 but I do not understand mapping 0:1 1000 times for uid and 100 for gid?
I think this answers my question: https://stackoverflow.com/a/70774211
Thank you for your help everyone!
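
Added example (not part of the original thread, and not code from Jupyter Docker Stacks or Podman): a small Python resolver for the --uidmap/--gidmap triples discussed in the last comments, showing why the bind mount appears as root under the default rootless mapping and as jovyan (1000:100) with the first two mappings. The host UID 1000, the subordinate range start 100000 and the range size 65536 are constructed values.

```python
# Added example: resolve IDs through rootless podman --uidmap/--gidmap entries.
# Entry format: container_start:intermediate_start:count. In rootless podman the
# intermediate namespace has ID 0 = the invoking host user and IDs 1..n = that
# user's subordinate ID range from /etc/subuid or /etc/subgid.

def parse(entries):
    """Turn 'c:i:n' strings into (container_start, intermediate_start, count)."""
    maps = []
    for entry in entries:
        c, i, n = (int(part) for part in entry.split(":"))
        if n < 1:
            raise ValueError(f"bad count in {entry!r}")
        maps.append((c, i, n))
    return maps

def to_intermediate(container_id, entries):
    """Container ID -> intermediate ID, or None if the ID is unmapped."""
    for c, i, n in parse(entries):
        if c <= container_id < c + n:
            return i + (container_id - c)
    return None

def to_container(intermediate_id, entries):
    """Intermediate ID -> container ID, or None if nothing maps onto it."""
    for c, i, n in parse(entries):
        if i <= intermediate_id < i + n:
            return c + (intermediate_id - i)
    return None

def to_host(intermediate_id, host_id, sub_start):
    """Intermediate ID -> real host ID (host_id and sub_start are constructed)."""
    return host_id if intermediate_id == 0 else sub_start + intermediate_id - 1

# Default rootless mapping in the same notation (range size 65536 is assumed).
DEFAULT = ["0:0:1", "1:1:65536"]
# The two mappings discussed in the thread: jovyan is 1000:100 in the image.
UID_FIX = ["1000:0:1", "0:1:1000"]
GID_FIX = ["100:0:1", "0:1:100"]

if __name__ == "__main__":
    # A bind-mounted host directory is owned by the invoking user: intermediate 0.
    print("default owner uid in container:", to_container(0, DEFAULT))
    print("mapped owner uid in container: ", to_container(0, UID_FIX))
    print("mapped owner gid in container: ", to_container(0, GID_FIX))
    # Container root (uid 0) now lands on the first subordinate UID.
    print("container root on host:", to_host(to_intermediate(0, UID_FIX), 1000, 100000))
    # With only these two entries, container IDs above 1000 are unmapped.
    print("container uid 1001:", to_intermediate(1001, UID_FIX))
```

The `0:1:1000` entry is what keeps container IDs 0 through 999 (including root) valid once intermediate ID 0 has been handed to jovyan; it shifts them onto the subordinate range.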