jupyter / docker-stacks

Ready-to-run Docker images containing Jupyter applications

Home Page: https://jupyter-docker-stacks.readthedocs.io

NB_USER does not have permissions to mounted directory

392781 opened this issue · comments

What docker image(s) are you using?

r-notebook

Host OS system

AlmaLinux 9.3

Host architecture

x86_64

What Docker command are you running?

I am using VS Code devcontainers to build/launch the container:

podman run --sig-proxy=false -a STDOUT -a STDERR --mount source=/home/ronaldas/test-container,target=/home/jovyan/work,type=bind,z --mount type=volume,src=vscode,dst=/vscode -l devcontainer.local_folder=/home/ronaldas/test-container -l devcontainer.config_file=/home/ronaldas/test-container/.devcontainer/devcontainer.json --entrypoint /bin/sh vsc-test-container-bc7457f93a43ce2cbef1ed1d19744dfca76e614fb93113d79e027bf157c0f35e -c echo Container started

How to Reproduce the problem?

Dockerfile:

FROM docker.io/jupyter/r-notebook:r-4.3.1

devcontainer.json:

{
    "name": "test",
    "build": {
        "dockerfile": "Dockerfile"
    },

    "workspaceMount": "source=${localWorkspaceFolder},target=/home/jovyan/work,type=bind,z",
    "workspaceFolder": "/home/jovyan/work",
}

  1. Run the run command (or launch via VS Code devcontainers)
  2. ls -la in /home/jovyan/work/ shows that all the elements of the mounted workspace are owned by root and not jovyan.

Command output

jovyan > ls -la
total 12
drwxrwxr-x. 3 root   root    85 Feb  8 04:36 ./
drwsrws---. 1 jovyan users   58 Feb  8 17:45 ../
drwxrwxr-x. 2 root   root    49 Jan 30 04:40 .devcontainer/
-rw-rw-r--. 1 root   root   197 Feb  8 01:22 test.py
-rw-r--r--. 1 root   root     9 Feb  8 04:36 test.txt
jovyan > ls -la ../
drwsrws---. 1 jovyan users   58 Feb  8 17:45 .
drwxr-xr-x. 1 root   root    20 Oct 20 01:46 ..
-rw-rw-r--. 1 jovyan users  220 Jan  6  2022 .bash_logout
-rw-rw-r--. 1 jovyan users 3823 Oct 20 01:46 .bashrc
drwsrwsr-x. 1 jovyan users   30 Oct 20 01:50 .conda
-rw-r--r--. 1 jovyan users  290 Feb  8 17:45 .gitconfig
drwsrws---. 2 jovyan users   38 Oct 20 01:50 .jupyter
drwsrwsr-x. 3 jovyan users   19 Oct 20 01:50 .npm
-rw-rw-r--. 1 jovyan users  807 Jan  6  2022 .profile
drwxr-sr-x. 2 jovyan users   25 Feb  8 17:45 .ssh
drwxr-sr-x. 5 jovyan users   47 Feb  8 17:45 .vscode-server
-rw-rw-r--. 1 jovyan users  171 Oct 20 01:46 .wget-hsts
drwxrwxr-x. 3 root   root    85 Feb  8 04:36 work

Note that test.py and test.txt were created outside the container. Creating files inside ~/work is not possible since it is owned by root.

Expected behavior

jovyan should have ownership of mounted directory.

Actual behavior

root has ownership of mounted directory.

Anything else?

No response

Latest Docker version

  • I've updated my Docker version to the latest available, and the issue persists

Could you please reproduce your problem using a simple docker run command?

Also, we have a nice guide to resolve issues when mounting volumes, please take a look.
https://jupyter-docker-stacks.readthedocs.io/en/latest/using/troubleshooting.html#permission-denied-when-mounting-volumes

Running as root with CHOWN_HOME makes it so that conda/pip/install.packages() have broken permissions and no access to /opt/conda and its subdirectories.

@392781 Why not use my Data Science Dev Containers?

Because we're using jupyter stacks...?

Running as root with CHOWN_HOME makes it so that conda/pip/install.packages() have broken permissions and no access to /opt/conda and its subdirectories.

You also need to run with `-e CHOWN_HOME_OPTS='-R'`, so the chown is recursive for the home folder.

Any chance you could make your example more reproducible? I don't use VS Code devcontainers and I would really like some simple docker run command which I can run on my machine and reproduce.

Could you please reproduce your problem using a simple docker run command?

Here's the simplified command which also does not work:

podman run --mount source=/home/ronaldas/test-container,target=/home/jovyan/work,type=bind,z docker.io/jupyter/r-notebook:r-4.3.1

Running as root with CHOWN_HOME makes it so that conda/pip/install.packages() have broken permissions and no access to /opt/conda and its subdirectories.

You also need to run with `-e CHOWN_HOME_OPTS='-R'`, so the chown is recursive for the home folder.

Any chance you could make your example more reproducible? I don't use VS Code devcontainers and I would really like some simple docker run command which I can run on my machine and reproduce.

Is CHOWN_HOME/CHOWN_HOME_OPTS necessary depending on system? Jupyter Stacks docs make it seem that running as root is not necessary for the images to have the correct permissions... I'll give this another shot, I've been at this for over a week now trying to fix the permission issues on the system we are working on.

@mathbunnyru So CHOWN_HOME{_OPTS} finally worked! Thank you for that, it's strange because it hasn't worked in the past (maybe I had some other config issue though).

However, I am still running into permission issues when it comes to conda/pip/install.packages... I do not have access to /home/jovyan/.cache/pip for instance. I also get warnings about installing additional packages as root...

As far as I remember you can manually chown your host dir /home/ronaldas/test-container to have permissions 1000:100 (this is the default for our images) and then mount the volume.
This way files will have correct permissions inside the container.

@392781 Why not use my Data Science Dev Containers?

Because we're using jupyter stacks...?

@392781 Your choice. Nonetheless, you should check them out. See also

  1. b-data/data-science-devcontainers#1
  2. b-data/data-science-devcontainers#2
  3. b-data/data-science-devcontainers#3

@392781 Regarding the Data Science Dev Containers:

Similar project

What makes this project different:

  1. Multi-arch: linux/amd64, linux/arm64/v8
    ℹ️ Runs on Apple M series using Docker Desktop.
  2. Base image: Debian instead of Ubuntu
    ℹ️ CUDA-enabled images are Ubuntu-based.
  3. IDE: JupyterLab next to VS Code
  4. Just Python – no Conda / Mamba

CUDA-enabled images:

  1. Derived from nvidia/cuda:11.8.0-cudnn8-runtime-ubuntu22.04
  2. TensorRT and TensorRT plugin libraries

Data Science Dev Containers > Similar projects

P.S.: Use quay.io/jupyter/r-notebook instead of docker.io/jupyter/r-notebook.

@mathbunnyru This seems to fix all permission issues. The only thing is, only the 1st two of the uidmap and gidmap commands are necessary for podman to work fine with permissions.

I should mention that the documentation that is listed there is not very clear about the uidmap and gidmap commands or why it is necessary to use them 3 times. I understand mapping uid 1000:0 and gid 100:0 but I do not understand mapping 0:1 1000 times for uid and 100 for gid?

I think this answers my question: https://stackoverflow.com/a/70774211

Thank you for your help everyone!
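
An added example (not part of the original thread) that works through the uidmap/gidmap question above: it resolves a container ID through `container:intermediate:length` triples the way rootless podman does, where intermediate ID 0 is the invoking host user and IDs from 1 upward index into that user's subordinate ID range. The triples `1000:0:1` and `0:1:1000` are the two mappings the thread describes; the host UID 1000, the subuid start 100000 and the default range length 65536 are constructed sample values.

```shell
# resolve_id ID TRIPLE... -> intermediate ID for a container ID, or "unmapped"
resolve_id() {
    id=$1; shift
    for triple in "$@"; do
        c_start=${triple%%:*}          # first container ID of the range
        rest=${triple#*:}
        i_start=${rest%%:*}            # first intermediate ID of the range
        len=${rest#*:}                 # number of consecutive IDs mapped
        if [ "$id" -ge "$c_start" ] && [ "$id" -lt $((c_start + len)) ]; then
            echo $((i_start + id - c_start))
            return 0
        fi
    done
    echo unmapped
}

# to_host INTERMEDIATE HOST_ID SUB_START -> ID as seen on the host
# Intermediate 0 is the host user; 1..N are entries of the subordinate range.
to_host() {
    if [ "$1" = unmapped ]; then echo unmapped
    elif [ "$1" -eq 0 ]; then echo "$2"
    else echo $(($3 + $1 - 1))
    fi
}

HOST_UID=1000         # constructed: UID of the user running podman
SUBUID_START=100000   # constructed: first ID of that user's /etc/subuid range

show() {  # show LABEL CONTAINER_ID TRIPLE...
    label=$1; cid=$2; shift 2
    inter=$(resolve_id "$cid" "$@")
    echo "$label: container $cid -> host $(to_host "$inter" "$HOST_UID" "$SUBUID_START")"
}

# Rootless default (no --uidmap): the host user becomes container root, so a
# bind mount owned by that user shows up as root:root, as in the ls output.
show "default, root  " 0    0:0:1 1:1:65536
show "default, jovyan" 1000 0:0:1 1:1:65536

# The two mappings from the thread: jovyan (1000) becomes the host user and
# container IDs 0..999 move into the subordinate range instead.
show "mapped,  jovyan" 1000 1000:0:1 0:1:1000
show "mapped,  root  " 0    1000:0:1 0:1:1000
show "mapped,  1001  " 1001 1000:0:1 0:1:1000   # above 1000: left unmapped
```

The same function applies to the GID side: with `100:0:1` and `0:1:100`, container group 100 (`users`) resolves to intermediate 0, the host user's own group.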