Docker - failed to open stream permission denied #58

Open
dschmag opened this issue Aug 26, 2021 · 8 comments

dschmag commented Aug 26, 2021

I tried docker-compose-viz

$ docker run --rm -it --name dcv -v $(pwd):/input pmsipilot/docker-compose-viz render -m image docker-compose.yml
Warning: file_put_contents(/input/docker-compose.png): failed to open stream: Permission denied in /dcv/src/application.php on line 138
Linux myserver 5.4.0-77-generic #86-Ubuntu SMP Thu Jun 17 02:35:03 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Docker version 20.10.7, build 20.10.7-0ubuntu1~20.04.1

rahedges commented Dec 5, 2022

I am having this issue too. Any ideas on how to fix this?


rahedges commented Dec 5, 2022

This issue is caused by different user ids on the host and in the container. Some user manipulation at the command line might work.

A quick workaround is to create an empty output file, set the permissions to match the user in the container and then force-write the generated image over the dummy image.

  1. Run the container and list the id of the user in the container:
     docker run --rm -it --name dcv pmsipilot/docker-compose-viz id
     uid=1000(dcv) gid=1000(dcv) groups=1000(dcv)
  2. On the host, create an empty file with the name of the output:
     touch docker-compose.png
  3. Change the owner of the empty output file to match the docker uid and gid found above (1000:1000):
     sudo chown 1000:1000 docker-compose.png
  4. Run the container and generate the image as in the original post, but add the --force option to allow the container to overwrite the empty file:
     docker run --rm -it --name dcv -v "$(pwd):/input" pmsipilot/docker-compose-viz render -m image --force docker-compose.yml
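
The uid mismatch described in the comment above, as an added example that is not part of the original thread or the project's code: a bind mount keeps the host's numeric ownership, so whether the container user (uid=1000 gid=1000 in the `id` output) can create the output file follows from the directory's owner, group and mode bits. The function names `can_write_as` and `diagnose` are hypothetical; the check assumes GNU `stat` and ignores ACLs, supplementary groups and user-namespace remapping.

```shell
#!/bin/sh
# Added example: decide from mode bits whether a numeric uid/gid may create
# files in a bind-mounted directory. The kernel compares the container
# process's numeric ids against the host ownership; user names play no part.

# can_write_as UID GID DIR -> exit status 0 if that identity may create files in DIR
can_write_as() {
    uid=$1 gid=$2 dir=$3
    [ "$uid" -eq 0 ] && return 0          # root bypasses mode bits (default capabilities)
    set -- $(stat -c '%u %g %a' "$dir")   # now $1=owner uid, $2=owner gid, $3=octal mode
    mode=$((0$3))
    if [ "$uid" -eq "$1" ]; then
        need=$((0300))                    # owner class: write + search on the directory
    elif [ "$gid" -eq "$2" ]; then
        need=$((0030))                    # group class
    else
        need=$((0003))                    # everyone else
    fi
    [ $((mode & need)) -eq "$need" ]
}

# diagnose UID GID DIR -> prints "writable", or a "denied" line naming the
# directory's owner so the container can be started as that user.
diagnose() {
    if can_write_as "$1" "$2" "$3"; then
        echo "writable"
    else
        owner=$(stat -c '%u:%g' "$3")
        echo "denied: run with --user $owner instead of widening the mode"
    fi
}

# Constructed demo: a private directory (mode 755) checked against the
# uid=1000 gid=1000 identity that `id` reported inside the container.
demo=$(mktemp -d) && chmod 755 "$demo"
diagnose 1000 1000 "$demo"
rm -rf "$demo"
```

On a host where your own uid is not 1000, the demo prints the "denied" line, which is the same condition that produces the `file_put_contents` warning in the original post.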


umer936 commented Mar 14, 2023

I fixed this by just giving write permissions to the entire project folder


Tazoeur commented Apr 24, 2024

Another workaround that is a bit cleaner IMHO: run the container with the --user option

docker run --rm -it --user $UID:$GID --name dcv -v "$(pwd):/input" pmsipilot/docker-compose-viz render -m image docker-compose.yml 

@nguyenvulong

It's because your dir is not writeable by docker. Try this:

ls -ld $(pwd)  # Check current permissions
chmod 777 $(pwd)  # Temporarily set full permissions (for testing)


berkes commented Oct 10, 2024

> Temporarily set full permissions (for testing)

This is crucial. And therefore rather unusable. It merely helps with diagnosing, but there are far better ways to do this - higher in the thread there are commands running id that will tell you the same: this is a user/permission issue.

"Temporarily" means that you must run it right before each time of running the docker and then reverting right after - but there's no example on how to revert. Leaving it chmod 777 not only is a security issue, it can and will cause docker to write files that will break backups, that make moving and even searching this dir hard or impossible. It's, overall, bad advice.

TL;DR: don't use this chmod 777.


nguyenvulong commented Oct 10, 2024

This repo is already allowing inevitable access to host from container by such a design.

I'd rather create an empty and harmless testing directory with permissive permissions just for retrieving the visualization image and tear it down after use. 777 is there for a reason if you know to use it to make your work convenient without security tradeoff.

Now it's weird if you plan to put your critical files in there.

edited: out -> put


berkes commented Oct 13, 2024

> out your critical files in there

The main issue is that files inside this dir are not owned by you, but by root. You cannot move, backup, cleanup or archive your project without root. Search, grep, and anything that hits this file will flunk or even break.

There are several options proposed in this exact thread which work fine and have none of these downsides. "Chmod 777" to solve docker issues is almost never the right solution.

One more, that doesn't involve chmodding nor any other commands, is to output to /tmp/ (tmp is designed to be writable and readable by all users)

docker run --rm -it --name dcv -v "$(pwd):/input" pmsipilot/docker-compose-viz render -m image docker-compose.yml --output-file /tmp/docker-compose.png
