Docker error "Errno:EACCES" only occurs for uid other than 1000

I’ve tested this a couple of times using a Boxes VM with Fedora 37 installed and updated with sudo dnf upgrade --refresh.

Steps to reproduce are:

  1. As uid 1000 follow the instructions to install Docker: Install Docker Engine on Fedora | Docker Docs
  2. Test with Docker Hello World sudo docker run hello-world — WORKS!
  3. Attempt to create a new Jekyll project using the Docker Jekyll container:

export site_name="my-blog"
sudo docker run --rm \
  --volume="$PWD:/srv/jekyll" \
  -it jekyll/jekyll \
  sh -c "chown -R jekyll /usr/gem/ && jekyll new $site_name" \
  && cd $site_name

This also WORKS!

  4. Using the Graphical Environment create a new user of “Administrator” account type.
  5. Log in as the new user (e.g. uid=1001) and test Docker using Hello World sudo docker run hello-world — still WORKS!
  6. Up to this point no errors have occurred. Now run the Docker Jekyll container for this user:

export site_name="my-blog"
sudo docker run --rm \
  --volume="$PWD:/srv/jekyll" \
  -it jekyll/jekyll \
  sh -c "chown -R jekyll /usr/gem/ && jekyll new $site_name" \
  && cd $site_name

and the following error appears:

[test@fedora ~]$ export site_name="my-blog"
[test@fedora ~]$ sudo docker run --rm --volume="$PWD:/srv/jekyll" -it jekyll/jekyll sh -c "chown -R jekyll /usr/gem/ && jekyll new $site_name" && cd $site_name
ruby 3.1.1p18 (2022-02-18 revision 53f5fc4236) [x86_64-linux-musl]
jekyll 4.2.2 | Error: Permission denied @ dir_s_mkdir - /srv/jekyll/my-blog
/usr/local/lib/ruby/3.1.0/fileutils.rb:243:in `mkdir': Permission denied @ dir_s_mkdir - /srv/jekyll/my-blog (Errno::EACCES)
    from /usr/local/lib/ruby/3.1.0/fileutils.rb:243:in `fu_mkdir'
    from /usr/local/lib/ruby/3.1.0/fileutils.rb:221:in `block (2 levels) in mkdir_p'
    from /usr/local/lib/ruby/3.1.0/fileutils.rb:219:in `reverse_each'
    from /usr/local/lib/ruby/3.1.0/fileutils.rb:219:in `block in mkdir_p'
    from /usr/local/lib/ruby/3.1.0/fileutils.rb:211:in `each'
    from /usr/local/lib/ruby/3.1.0/fileutils.rb:211:in `mkdir_p'
    from /usr/gem/gems/jekyll-4.2.2/lib/jekyll/commands/new.rb:28:in `process'
    from /usr/gem/gems/jekyll-4.2.2/lib/jekyll/commands/new.rb:19:in `block (2 levels) in init_with_program'
    from /usr/gem/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `block in execute'
    from /usr/gem/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `each'
    from /usr/gem/gems/mercenary-0.4.0/lib/mercenary/command.rb:221:in `execute'
    from /usr/gem/gems/mercenary-0.4.0/lib/mercenary/program.rb:44:in `go'
    from /usr/gem/gems/mercenary-0.4.0/lib/mercenary.rb:21:in `program'
    from /usr/gem/gems/jekyll-4.2.2/exe/jekyll:15:in `<top (required)>'
    from /usr/gem/bin/jekyll:25:in `load'
    from /usr/gem/bin/jekyll:25:in `'

Can someone please help me to understand if there is a bug here or if I’m missing a step at the user creation stage or doing something else wrong? I’ve also tried with selinux in passive mode and that didn’t change anything. Happy to file a bug report if this is a bug, but I’m also not sure what part of the OS is responsible for this error and which package to file it against.

I guess your problem has to do with the rootless installation (see documentation):

Use Docker as a non-privileged user, or install in rootless mode?

The installation script requires root or sudo privileges to install and use Docker. If you want to grant non-root users access to Docker, refer to the post-installation steps for Linux. You can also install Docker without root privileges, or configured to run in rootless mode. For instructions on running Docker in rootless mode, refer to run the Docker daemon as a non-root user (rootless mode).

Apologies, I see in my “steps to reproduce” I didn’t copy and paste that I am using sudo to run the docker command (I’ve edited my post to fix that now).

In essence:

sudo docker for uid 1000

and

sudo docker for uid 1001

produce different results when (from what I can tell) all other aspects of the two user IDs are the same.

This does not appear correct to me. I expect commands to work identically for different user IDs when those users have been created with the same privileges. But it appears that user ID 1000 in Fedora is somehow special?

The difference between user 1000 and 1001 is that the first one is the default user you had when you installed your system.

1001 is the next user you created after the installation.

Did you give a try with podman and rootless for jekyll-docker as explained in the manual?

Thanks for the suggestion, however, I haven’t yet tried with podman or rootless (in any serious attempt) as I would first like to solve this issue I’m seeing with the sudo command and this discrepancy between running the same command across different UIDs.

I’ve dug a little further, this time using /tmp and including the root (uid=0) user in my tests.

With docker installed and running I test with the command line below, or a slight variation of it (i.e. I change the test directory name).

export site_name="testdir";sudo docker run --rm --volume="$PWD:/srv/jekyll:Z" -it jekyll/jekyll sh -c "chown -R jekyll /usr/gem/ && jekyll new $site_name" && cd $site_name

My test results are:

uid=0
location /root - fails
location /tmp - succeeds
location /tmp/test - fails (after first as root creating and cd’ing into the test dir)

uid=1000
location home directory - succeeds
location /tmp - succeeds
location /tmp/test0 - succeeds (after first uid=1000 creating and cd’ing into the test0 dir)

uid=1001
location home directory - fails
location /tmp - succeeds
location /tmp/test1 - fails (after first as uid=1001 creating and cd’ing into the test1 dir)

It seems to me that at another level something is controlling which processes can write where on the operating system, and for uid=1000 some rule exempts that ID, whereas for root (uid=0) and other users (e.g. uid=1001) the rule applies.

I think this might be a ruby error or a container error related to the user ID; I’ve found a closely related issue here: Errno::EACCES: Permission denied @ rb_file_s_rename · Issue #303 · envygeeks/jekyll-docker · GitHub

Not a Fedora issue.

The container needs to run with the UID and GID suitable for writing to the target directory. There are some environment variables available to enable this:

export site_name="testsite"; sudo docker run --rm -e JEKYLL_UID="1001" -e JEKYLL_GID="1001" --volume="$PWD:/srv/jekyll" -it jekyll/jekyll sh -c "chown -R jekyll /usr/gem/ && jekyll new $site_name" && cd $site_name
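The test matrix posted earlier and this answer both come down to which uid the container writes with, so here is an added example (not code from the thread or from the jekyll-docker project) that models the host directory's permission check against the container's uid/gid and emits the JEKYLL_UID/JEKYLL_GID flags used above. It assumes the image writes as its jekyll user, whose uid/gid are taken from JEKYLL_UID/JEKYLL_GID and default to 1000:1000; the directory owners and modes in the demo are constructed to match the thread's tests.

```shell
#!/bin/sh
# Added example, not code from the thread or the jekyll-docker project.
# Assumption: the container writes as its "jekyll" user, whose uid/gid come
# from JEKYLL_UID/JEKYLL_GID and default to 1000:1000.

# can_write OWNER_UID OWNER_GID MODE PROC_UID PROC_GID -> prints "yes" or "no"
# MODE is the host directory's octal permission bits (e.g. 700, 755, 1777).
# Plain POSIX DAC check: owner digit, else group digit, else other digit.
can_write() {
  owner_uid=$1; owner_gid=$2; mode=$3; proc_uid=$4; proc_gid=$5
  perms=$mode
  [ ${#perms} -eq 4 ] && perms=${perms#?}      # drop sticky/setgid/setuid digit
  if [ "$proc_uid" -eq 0 ]; then
    echo yes; return                            # root bypasses DAC checks
  fi
  if [ "$proc_uid" -eq "$owner_uid" ]; then
    bits=${perms%??}                            # owner digit
  elif [ "$proc_gid" -eq "$owner_gid" ]; then
    bits=${perms#?}; bits=${bits%?}             # group digit
  else
    bits=${perms#??}                            # other digit
  fi
  if [ $(( bits & 2 )) -ne 0 ]; then echo yes; else echo no; fi
}

# jekyll_uid_flags UID GID -> the -e flags that make the container's jekyll
# user match the owner of the bind-mounted directory.
jekyll_uid_flags() {
  printf -- '-e JEKYLL_UID=%s -e JEKYLL_GID=%s' "$1" "$2"
}

# Reproduce the thread's results with the image default (1000:1000).
# Constructed inputs: /root is 700 root:root, /tmp is 1777, a fresh test dir
# is 755 owned by its creator (umask 022), a Fedora home dir is 700.
demo() {
  echo "uid=0    /root     -> $(can_write 0 0 700 1000 1000)"        # no
  echo "uid=0    /tmp      -> $(can_write 0 0 1777 1000 1000)"       # yes
  echo "uid=0    /tmp/test -> $(can_write 0 0 755 1000 1000)"        # no
  echo "uid=1000 ~         -> $(can_write 1000 1000 700 1000 1000)"  # yes
  echo "uid=1001 ~         -> $(can_write 1001 1001 700 1000 1000)"  # no
  # The fix from the answer: run the container's jekyll user as the dir owner.
  echo "uid=1001 ~ with $(jekyll_uid_flags 1001 1001) -> $(can_write 1001 1001 700 1001 1001)"  # yes
}

# Real use on Linux (GNU stat): pass the current directory's owner through.
#   sudo docker run --rm $(jekyll_uid_flags "$(stat -c %u .)" "$(stat -c %g .)") \
#     --volume="$PWD:/srv/jekyll:Z" -it jekyll/jekyll jekyll new "$site_name"
demo
```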

Sorry for the noise, and thanks @ilikelinux for the help!
