Docker non root container permission denied for the first run binary extraction #139

Open
yoleksandr opened this issue Jun 29, 2022 · 3 comments

Comments

@yoleksandr

Hello and thank you for the great application.

I have an interesting situation with a non-root docker container.
When I use a non-root container (the user in the container does not have root access), I get this error:

Command Error: /usr/local/bundle/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf:55:in `initialize': Permission denied @ rb_sysopen - /usr/local/bundle/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf_debian_10_amd64 (Errno::EACCES)
from /usr/local/bundle/gems/wkhtmltopdf-binary-0.12.6.5/bin/wkhtmltopdf:55:in `open'

As a workaround, I can use gunzip in the Dockerfile or give my user write permissions on the bin directory, but maybe we need to add this to the documentation as a note, or use the binary without compression.

@henriquesml

Hey @yoleksandr

Can you share your solution, please?

@codingwaysarg

This is how I fixed it in my Dockerfile:

RUN chmod -R 777 $(rvm-exec gemdir)/gems/wkhtmltopdf-binary-0.12.6.5/bin
RUN ln -s $(rvm-exec gemdir)/bin/wkhtmltopdf /usr/bin

Make sure to replace 0.12.6.5 with the version listed in your Gemfile.lock.

@thooams

thooams commented Mar 4, 2025

The solution for me:

....
# https://github.com/zakird/wkhtmltopdf_binary_gem/issues/139#issuecomment-1448842925
RUN chmod -R 777 "${BUNDLE_PATH}"/ruby/*/gems/wkhtmltopdf-binary-*/bin
...

Here is the Dockerfile:

# syntax=docker/dockerfile:1
# check=error=true

# This Dockerfile is designed for production, not development. Use with Kamal or build'n'run by hand:
# docker build -t toto .
# docker run -d -p 80:80 -e RAILS_MASTER_KEY=<value from config/master.key> --name toto toto

# For a containerized dev environment, see Dev Containers: https://guides.rubyonrails.org/getting_started_with_devcontainer.html

# Make sure RUBY_VERSION matches the Ruby version in .ruby-version
ARG RUBY_VERSION=3.3.6
FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base

# Rails app lives here
WORKDIR /rails

# Install base packages
RUN apt-get update -qq && \
  apt-get install --no-install-recommends -y curl libjemalloc2 libvips libpq-dev postgresql imagemagick && \
  rm -rf /var/lib/apt/lists /var/cache/apt/archives

# Set production environment
ENV RAILS_ENV="production" \
  BUNDLE_DEPLOYMENT="1" \
  BUNDLE_PATH="/usr/local/bundle" \
  BUNDLE_WITHOUT="development test"

# Throw-away build stage to reduce size of final image
FROM base AS build

# Install packages needed to build gems
RUN apt-get update -qq && \
  apt-get install --no-install-recommends -y build-essential git pkg-config \
  curl build-essential  wget unzip && \
  rm -rf /var/lib/apt/lists /var/cache/apt/archives

# Install aws-cli via wget
RUN wget https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip && \
  unzip awscli-exe-linux-x86_64.zip && ./aws/install

# Install application gems
COPY Gemfile Gemfile.lock ./
RUN bundle install && \
  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
  bundle exec bootsnap precompile --gemfile

# https://github.com/zakird/wkhtmltopdf_binary_gem/issues/139#issuecomment-1448842925
RUN chmod -R 777 "${BUNDLE_PATH}"/ruby/*/gems/wkhtmltopdf-binary-*/bin

# Copy application code
COPY . .

# Precompile bootsnap code for faster boot times
RUN bundle exec bootsnap precompile app/ lib/

# Precompiling assets for production without requiring secret RAILS_MASTER_KEY
RUN RAILS_ENV=production SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile




# Final stage for app image
FROM base

# Copy built artifacts: gems, application
COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
COPY --from=build /rails /rails

# Run and own only the runtime files as a non-root user for security
RUN groupadd --system --gid 1000 rails && \
  useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
  chown -R rails:rails db log storage tmp
USER 1000:1000

# Entrypoint prepares the database.
ENTRYPOINT ["/rails/bin/docker-entrypoint"]

# Start server via Thruster by default, this can be overwritten at runtime
EXPOSE 80
CMD ["./bin/thrust", "./bin/rails", "server"]
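
The gunzip workaround mentioned in the opening post, written out as an added example (not code from the gem or from any commenter): the binary is unpacked at build time, so the non-root user needs no write access to the gem's `bin` directory. It assumes the archive is named `wkhtmltopdf_<platform>.gz` and that the wrapper skips extraction when the unpacked file already exists; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the gem or from this thread.
# Assumption: each platform binary ships as bin/wkhtmltopdf_<platform>.gz and
# the wrapper unpacks it to bin/wkhtmltopdf_<platform> on first run.

# extract_wkhtmltopdf GEM_ROOT [PLATFORM]
#   Run as root at image build time. Unpacks the matching archive(s) so the
#   runtime user never needs write access, then drops group/other write bits.
#   PLATFORM is a find(1) glob such as debian_10_amd64 (default: every archive).
extract_wkhtmltopdf() {
  gem_root=$1
  platform=${2:-*}
  found=0
  list=$(mktemp) || return 1
  find "$gem_root" -type f \
    -path "*/wkhtmltopdf-binary-*/bin/wkhtmltopdf_${platform}.gz" > "$list"
  while IFS= read -r archive; do
    target=${archive%.gz}
    # Decompress to a temp name first so a failed gunzip leaves no partial binary.
    if ! gzip -dc "$archive" > "$target.tmp"; then
      rm -f "$target.tmp" "$list"
      return 1
    fi
    chmod 0755 "$target.tmp"
    mv -f "$target.tmp" "$target"
    # Undo any earlier chmod 777 on the gem's bin directory.
    chmod -R go-w "$(dirname "$target")"
    found=$((found + 1))
  done < "$list"
  rm -f "$list"
  # Fail the build when nothing matched (wrong path, version or platform).
  [ "$found" -gt 0 ]
}

# world_writable_count DIR
#   Prints how many non-symlink entries under DIR are world-writable; use it
#   as a build gate (expect 0) to catch a leftover chmod 777.
world_writable_count() {
  find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}
```

Called from a `RUN` step in the build stage after `bundle install`, for example as `extract_wkhtmltopdf "${BUNDLE_PATH}"`, it takes the place of a `chmod -R 777` on the gem's `bin` directory.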
