#docker (2020-09)

docker

All things docker Archive: https://archive.sweetops.com/docker/

2020-09-11

bradym

I’ve got a dockerfile we’re using for local development. I’m installing npm modules in the dockerfile and marking node_modules as a volume so when the code is mounted in without a node_modules folder, we’ll use what’s in the image. This is working nicely, but after a docker run the node_modules folder exists on the host owned by root.

Is there any way to avoid the node_modules folder on the host being owned by root? I assume it would require running the docker daemon as another user, but thought I’d check.

bradym

Relevant Dockerfile snippet

WORKDIR /app

RUN --mount=type=secret,id=build-secrets source /run/secrets/build-secrets  && \
    npm install                                                             && \
    rm -rf /root/.npm

VOLUME /app/node_modules

Using a volume to load code into container for hot-reloading while working:

docker run -v "$(pwd)":/app imageName
roth.andy

Instead of doing that, you can first COPY your package.json, then RUN npm install, then copy in your app code. That way your node_modules will only change if your package.json changes

bradym

Yeah, I’m doing that.

roth.andy

relying on node_modules from a mount means the container isn’t self-contained, which is an anti-pattern

bradym

Exactly

bradym

The dockerfile in question is only used locally. I want to load the code into the container so the developers can have hot-reloading (this works).

bradym

The problem is that even if I don’t have a node_modules folder in the directory I mount, after the docker run command, the host has the node_modules folder. Which makes sense, docker copies it into place at runtime.

bradym

The problem is it is owned by root instead of my user that executed the docker run command.

bradym

This means I have to sudo rm -rf node_modules if I want to get rid of it. And I’d like to avoid my devs getting in the habit of using sudo to delete stuff.

roth.andy

It will be owned by whichever user is being used inside the dockerfile. You can use USER to change to a different user, but that probably won’t fix your problem.

bradym

Hmm, thought I tried that. But apparently not. I’ll give that a try.

bradym

Nope. Inside the container ownership is correct but not outside.

Jonathan Marcus

• When you did the USER command, did you assign by (string) username or by (numeric) uid?

• Do you do USER in the dockerfile, or do you do --user={uid}:{gid} in your docker run command?

• Is this under Linux, or do you need to also support Mac/Windows/WSL/WSL2?

bradym

Sorry was out yesterday and not checking slack.

The docker file has this:

ARG UID=1000
ARG GID=1000
RUN usermod -u $UID node && groupmod -g $GID node
USER node

I’m setting UID and GID using --build-arg on the docker run command.

I need to support Linux and Mac.

Dzhuneyt

Does the “host machine user” have indeed an ID of 1000? Keep in mind that Ubuntu sets it to 1000 by default but on Mac it was something like 501. You should resolve that through a script programmatically and pass it to the docker build command.

Dzhuneyt

It’s something I’m already doing for a project.

Dzhuneyt

I suggest you try to change the UID of the “root” user itself inside the container, instead of changing the user to “node”. That is, unless the standard NodeJS docker image uses the “node” user. In that case, disregard my comment.

bradym

Yeah, my docker run command includes --build-arg UID=$(id -u) and --build-arg GID=$(id -g)

Amusingly, the one person on our team who has run into issues with this is using Ubuntu. For whatever reason his user id is 1001, it’s a Dell so I blame them.

There’s apparently something in docker for mac that does some sort of translation, cause those on mac have never had issues editing files inside containers without any special handling.

bradym

And yeah, the nodejs docker image uses the node user.

2020-09-07

Jonathan Marcus

Does anyone here use Docker BuildKit as opposed to the original Docker build? The docs seem to imply it’s experimental, but the developers seem to be putting all their effort behind it so it has all the great new features. What are your thoughts on using it in production?

bradym

We’re using it in our CI pipelines. Primary reason for switching was to use the --secret flag so we can run npm install to get private packages without having NPM_TOKEN baked into the image. That part works great.

We have run into some issues with caching though. Specifically https://github.com/moby/moby/issues/41219. The good news is the fix has been merged to master, but they have not yet released a stable version with the fix - only betas.

Image built from cached layers is missing data · Issue #41219 · moby/moby

Description I built an image on one machine using DOCKER_BUILDKIT=1 docker build . --build-arg BUILDKIT_INLINE_CACHE=1 --build-arg platform=generic --tag nubots/nubots:buildkit --no-cache I then pu…

bradym

So for now I’m still doing docker pull for the images I want to use as --cache-from values. Once the next version of docker is released that should be unnecessary.

Jonathan Marcus

Interesting, thanks! So far we’re only using BuildKit in a very specific case where I need the feature from https://github.com/moby/moby/issues/12886, and I hope this bug won’t hit me. The --secret flag will also be quite nice, so maybe I’ll dip my toes in further

Add support for specifying .dockerignore file with -i/--ignore · Issue #12886 · moby/moby

As several people have mentioned (@thaJeztah, @duglin) in #9707, it would be great to be able specify the .dockerignore file using -i/--ignore in conjunction with named dockerfiles. It is often dif…

Jonathan Marcus

It turns out that the feature mentioned in this issue is kinda flaky, so I will hold off on using BuildKit. Just an FYI in case anyone else has similar problems.
