Can't change permissions on /run directory

I’m running an app based on the trafex/alpine-nginx-php7 image, which by default runs nginx and supervisord as nobody. This seems to work perfectly fine within Docker when testing locally; however, when pushed to Fly, it can’t change the ownership on /run to be able to write out pid files.

Even manually ssh’ing in and trying to change permissions or ownership fails.

I assume this is a side-effect of the firecracker VM. Is this something that can be changed, or should I look into rebuilding the base image to run as root?

1 Like

That would be a consequence of the init program we inject into VMs to create a clean startup sequence.

We do not encourage people to run their programs as root. I’d suggest writing a custom entrypoint for your image, running as root, that creates the structure you want in /run with the permissions you need. Then switch to the proper user and exec your CMD.

For example:

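entrypoint.sh

#!/bin/sh
# Alpine-based images do not ship bash by default, so use /bin/sh.
set -e

# assume you're root: give the unprivileged user ownership of /run
chown -R nobody:nobody /run

# drop to the nobody user and exec the original CMD in one step
# (su-exec is an Alpine package; it is installed in the Dockerfile below)
exec su-exec nobody "$@"

Dockerfile

FROM trafex/alpine-nginx-php7
# ...
# the base image runs as nobody; build steps and the entrypoint need root
USER root
RUN apk add --no-cache su-exec
COPY ./entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
# ENTRYPOINT resets the CMD inherited from the base image; re-declare CMD here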

I see the Dockerfile for trafex/alpine-nginx-php7 modifies the ownership of /run during build. We might be able to detect that and keep the current ownership and permissions.

In the meantime, something like the example I provided should work.

3 Likes
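To confirm that an entrypoint like the one suggested above really dropped root before starting the service, compare all four UIDs of the running process against the target user. This is an added example, not part of the original thread; the function names and the script name check-drop.sh are hypothetical, and it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a process fully dropped root.

# Print the four UIDs (real, effective, saved, filesystem) of a PID,
# read from the "Uid:" line of /proc/<pid>/status.
proc_uids() {
    awk '/^Uid:/ { print $2, $3, $4, $5 }' "/proc/$1/status" 2>/dev/null
}

# Resolve a user name or a numeric UID to a numeric UID.
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Return 0 only if every UID of the PID equals the expected user,
# 1 on a mismatch, 2 if the PID or the user cannot be resolved.
# A saved UID that is still 0 means the process can regain root.
check_dropped() {
    pid=$1
    want=$(resolve_uid "$2") || return 2
    [ -n "$want" ] || return 2
    uids=$(proc_uids "$pid")
    [ -n "$uids" ] || return 2
    for uid in $uids; do
        [ "$uid" = "$want" ] || return 1
    done
    return 0
}

# Usage: ./check-drop.sh <pid> <user>
if [ "$#" -eq 2 ]; then
    if check_dropped "$1" "$2"; then
        echo "OK: pid $1 runs entirely as $2"
    else
        echo "FAIL: pid $1 is not fully running as $2 (uids: $(proc_uids "$1"))" >&2
        exit 1
    fi
fi
```

Run it against the PID of supervisord or nginx from an SSH session in the VM; a process started as root without a complete privilege drop shows at least one UID of 0.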

That would be awesome as a long-term solution. I tried creating an entrypoint, but ran into some other issues that are outside the scope of Fly. The quick fix was to just modify all the configs to write pid files to /tmp.

Thanks for your help!