According to Allow non-root users to write to stdout/stderr - #3 by jerome, Fly creates pipes for stdout and stderr that are owned by the user and group that the container image’s main process starts as. However, that does not appear to be the case for me.
I built an image using the Paketo builder. My fly.toml has this:
[build] builder = "paketobuildpacks/builder:full" [build.args] BP_PHP_SERVER = "httpd" BP_PHP_WEB_DIR = "web" BPE_DEFAULT_PORT = 8080
I don’t think the build args are even relevant for reproducing the behavior, because if I add my own
Procfile which runs a different process than Apache HTTPD as follows:
web: whoami && ls -l /dev/stdout && ls -l /proc/self/fd/1 && stat -L /proc/self/fd/1
Then when the machine starts, I see the following in
[info] cnb [info] lrwxrwxrwx 1 root root 15 Jan 26 17:18 /dev/stdout -> /proc/self/fd/1 [info] l-wx------ 1 cnb cnb 64 Jan 26 17:18 /proc/self/fd/1 -> pipe: [info] File: /proc/self/fd/1 [info] Size: 0 Blocks: 0 IO Block: 4096 fifo [info] Device: ch/12d Inode: 4356 Links: 1 [info] Access: (0600/prw-------) Uid: ( 0/ root) Gid: ( 0/ root) [info] Access: 2023-01-26 17:18:20.276300235 +0000 [info] Modify: 2023-01-26 17:18:20.380300231 +0000 [info] Change: 2023-01-26 17:18:20.380300231 +0000 [info] Birth: -
Looks like the
/proc/self/fd/1 symlink has write permission by the “cnb” user, but the pipe it links to is owned by root and doesn’t grant write permission to anyone else.
And if I change my Procfile to:
whoami >> /dev/stdout
Then in my logs I get:
[info] bash: /dev/stdout: Permission denied
So it looks like the container’s main process can write to its own stdout (“whoami” works) but cannot write to /dev/stdout (“whoami >> /dev/stdout” gets the permission denied).
This is a problem because the way Apache HTTPD is configured to log is with something like:
Is the above a Fly bug or expected behavior? If expected behavior, what is the proper way for an image running as a non-root user to log?
In case it’s relevant, I ran into this with Fly Machines. I have not tried this on a Nomad app, so do not know if it’s the same or different on there.