/dev/stderr: Permission denied

Hey everyone :wave:

I’m adapting a docker-compose.yml (from Authentik) to a Fly app, and while deploying I receive the error /dev/stderr: Permission denied. It appears to come from a shell script in the container that is redirecting its output, specifically echo "something" > /dev/stderr.

I was about to ask the developers of the Docker image but while building a bug report, I’m realizing it might be more specific to Fly and/or the Firecracker microVM.

The output looks like:

2022-11-04T06:41:58Z   [info]Mounting /dev/vdc at /media w/ uid: 1000, gid: 1000 and chmod 0755
2022-11-04T06:41:58Z   [info]Preparing to run: `/usr/local/bin/dumb-init -- /lifecycle/ak server` as 1000
2022-11-04T06:41:58Z   [info]{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1667544118.5806997, "file": "/authentik/lib/default.yml"}
2022-11-04T06:41:58Z   [info]{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1667544118.5810668, "count": 14}
2022-11-04T06:41:58Z   [info]{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1667544118.581239}
2022-11-04T06:41:59Z   [info]{"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1667544119.6543643}
2022-11-04T06:41:59Z   [info]/lifecycle/ak: line 3: /dev/stderr: Permission denied

The file it references: /lifecycle/ak

I keep seeing a uid/gid of 1000. Is that a non-privileged user that might not have access to /dev/stderr in Firecracker machines?

I had a look at the Authentik Dockerfile. There’s a custom user (1000) set (authentik/Dockerfile at f61786cd721e127454c7135574c33362fc25f763 · goauthentik/authentik · GitHub) which is why you’re seeing the uid/gid 1000. So you’re right, it’s an unprivileged user that doesn’t have access to /dev.

You can either give that user permissions, set the USER directive to root or remove the directive entirely.

Hope that helps!
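A third option that keeps the unprivileged user, shown as an added example that is not part of the original posts or the Authentik image: `> /dev/stderr` opens the file behind fd 2 again and is subject to a permission check, while `>&2` reuses the descriptor the process already holds. The `SINK` file, the function names and the `chmod 000` stand-in for the uid switch are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed scenario, not the Authentik script. fd 2 is opened first, then
# the file behind it becomes un-openable, as after a switch to uid 1000.

SINK=${SINK:-$(mktemp)}          # hypothetical stand-in for the log sink

log_by_path() { echo "$1" > /dev/stderr; }  # open()s the target of fd 2 again
log_by_fd()   { echo "$1" >&2; }            # reuses the descriptor it inherited

# Prints "path=<status> fd=<status>"; what reached stderr is left in $SINK.
demo() {
    result=$(
        exec 2>"$SINK"           # stderr opened while access is still allowed
        chmod 000 "$SINK"        # assumption: models losing open() permission
        p=0; log_by_path "via /dev/stderr" || p=$?
        f=0; log_by_fd "via fd 2" || f=$?
        echo "path=$p fd=$f"
    )
    chmod 600 "$SINK"            # restore access so the result can be read
    echo "$result"
}

# Unprivileged run: path is non-zero, fd is 0. Root bypasses the mode check.
demo && cat "$SINK"
```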

I ended up circumventing this error by disabling debug logging. If I have time I’ll come back, re-enable it and see if I can work around that issue with your solutions.

I think when I posted this I was in a hurry and skipped over noticing that in the Dockerfile. :laughing:

Thanks for investigating this!