/dev/stderr: Permission denied

brody-next-tms · November 4, 2022, 6:59am

Hey everyone

I’m adapting a docker-compose.yml (from Authentik) to a Fly app, and while deploying I receive the error /dev/stderr: Permission denied. It appears to come from a shell script in the container that is redirecting its output, specifically echo "something" > /dev/stderr.

I was about to ask the developers of the Docker image but while building a bug report, I’m realizing it might be more specific to Fly and/or the Firecracker microVM.

The output looks like:

2022-11-04T06:41:58Z   [info]Mounting /dev/vdc at /media w/ uid: 1000, gid: 1000 and chmod 0755
2022-11-04T06:41:58Z   [info]Preparing to run: `/usr/local/bin/dumb-init -- /lifecycle/ak server` as 1000
2022-11-04T06:41:58Z   [info]{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1667544118.5806997, "file": "/authentik/lib/default.yml"}
2022-11-04T06:41:58Z   [info]{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1667544118.5810668, "count": 14}
2022-11-04T06:41:58Z   [info]{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1667544118.581239}
2022-11-04T06:41:59Z   [info]{"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1667544119.6543643}
2022-11-04T06:41:59Z   [info]/lifecycle/ak: line 3: /dev/stderr: Permission denied

The file it references: /lifecycle/ak

I keep seeing a uid/gid of 1000. Is that a non-privileged user that might not have access to /dev/stderr in Firecracker machines?

senyo · November 4, 2022, 8:50am

I had a look at the Authentik Dockerfile. There’s a custom user (1000) set (authentik/Dockerfile at f61786cd721e127454c7135574c33362fc25f763 · goauthentik/authentik · GitHub) which is why you’re seeing the uid/gid 1000. So you’re right, it’s an unprivileged user that doesn’t have access to /dev.

You can either give that user permissions, set the USER directive to root or remove the directive entirely.

Hope that helps!

brody-next-tms · November 8, 2022, 6:27pm

I ended up circumventing this error by disabling debug logging. If I have time I’ll come back, re-enable it and see if I can workaround that issue with your solutions.

I think when I posted this I was in a hurry and skipped over noticing that in the Dockerfile.

Thanks for investigating this!

Topic		Replies	Views
Non-root user lost permissions to write to /dev/stdout	8	547	October 13, 2021
Unable to run "svg-sprite" in Dockerfile: "Permission denied" Build debugging	3	341	October 12, 2022
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock Questions / Help	2	2221	September 1, 2021
Container (non-root) user can't write to /dev/stdout or /dev/stderr	25	6026	February 20, 2023
Permission denied @ dir_s_mkdir - /rails/tmp/sockets (Errno::EACCES)	5	1776	July 3, 2023

/dev/stderr: Permission denied

Related topics