/dev/stderr: Permission denied

brody-next-tms · November 4, 2022, 6:59am

Hey everyone

I’m adapting a docker-compose.yml (from Authentik) to a Fly app, and while deploying I receive the error /dev/stderr: Permission denied. It appears to come from a shell script in the container that is redirecting its output, specifically echo "something" > /dev/stderr.

I was about to ask the developers of the Docker image but while building a bug report, I’m realizing it might be more specific to Fly and/or the Firecracker microVM.

The output looks like:

2022-11-04T06:41:58Z   [info]Mounting /dev/vdc at /media w/ uid: 1000, gid: 1000 and chmod 0755
2022-11-04T06:41:58Z   [info]Preparing to run: `/usr/local/bin/dumb-init -- /lifecycle/ak server` as 1000
2022-11-04T06:41:58Z   [info]{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1667544118.5806997, "file": "/authentik/lib/default.yml"}
2022-11-04T06:41:58Z   [info]{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1667544118.5810668, "count": 14}
2022-11-04T06:41:58Z   [info]{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1667544118.581239}
2022-11-04T06:41:59Z   [info]{"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1667544119.6543643}
2022-11-04T06:41:59Z   [info]/lifecycle/ak: line 3: /dev/stderr: Permission denied

The file it references: /lifecycle/ak

I keep seeing a uid/gid of 1000. Is that a non-privileged user that might not have access to /dev/stderr in Firecracker machines?

senyo · November 4, 2022, 8:50am

I had a look at the Authentik Dockerfile. There’s a custom user (1000) set (authentik/Dockerfile at f61786cd721e127454c7135574c33362fc25f763 · goauthentik/authentik · GitHub) which is why you’re seeing the uid/gid 1000. So you’re right, it’s an unprivileged user that doesn’t have access to /dev.

You can either give that user permissions, set the USER directive to root or remove the directive entirely.

Hope that helps!

brody-next-tms · November 8, 2022, 6:27pm

I ended up circumventing this error by disabling debug logging. If I have time I’ll come back, re-enable it and see if I can workaround that issue with your solutions.

I think when I posted this I was in a hurry and skipped over noticing that in the Dockerfile.

Thanks for investigating this!

Topic		Replies	Views
Non-root user lost permissions to write to /dev/stdout	8	422	October 13, 2021
Deploying remix/run blues-stack app, docker/login-action@ fails: Error response from daemon: login attempt to https://registry.fly.io/v2/ failed with status: 401 Unauthorized Build debugging	2	448	March 15, 2023
Permission denied during installation	15	1390	March 12, 2023
Kernel panic running without /etc/passwd	5	265	September 14, 2021
Logs displayed by `flyctl deploy` are missing lines logs	4	423	August 22, 2022

/dev/stderr: Permission denied

Related Topics