resolv.conf should be world-readable

I have two apps, one PHP and one Node, that flat out refuse to resolve its database hosts. Turns out they drop privileges to a non-root user (and do not use the system resolver?), making them unable to read the nameserver from resolv.conf.

Fly writes /etc/resolv.conf in the container with 700 permissions, while it should be 644.

We actually create /etc/resolv.conf with 0644 mode.
Can you share your Dockerfile or base image? Are you running some startup scripts?

Interesting! One of the apps is GitHub - outline/outline: The fastest knowledge base for growing teams. Beautiful, realtime collaborative, feature packed, and markdown compatible.

We run it straight from dockerhub with

  image = "outlinewiki/outline"

Not seeing the same behavior locally. Noticed both apps run Alpine as base image

I can’t seem to reproduce this with their image. With this Dockerfile:

FROM outlinewiki/outline:latest

CMD sleep inf

I get correct /etc/resolv.conf permissions after deploy:

$  fly m exec 7811170a911208 "ls -l /etc/resolv.conf"
-rw-r--r--    1 root     root            20 May  1 12:04 /etc/resolv.conf

Whatever is running as default CMD in their Docker image shouldn’t be able to change the permissions as well, as it’s running under nodejs user.

Can you share more info? App name, fly.toml, step you use to deploy it?

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.