System.UnauthorizedAccessException in chiseled image when writing to file.

[lzandman]

I'm trying to run a .Net Core web app in the mcr.microsoft.com/dotnet/nightly/aspnet:7.0-jammy-chiseled chiseled container. It works fine when run in the regular mcr.microsoft.com/dotnet/aspnet:7.0 container. It also runs fine in the chiseled container when I use docker run -u root. But when run without -u root, I get an exception:

Unhandled exception. System.UnauthorizedAccessException: Access to the path '/ServerMock/my.key' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirError)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode, Func`4 createOpenException)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, UnixFileMode openPermissions, Int64& fileLength, UnixFileMode& filePermissions, Func`4 createOpenException)
   at System.IO.File.OpenHandle(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize)
   at System.IO.File.WriteToFile(String path, FileMode mode, String contents, Encoding encoding)
   at 

...

   at Program.<Main>$(String[] args) in /src/Program.cs:line 38

I think it should also be able to run as the non-root user (whose UID is 101, if I understand correctly).

I'm copying my app files using the --chown 101 argument and on the non-chiseled container I can see all permissions getting set properly. So the folder /ServerMock and its contents are owned by UID 101. That folder is also the current working directory. However, on the chiseled container there's no shell and no easy way, that I know of, to check file permissions.

Does anybody know a fix?

[mthalman]

https://github.com/wagoodman/dive is a great tool for inspecting the file system, including permissions. That will allow you to target your chiseled container image.

Can you show how your Dockerfile is configured?

[biapar]

Try this:

WORKDIR /app
COPY --from=publish /app/publish .
USER root
RUN chown -R $APP_UID:$APP_UID /app
USER $APP_UID
ENTRYPOINT ["dotnet", "xxxx.dll"]