Python remote interpreter docker-compose permission denied
Answered
I tried adding a Docker Compose project as described in https://blog.jetbrains.com/pycharm/2017/03/docker-compose-getting-flask-up-and-running/.
I can run the project from Run configuration without issues. Also if I choose as remote interpreter just Dockerfile it works fine.
If I try to add a Python remote interpreter using Docker Compose, the following happens:
Failed to run single Docker Compose service web: .IOError: [Errno 13] Permission denied: '/home/filip/work/videmi/videmi/docker-compose.yml'
Versions:
$ docker --version
Docker version 1.13.1, build 7f1fa5c-unsupported
$ docker-compose --version
docker-compose version 1.17.1, build 6d101fb
PyCharm 2017.3.3 (Professional Edition)
Build #PY-173.4301.16, built on January 11, 2018
Licensed to Filip Dobrovolný
Subscription is active until January 16, 2019
JRE: 1.8.0_152-release-1024-b11 amd64
JVM: OpenJDK 64-Bit Server VM by JetBrains s.r.o
Linux 4.15.16-300.fc27.x86_64
Docker compose
version: "3"
services:
  db:
    image: postgres
    restart: always
    environment:
      POSTGRES_PASSWORD: psql_passwd
    ports:
      - "5432:5432"
  redis:
    restart: always
    image: redis:alpine
    expose:
      - "6379"
  web:
    build:
      context: .
      dockerfile: Dockerfile.dev
    image: videmi_app:latest
    command: yarn start
    volumes:
      - .:/code:Z
    ports:
      - "3000:3000"
      - "3001:3001"
      - "8000:8000"
    environment:
      - DEBUG=true
      - DATABASE_URL=postgres://postgres:psql_passwd@db:5432/postgres
      - REDIS_URL=redis://redis
    depends_on:
      - db
      - redis
Hi,
Could you please try the latest PyCharm version, which is currently 2018.1.3?
Previous PyCharm versions used the Docker Compose image and they mounted docker-compose.yml configuration files into the Docker Engine, which in some cases may have caused an IOError.
I have 2018.3.3 and the same problem:
I have the same problem as well - same as Paulo.
For anyone with permission denied error - please try to create a file in /home/<your_current_user>/.PyCharm2018.3/system/tmp/docker
Just any file, to test the access permission, using the same user you're running PyCharm from.
I can create files in `/home/<your_current_user>/.PyCharm2018.3/system/tmp/docker` - it's not obvious where the permission error is coming from.
I'm able to start and stop docker-compose from the command-line. I'm using the latest version of PyCharm.
I get the exact same error with the EAP version of PyCharm, so I wonder if it's something odd about how Docker runs on my Ubuntu PC.
I think this is a problem with the version of Docker Compose installed via Snap.
I fixed this problem by uninstalling the Snap version of Docker, re-installing Docker-CE (from the instructions on Docker's web-page), and then installing the latest version of docker-compose via Pip.
Salim Fadhley, I think my case is what you're describing.
Currently, I have docker-compose 1.25.5 installed, and even though I can run the container correctly with
sudo docker-compose -f local.yml up
I'm really struggling to run it with PyCharm.
I even tried to run the same command as PyCharm, but in a different terminal and with sudo:
sudo /snap/bin/docker-compose -f local.yml -f ~/.Pycharm2018.1/system/tmp/docker-compose.override.92.yml
But I still get the same output:
ERROR: PermissionError: [Errno 13] Permission denied: '...'
Which is unexpected; as you said, maybe it's a problem with the docker-compose version.
Any help is most appreciated.
Thanks
OK, I've been reading some extra information and digging deeper. As far as I understand, it seems that the AppArmor profile snap.docker.compose is blocking access to the .yml file. I tried to add that directory to the homedirs of AppArmor with
sudo dpkg-reconfigure apparmor
But nothing changed; the AppArmor profile is still blocking this, as I can see in the latest dmesg messages:
[16251.386145] audit: type=1400 audit(1593655743.132:1282): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/home/karosuo/.PyCharm2018.1/system/tmp/docker-compose.override.195.yml" pid=27810 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Just trying to relate information here, so maybe it helps someone else.
Also, I saw here https://forum.snapcraft.io/t/docker-fails-with-permission-denied-inside-containers/17602/16
that Salim was, again, right about uninstalling the snap Docker version and installing the CE version.
Salim has pointed out a part of the solution to this problem. The problem is with the AppArmor profile snap.docker.compose, used by snap to run docker-compose, which is too restrictive (that's kind of a good thing, but it will lead to a permission denied error in IntelliJ and PyCharm, as described in the issue description).
AppArmor is well documented here, with instructions on how to debug:
https://ubuntu.com/server/docs/security-apparmor
Workaround 2 (almost):
The idea would be to update the `snap.docker.compose` AppArmor profile to allow personal-files or specific files (such as `~/.cache`).
Note: it would be nice, but I did not manage to do it (yet).
All in all, it's a good idea to restrict access to personal files. I don't want Docker to access my SSH keys, you know. That's why we're getting this error with the Docker version installed from snap.
In my case, the error was the following:
See Profile customization section in https://help.ubuntu.com/community/AppArmor
I didn't manage to find where to customize it, but digging a bit more, I found this:
https://snapcraft.io/docs/home-interface
So I went on a journey to find https://github.com/docker-snap/docker-snap/blob/main/snap/snapcraft.yaml#L10-L12
Turns out the snap has the home plug already. So does compose, as seen here: https://github.com/docker-snap/docker-snap/blob/main/snap/snapcraft.yaml#L97
So I dug a bit more and found the following nice comment:
https://github.com/docker-snap/docker-snap/issues/7#issuecomment-702884534
So the solution would probably be to manage to add the `personal-files` plug to the docker-snap or find a way to specify which folder we want to access, but from what I've read so far, this can be done by snap creators and not actual users. I would have liked to be able to say something like: hey docker-snap, I authorize you to access `~/.cache/JetBrains`.
Instead, I must uninstall that snap, lose these great security concepts I just learned about and install docker using official docs and know that docker can have access to personal files without any limitations.
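
Added example, not part of any post in this thread: a small parser for AppArmor `DENIED` audit lines like the one quoted from dmesg above. It reports which profile blocked which file and whether the path sits in a hidden directory under the home directory, which the snap `home` interface (non-hidden files only) does not cover. The function names and the second log line are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Audit line as quoted from dmesg in the thread above.
THREAD_LINE = (
    '[16251.386145] audit: type=1400 audit(1593655743.132:1282): '
    'apparmor="DENIED" operation="open" profile="snap.docker.compose" '
    'name="/home/karosuo/.PyCharm2018.1/system/tmp/docker-compose.override.195.yml" '
    'pid=27810 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'
)
# Constructed line (not from the thread): same denial for a path under ~/.cache.
CONSTRUCTED_LINE = THREAD_LINE.replace(
    "/home/karosuo/.PyCharm2018.1/system/tmp/docker-compose.override.195.yml",
    "/home/karosuo/.cache/JetBrains/tmp/docker-compose.override.1.yml",
)

# key=value pairs; values are either double-quoted or a bare token.
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    fields = {key: value.strip('"') for key, value in KEY_VALUE.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def hidden_home_dir(path, home_root="/home"):
    """Return the dot-directory directly under /home/<user>/ that holds path, if any."""
    parts = PurePosixPath(path).parts  # ('/', 'home', '<user>', '<first dir>', ...)
    if len(parts) > 3 and "/" + parts[1] == home_root and parts[3].startswith("."):
        return parts[3]
    return None

def explain(line):
    """Summarise one denial: which profile blocked which process on which file."""
    d = parse_denial(line)
    if d is None:
        return None
    return {
        "profile": d.get("profile", ""),
        "snap_confined": d.get("profile", "").startswith("snap."),
        "process": d.get("comm"),
        "path": d.get("name"),
        "denied_mask": d.get("denied_mask"),
        "hidden_home_dir": hidden_home_dir(d.get("name", "")),
    }

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_LINE):
        print(explain(line))
```

A non-empty `hidden_home_dir` together with `snap_confined` being true points at snap confinement rather than ordinary file permissions, which is why creating a file in that directory by hand succeeds while the snap-packaged docker-compose is still refused.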