Python remote interpreter docker-compose permission denied

Answered

I tried to adding docker compose project as written in https://blog.jetbrains.com/pycharm/2017/03/docker-compose-getting-flask-up-and-running/.

I can run the project from Run configuration without issues. Also if I choose as remote interpreter just Dockerfile it works fine.

If I try to add python remote interpreter docker compose following happens:

 



Failed to run single Docker Compose service web: .IOError: [Errno 13] Permission denied: '/home/filip/work/videmi/videmi/docker-compose.yml'

Versions:

$ docker --version
Docker version 1.13.1, build 7f1fa5c-unsupported
$ docker-compose --version
docker-compose version 1.17.1, build 6d101fb

 

PyCharm 2017.3.3 (Professional Edition)
Build #PY-173.4301.16, built on January 11, 2018
Licensed to Filip Dobrovolný
Subscription is active until January 16, 2019
JRE: 1.8.0_152-release-1024-b11 amd64
JVM: OpenJDK 64-Bit Server VM by JetBrains s.r.o
Linux 4.15.16-300.fc27.x86_64

Docker compose

version: "3"
services:
db:
image: postgres
restart: always
environment:
POSTGRES_PASSWORD: psql_passwd
ports:
- "5432:5432"
redis:
restart: always
image: redis:alpine
expose:
- "6379"
web:
build:
context: .
dockerfile: Dockerfile.dev
image: videmi_app:latest
command: yarn start
volumes:
- .:/code:Z
ports:
- "3000:3000"
- "3001:3001"
- "8000:8000"
environment:
- DEBUG=true
- DATABASE_URL=postgres://postgres:psql_passwd@db:5432/postgres
- REDIS_URL=redis://redis
depends_on:
- db
- redis

 

9 comments
Comment actions Permalink

Hi,

Could you please try the latest PyCharm version, which is currently 2018.1.3?

Previous PyCharm versions used the Docker Compose image and they mounted docker-compose.yml configuration files into the Docker Engine, which in some cases may have caused an IOError.

0
Comment actions Permalink

I have 2018.3.3 and the same problem:

0
Comment actions Permalink

I have the same problem as well - same like Paulo.

0
Comment actions Permalink

For anyone with permission denied error - please try to create a file in /home/<your_current_user>/.PyCharm2018.3/system/tmp/docker

Just any file, to test the access permission, using the same user you're running PyCharm from.

0
Comment actions Permalink

I can create files in `/home/<your_current_user>/.PyCharm2018.3/system/tmp/docker` - it's not obvious where the permission error is coming from.

I'm able to start and stop docker-compose from the command-line. I'm using the latest version of PyCharm.

I get the exact same error with the EAP version of PyCharm, so I wonder if it's something odd about how Docker runs on my Ubuntu PC.

0
Comment actions Permalink

I think this is a problem with the version of Docker Compose installed via Snap.

I fixed this problem by uninstalling the Snap version of Docker, re-installing Docker-CE (from the instructions on Docker's web-page), and then installing the latest version of docker-compose via Pip.

2
Comment actions Permalink

Salim Fadhley, I think my case is what you're describing.

Currently, I have installed docker-compose 1.25.5 and even when I can run the container correctly with

sudo docker-compose -f local.yml up

I'm really struggling to run it with pycharm.
I even tried to run the same command as pycharm, but in a different terminal and with sudo:

sudo /snap/bin/docker-compose -f local.yml -f ~/.Pycharm2018.1/system/tmp/docker-compose.override.92.yml

But still having the same output:

ERROR: PermissionError: [Errno 13] Permission denied: '...'

Which is unexpected, as you said maybe problem with the docker-compose version

 

Any help, most appreciated.

Thanks

0
Comment actions Permalink

Ok, I've been reading some extra information and digging deeper. As far as I understand, seems that the apparmor profile snap.docker.compose is blocking the access to the .yml file, I tried to add that directory to the homedirs of apparmor with

sudo dpk-reconfigure apparmor

But nothing changed, app armor profile still blocking this, as I can see on the last dmsg messages

[16251.386145] audit: type=1400 audit(1593655743.132:1282): apparmor="DENIED" operation="open" profile="snap.docker.compose" name="/home/karosuo/.PyCharm2018.1/system/tmp/docker-compose.override.195.yml" pid=27810 comm="python3" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Just trying to relate information here, so maybe helps someone else.
Also I saw here https://forum.snapcraft.io/t/docker-fails-with-permission-denied-inside-containers/17602/16 

that Salim was, again, right on uninstalling the snap docker version and installing the CE version.

0
Comment actions Permalink

Salim has pointed out a part of the solution to this problem. The problem is with the apparmor profile snap.docker.compose used by snap to run docker-compose which is too restrictive (that's kind of a good thing, but it will lead to a permission denied in intellij and pycharm as described in issue description).

Apparmor is well documented here with instructions on how to debug:
https://ubuntu.com/server/docs/security-apparmor

We can see the error in `journalctl -xef` or `dmesg` as shown in Karosu's post.
 
Workaround 1:
uninstall docker and docker-compose from snap and install using docker-ce and docker-compose from pip.
snap remove docker
then follow command line instructions as shown in https://docs.docker.com/engine/install/ubuntu/ and install docker-compose with pip:
pip install docker-compose

Workaround 2 (almost'):

The idea would be to update `snap.docker.compose` apparmor profile to allow personal-files or specific files (such as `~/.cache`)

Note: it would be nice, but I did not manage to do it (yet)

all in all, it's a good idea to restrict access to personal files. I don't want docker to access my ssh keys you know. That's why we're getting this error with the docker version installed from snap.

In my case, error was the following:

.PermissionError: [Errno 13] Permission denied: '/home/gableroux/.cache/JetBrains/IntelliJIdea2021.1/tmp/docker-compose.override.yml'

Process finished with exit code 1

See Profile customization section in https://help.ubuntu.com/community/AppArmor

I didn't manage to find where to customize it, but digging a bit more, I found this:

https://snapcraft.io/docs/home-interface

So I went on a journey to find https://github.com/docker-snap/docker-snap/blob/main/snap/snapcraft.yaml#L10-L12

Turns out the snap has the home plug already. so does compose as seen here: https://github.com/docker-snap/docker-snap/blob/main/snap/snapcraft.yaml#L97

So digging yet a bit more and I found the following nice comment:

https://github.com/docker-snap/docker-snap/issues/7#issuecomment-702884534

So solution would probably be to manage to add `personal-files` plug to the docker-snap or find a way to specify which folder we want to access, but from what I've read so far, this can be done by snap creators and not actual users. I would have liked to be able to tell something like hey docker-snap, I authorize you to access `~/.cache/JetBrains`.

Instead, I must uninstall that snap, lose these great security concepts I just learned about and install docker using official docs and know that docker can have access to personal files without any limitations.

0

Please sign in to leave a comment.