I'm working on a Docker container that builds and processes PDF files. The container needs to work consistently across all platforms (lin/win/mac) allowing users to run scripts without installing numerous dependencies on their local systems.
Here's my (draft) Dockerfile:
FROM alpine:latest AS po4a-builder
ARG PO4A_VERSION=0.73
ENV PO4A_GH_URL=https://github.com/mquinson/po4a/releases/download
RUN apk add --no-cache wget && \
    wget --quiet ${PO4A_GH_URL}/v${PO4A_VERSION}/po4a-${PO4A_VERSION}.tar.gz && \
    mkdir -p /po4a && \
    tar -xf po4a-${PO4A_VERSION}.tar.gz -C /po4a --strip-components=1 && \
    rm po4a-${PO4A_VERSION}.tar.gz

FROM alpine:latest
ENV PATH="/opt/texlive/texdir/bin/x86_64-linuxmusl:/opt/po4a:${PATH}" \
    PERL5LIB="/opt/po4a/lib"
COPY --from=po4a-builder /po4a /opt/po4a
COPY texlive.profile /
COPY texlive_pgp_keys.asc /
RUN apk --no-cache add \
        bash \
        curl \
        fontconfig \
        ghostscript \
        gnupg \
        git \
        grep \
        imagemagick \
        inkscape \
        make \
        perl \
        poppler-utils \
        tar \
        wget \
        xz \
        perl-unicode-linebreak \
        perl-yaml \
        gettext \
        gettext-dev \
        perl-dev \
        opensp \
    && apk add --no-cache --virtual .build-deps \
        build-base \
        perl-app-cpanminus \
    && wget -q https://cpan.metacpan.org/authors/id/R/RA/RAAB/SGMLSpm-1.1.tar.gz \
    && tar -xzf SGMLSpm-1.1.tar.gz \
    && cd SGMLSpm-1.1 \
    && perl Makefile.PL \
    && make install \
    && cd .. \
    && rm -rf SGMLSpm-1.1 SGMLSpm-1.1.tar.gz \
    && CFLAGS="-I/usr/include" LIBS="-L/usr/lib -lintl" cpanm --no-wget Locale::gettext \
    && cpanm --no-wget Text::WrapI18N \
    && cpanm --no-wget Term::ReadKey \
    && cpanm --no-wget Pod::Parser \
    && cpanm --no-wget YAML::Tiny \
    && cpanm --no-wget Unicode::GCString \
    && apk del .build-deps
RUN mkdir -p /tmp/install-tl && \
    cd /tmp/install-tl && \
    MIRROR_URL="$(curl -fsS -w "%{redirect_url}" -o /dev/null https://mirror.ctan.org/)" && \
    echo "Using mirror: ${MIRROR_URL}" && \
    curl -fsSOL "${MIRROR_URL}systems/texlive/tlnet/install-tl-unx.tar.gz" && \
    curl -fsSOL "${MIRROR_URL}systems/texlive/tlnet/install-tl-unx.tar.gz.sha512" && \
    curl -fsSOL "${MIRROR_URL}systems/texlive/tlnet/install-tl-unx.tar.gz.sha512.asc" && \
    gpg --import /texlive_pgp_keys.asc && \
    gpg --verify ./install-tl-unx.tar.gz.sha512.asc ./install-tl-unx.tar.gz.sha512 && \
    sha512sum -c ./install-tl-unx.tar.gz.sha512 && \
    mkdir -p /tmp/install-tl/installer && \
    tar --strip-components 1 -zxf /tmp/install-tl/install-tl-unx.tar.gz -C /tmp/install-tl/installer && \
    /tmp/install-tl/installer/install-tl --profile=/texlive.profile --scheme=small && \
    /opt/texlive/texdir/bin/*/tlmgr install \
        adjustbox \
        bigfoot \
        catchfile \
        changepage \
        collection-binextra \
        collection-fontsrecommended \
        collection-latex \
        collection-latexrecommended \
        collection-pictures \
        enumitem \
        etexcmds \
        footmisc \
        fullwidth \
        imakeidx \
        multirow \
        nth \
        oberdiek \
        outlines \
        paracol \
        pdfcol \
        placeins \
        soul \
        sttools \
        svg \
        tcolorbox \
        titlesec \
        tocloft \
        transparent \
        varwidth \
        wrapfig \
        xstring \
        zref \
        tools && \
    /opt/texlive/texdir/bin/*/tlmgr path add && \
    /opt/texlive/texdir/bin/*/mktexlsr
RUN mkdir -p /etc/fonts/conf.d && \
    ln -s /opt/texlive/texdir/texmf-var/fonts/conf/texlive-fontconfig.conf /etc/fonts/conf.d/09-texlive.conf && \
    fc-cache -fv && \
    mkdir -p /root/.texlive2025/texmf-var /root/texmf-var/luatex-cache/generic /root/texmf-var/fonts/cache && \
    chmod -R 777 /root/.texlive2025 /root/texmf-var && \
    chmod -R 777 /opt/texlive/texdir/texmf-var
RUN rm -rf \
        /opt/texlive/texdir/install-tl \
        /opt/texlive/texdir/install-tl.log \
        /opt/texlive/texdir/texmf-dist/doc \
        /opt/texlive/texdir/texmf-dist/source \
        /opt/texlive/texdir/texmf-var/web2c/tlmgr.log \
        /texlive.profile \
        /texlive_pgp_keys.asc \
        /tmp/install-tl && \
    git config --global --add safe.directory /data
WORKDIR /data
CMD ["/bin/bash"]

When I run the container normally (as root), everything works fine:
$ docker run --rm -v "$(pwd):/data" container:tag script-on-host.sh

It works, but all the files produced by the container are root:root owned (which is expected but not ideal). However, if I map user and group ID, I would expect it to work just the same, but produce the files with the same user and group as the one that ran the docker command. Instead, I just get this:

$ docker run --rm -v "$(pwd):/data" --user $(id -u):$(id -g) container:tag script-on-host.sh
env: can't execute 'bash': Permission denied

I've tried chmoding 777 on various directories and files within the container, but I keep encountering different permission issues.
What's particularly confusing is that when I asked someone else to build and run the same container on their machine, it worked perfectly fine with the --user flag. Additionally, when I rebuilt the container using Debian instead of Alpine, it also worked with user mapping - but the image size increased from 1GB to 5GB, which is too much of a trade-off.
As the issue manifests itself only on my OS, why would it occur only with an Alpine-based image and not with Debian-based ones? Are there any specific troubleshooting steps I could take to identify the exact permission problems? Any insights would be greatly appreciated.
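One concrete troubleshooting step for the question above, as an added example that is not part of the original post: a POSIX sh diagnostic that, run inside the image with the same --user flag, walks the chain env(1) follows for a `#!/usr/bin/env bash` script (PATH lookup, search permission on every parent directory, execute bit on the hit) and probes whether the mapped uid can enter and write the bind-mounted work dir. The image name, the script path and the /data mount point are assumptions taken from the question.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Run inside the image with the
# same --user flag (image name and script path are placeholders):
#   docker run --rm -v "$(pwd):/data" --user "$(id -u):$(id -g)" image:tag sh /data/diag.sh

# Classify a path for the current uid: ok | noexec | missing:<path> | notraverse:<dir>.
# A parent dir without search (x) permission also makes exec fail with EACCES.
classify_exec() {
    p="$1"; walk=""; oldifs=$IFS; IFS=/
    for comp in $(dirname "$p"); do
        [ -n "$comp" ] || continue
        walk="$walk/$comp"
        [ -e "$walk" ] || { IFS=$oldifs; echo "missing:$walk"; return 1; }
        [ -x "$walk" ] || { IFS=$oldifs; echo "notraverse:$walk"; return 1; }
    done
    IFS=$oldifs
    [ -e "$p" ] || { echo "missing:$p"; return 1; }
    [ -x "$p" ] || { echo "noexec"; return 1; }
    echo "ok"
}

# Can the current uid enter and write the bind-mounted work dir?
mount_status() {
    [ -d "$1" ] || { echo "missing"; return 1; }
    [ -x "$1" ] || { echo "notraverse"; return 1; }
    probe="$1/.perm-probe.$$"
    if ( : > "$probe" ) 2>/dev/null; then rm -f "$probe"; echo "writable"; else echo "readonly"; fi
}

# Emulate env's PATH search for a command name and classify every hit.
report_cmd() {
    name="$1"; hits=0; oldifs=$IFS; IFS=:
    for d in $PATH; do
        IFS=$oldifs
        [ -e "$d/$name" ] || continue
        hits=$((hits + 1))
        echo "$name -> $d/$name: $(classify_exec "$d/$name")"
    done
    IFS=$oldifs
    [ "$hits" -gt 0 ] || echo "$name: not found in PATH=$PATH"
}

report() {
    echo "running as uid=$(id -u) gid=$(id -g) groups=$(id -G)"
    report_cmd env; report_cmd bash
    echo "workdir $1: $(mount_status "$1")"
}
report "${1:-/data}"
```

Comparing its output under plain `docker run` and under `docker run --user` shows which step changes from ok to noexec/notraverse, which is the file or directory to inspect with `ls -ld` on the host and in the image.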
Side note: podman, thanks to its daemonless nature, worked like a charm without any group/mapping nonsense. This is the way, I guess. I'll create a wrapper script which chooses the engine depending on what's installed on the host OS. It's a shame I couldn't get docker to work, though.