all: flailing around trying to get bind-mount permissions working.
My goal is to bind mount a volume in a container, so that:
- (a) the container does NOT run the entry point as root user
- (b) the docker-daemon is configured with --userns-remap, so that container doesn't have root on the host
- (c) I can bind-mount and read/write a volume read-writable by my ordinary user (UID:GID 1000 on the host) using a container
- (d) when the files are created, they all have permissions as my regular host user, not root or nobody.
From a security perspective, we want to avoid containers having root on the host -- that's kind of a no-brainer -- that's requirement (b). Requirements a, c, and d come from the desire to send container logs to a bind-mounted dir on the filesystem, so they can be digested by Splunk. This configuration is/will be the preferred way to do logging on Kubernetes (see here for more detail on that).
Does anyone have a way to get all 4 of the requirements above?
Here is the easiest way to see the problem. Run Docker with --userns-remap:
DOCKER_OPTS="--userns-remap=1000:1000"
Start container alpine, run it as root. Observe permissions on foo.txt are nobody. I expect them to be either root or 1000:1000 since that's what they are on the filesystem:
dcowden@ubuntu:~/gitwork/file-perm-stuff$ docker run --rm -it -v /home/dcowden/gitwork/file-perm-stuff/testlogs:/logs alpine /bin/sh
/ # ls -ln /logs
total 0
-rw-rw-r-- 1 65534 65534 0 Aug 20 19:08 foo.txt
/ # exit
Exit the container, and look at the files. Observe they are 1000:1000 owned, so userns remap has screwed them up:
dcowden@ubuntu:~/gitwork/file-perm-stuff$ ls -ln testlogs
total 0
-rw-rw-r-- 1 1000 1000 0 Aug 20 15:08 foo.txt
dcowden@ubuntu:~/gitwork/file-perm-stuff$ ls -ln .
total 8
-rw-rw-r-- 1 1000 1000 248 Aug 20 16:07 Dockerfile
drwxrwxr-x 2 1000 1000 4096 Aug 20 16:09 testlogs
A more sophisticated Dockerfile, trying to create a non-privileged container user, also fails, though that's pretty clear since it already doesn't work with root. It is not as complex as the dynamic solution from 2, but it still fails:
FROM alpine:3.4
ENV USER_ID=1000
ENV USER_NAME="appuser"
RUN addgroup -g $USER_ID -S $USER_NAME
RUN adduser -u $USER_ID -S -G $USER_NAME $USER_NAME
RUN mkdir /logs && chown $USER_NAME:$USER_NAME /logs
VOLUME /logs
WORKDIR /logs
USER $USER_NAME
I am aware of this similar question, but it doesn't provide an answer. In fact, simply using --userns-remap=1000:1000 produces a suitable /etc/subuid configuration without any manual edits required, but still does not work with the bind mount.
I am also aware of this answer, and this one too, but I appear to have matched the user IDs as both suggest, without a suitable result.
I followed the instructions here, and I achieved a setup that meets all requirements except (b) above -- that is, it works great when I'm not using userns-remap.
When I add this line to DOCKER_OPTS (enabling userns-remap):
--userns-remap=1000:1000
Then the whole thing stops working, and nothing I do seems to work. The bind-mounted volume appears to be owned by nobody. I've tried the following things, none of which have any effect:
- add Z option to the end of the volume mapping
- run this command on the host: 'chcon -Rt svirt_sandbox_file_t /path/to/volume' (from here)
My guess is that something is going wrong due to the fact that I'm simultaneously telling Docker to map the container root user to my UID (1000), and ALSO creating another user with that same UID:GID explicitly. That should be fine -- in the container, root is 0:0, and I create UID:GID 1000:1000 also. When files are created, both root and non-root should create files with ownership 1000:1000. When running the image as both non-root and root, this is in fact the case.
It's just that everything fails when trying to write to a bind-mounted volume.
Here's my setup:
Docker 1.12
Ubuntu 14.04
Unprivileged UID:GID on host: 1000:1000
Docker info:
Containers: 1
Running: 0
Paused: 0
Stopped: 1
Images: 41
Server Version: 1.12.1
Storage Driver: aufs
Root Dir: /var/lib/docker/100000.100000/aufs
Backing Filesystem: extfs
Dirs: 25
Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: host null bridge overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor
Kernel Version: 3.13.0-83-generic
Operating System: Ubuntu 14.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 7.785 GiB
Name: ubuntu
ID: 2OO6:ESDJ:WGQ2:UGEQ:5ULF:MXNY:E5XC:WWWN:KJGJ:X2GT:I6VV:V2DN
Docker Root Dir: /var/lib/docker/100000.100000
Debug Mode (client): false
Debug Mode (server): false
Username: dcowden
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
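The ownership the question shows (nobody inside, 1000:1000 outside) follows directly from how --userns-remap translates IDs through the host's subordinate-ID range. The script below is an added example, not code from the question or from Docker; it assumes a constructed /etc/subuid line for the host user that matches the "100000.100000" root dir visible in the docker info output above.

```shell
#!/bin/sh
# Added example (not from the original question): given a subordinate-ID
# range in the format docker's --userns-remap reads from /etc/subuid
# (user:start:count), show how a UID is translated between container and host.
#
# Constructed sample range: host user "dcowden" (UID 1000) owns the block
# 100000-165535, matching "Docker Root Dir: /var/lib/docker/100000.100000".
# On a real host this line comes from /etc/subuid (and /etc/subgid for GIDs).
SUBUID_LINE="dcowden:100000:65536"

range_start() { echo "$1" | cut -d: -f2; }
range_len()   { echo "$1" | cut -d: -f3; }

# Container UID -> host UID. Container root (0) becomes the start of the
# range, so a file written by container root lands on the host as 100000,
# and one written by the Dockerfile's appuser (1000) lands as 101000,
# never as the host user 1000.
container_to_host() {
    cuid=$1; line=$2
    start=$(range_start "$line"); len=$(range_len "$line")
    if [ "$cuid" -ge 0 ] && [ "$cuid" -lt "$len" ]; then
        echo $((start + cuid))
    else
        echo "unmapped"
    fi
}

# Host UID -> what the container sees. A host UID outside the range has no
# mapping inside the user namespace, so the kernel reports the overflow ID
# 65534 ("nobody"), which is exactly what `ls -ln /logs` printed above for
# the host-owned foo.txt.
host_to_container() {
    huid=$1; line=$2
    start=$(range_start "$line"); len=$(range_len "$line")
    if [ "$huid" -ge "$start" ] && [ "$huid" -lt $((start + len)) ]; then
        echo $((huid - start))
    else
        echo 65534
    fi
}

# Walk through the IDs from the question when run directly.
for cuid in 0 1000; do
    echo "container $cuid -> host $(container_to_host "$cuid" "$SUBUID_LINE")"
done
for huid in 1000 101000; do
    echo "host $huid -> container $(host_to_container "$huid" "$SUBUID_LINE")"
done
```

The mapping makes the two requirements collide: with remapping on, no container UID can translate to host UID 1000 unless 1000 itself lies inside the subordinate range assigned to the daemon.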