Docker userns-remap cannot write to mounted direct

2020-03-19 05:02发布

问题:

I am trying out the userns-remap feature of Docker to create a file inside a container as root user and have the owner of this file as test user on the host.

I've added the following to the /etc/docker/daemon.json

{
  "userns-remap": "test:test"
}

The remapping seems to have taken place based on the daemon logs

User namespaces: ID ranges will be mapped to subuid/subgid ranges of: test:test

and the entries test:100000:65536 and test:100000:65536 have been added to /etc/subuid and /etc/subgid/ files, respectively.

But when I start a container and try to create a file in the working dir, it fails

test@box:~$ docker run -v /home/test/tmp:/somedir -w /somedir -it ubuntu:16.04 /bin/bash
root@11ff6c42ffe1:/somedir# touch file.txt
touch: cannot touch 'file.txt': Permission denied

root@11ff6c42ffe1:/somedir# ls -l
total 0
-rw-rw-r-- 1 nobody nogroup 0 Mar 23 21:39 already_existing_file.txt

root@11ff6c42ffe1:/somedir# id root
uid=0(root) gid=0(root) groups=0(root)

root@11ff6c42ffe1:/somedir# touch /file.txt

Creating the file in some other directory that is not mounted from the host works as expected.

Also, if 777 permission is granted to the mounted directory, in this case /home/test/tmp on the host, file can be created successfully from inside the container. However, the newly created file has the following permissions on the host:

ls -l /home/test/tmp
total 0
-rw-r--r-- 1 165536 165536 0 march 29 01:36 file.txt 

User with id 165536 is not present in the /etc/passwd which brings us back to the start. I would expect that the root user inside the container has the same permissions as the test user on the host and that the files created by root user in the container have the owner on the host that is mapped using userns-remap, i.e. test.

It is stated in the docs that

...if volumes are mounted from the host, file ownership must be pre-arranged need read or write access to the volume contents.

... One notable restriction is the inability to use the mknod command. Permission is denied for device creation within the container when run by the root user.

Does this mean that root user inside the container cannot create files/directories inside the mounted directory, even though the owner of the mounted directory is the user that root maps to using userns-remap, in this case test?

Any ideas how to make the working directory also writable by the user inside the container?


Docker version: 18.03.0
Ubuntu version: 16.04.1
Kernel version: 4.13.0-36-generic

Steps to reproduce

sudo adduser test
sudo usermod -aG docker test
sudo echo '{ "userns-remap": "test"}' >> /etc/docker/daemon.json
service docker restart
su - test
mkdir tmp
docker run -v /home/test/tmp:/somedir ubuntu:16.04 touch /somedir/file.txt

Here are some similar questions, but not quite the same, as I would like to make this work without modifying the Dockerfile:

  • Docker and --userns-remap, how to manage volume permissions to share data between host and container? - exactly what is asked in this question, too, but there was no answer for 2 years, so keeping this question open
  • docker non-root bind-mount permissions, WITH --userns-remap
  • Can I control the owner of a bind-mounted volume in a docker image?
  • Docker can't write to directory mounted using -v unless it has 777 permissions

回答1:

to answer your question, the best way is to use 'user namespace' feature of the docker engine.

here's an example of how to use. let's say your host user is myuser with id 3000

add myuser:3000:65536 to your /etc/subuid and /etc/subgid files

update your /etc/docker/daemon.json with this:

{
  "userns-remap": "myuser"
} 

don't forget to restart your docker engine :)

and that's it , all files belonging to your myuser local account will belong to id 0 is your container and the opposite will true as well.

This should help you fix your issue.

Let me know