I am trying out the userns-remap feature of Docker to create a file inside a container as the root user and have the owner of this file be the test user on the host.

I've added the following to /etc/docker/daemon.json:

```json
{
  "userns-remap": "test:test"
}
```
The remapping seems to have taken place based on the daemon logs:

```
User namespaces: ID ranges will be mapped to subuid/subgid ranges of: test:test
```

and the entries `test:100000:65536` and `test:100000:65536` have been added to the /etc/subuid and /etc/subgid files, respectively.
But when I start a container and try to create a file in the working dir, it fails:

```
test@box:~$ docker run -v /home/test/tmp:/somedir -w /somedir -it ubuntu:16.04 /bin/bash
root@11ff6c42ffe1:/somedir# touch file.txt
touch: cannot touch 'file.txt': Permission denied
root@11ff6c42ffe1:/somedir# ls -l
total 0
-rw-rw-r-- 1 nobody nogroup 0 Mar 23 21:39 already_existing_file.txt
root@11ff6c42ffe1:/somedir# id root
uid=0(root) gid=0(root) groups=0(root)
root@11ff6c42ffe1:/somedir# touch /file.txt
```
Creating the file in some other directory that is not mounted from the host works as expected.
Also, if 777 permission is granted to the mounted directory, in this case /home/test/tmp on the host, the file can be created successfully from inside the container. However, the newly created file has the following permissions on the host:

```
ls -l /home/test/tmp
total 0
-rw-r--r-- 1 165536 165536 0 march 29 01:36 file.txt
```
The user with id 165536 is not present in /etc/passwd, which brings us back to the start. I would expect that the root user inside the container has the same permissions as the test user on the host and that the files created by the root user in the container have the owner on the host that is mapped using userns-remap, i.e. test.

It is stated in the docs that

> ...if volumes are mounted from the host, file ownership must be pre-arranged need read or write access to the volume contents.
>
> ... One notable restriction is the inability to use the mknod command. Permission is denied for device creation within the container when run by the root user.
Does this mean that root user inside the container cannot create files/directories inside the mounted directory, even though the owner of the mounted directory is the user that root maps to using userns-remap, in this case test?
Any ideas how to make the working directory also writable by the user inside the container?
Docker version: 18.03.0
Ubuntu version: 16.04.1
Kernel version: 4.13.0-36-generic
Steps to reproduce:

```bash
sudo adduser test
sudo usermod -aG docker test
# tee writes the file as root; a plain 'sudo echo ... >> file' would run the
# redirect as the unprivileged shell and would also append to any existing JSON
echo '{ "userns-remap": "test" }' | sudo tee /etc/docker/daemon.json
sudo service docker restart
su - test
mkdir tmp
docker run -v /home/test/tmp:/somedir ubuntu:16.04 touch /somedir/file.txt
```
Here are some similar questions, but not quite the same, as I would like to make this work without modifying the Dockerfile:
- Docker and --userns-remap, how to manage volume permissions to share data between host and container? - exactly what is asked in this question, too, but there was no answer for 2 years, so keeping this question open
- docker non-root bind-mount permissions, WITH --userns-remap
- Can I control the owner of a bind-mounted volume in a docker image?
- Docker can't write to directory mounted using -v unless it has 777 permissions
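The ownership seen above (container root writing files as 165536, a host-owned file showing up as nobody/nogroup inside the container) follows from how the subuid/subgid ranges are applied. The following is an added example, not code from the question or any answer: it parses an /etc/subuid-style file and computes, for a remapped user, which host id a container id is written to disk as and under which id a host-owned file appears inside the container. It assumes the documented subid format (name:start:count), the rule that Docker concatenates the user's ranges in file order so that container id 0 is the first id of the first range, and the kernel's overflow id 65534 (nobody/nogroup) for unmapped ids. The sample file content is constructed; the code also handles a user with several ranges, which goes beyond the single-range case in the question.

```python
"""Resolve Docker userns-remap id mappings from /etc/subuid or /etc/subgid.

Added example (not from the page). Assumptions: subid lines are
name:start:count, a user's ranges are concatenated in file order so that
container id 0 maps to the start of the first range, and ids without a
mapping are shown inside the container as the overflow id 65534.
"""
from dataclasses import dataclass
from typing import List, Optional

OVERFLOW_ID = 65534  # presented as nobody/nogroup inside the container

# Constructed sample of an /etc/subuid file; read your own host's file for real values.
SAMPLE_SUBUID = """\
# name:start:count
dockremap:100000:65536
test:165536:65536
"""


@dataclass(frozen=True)
class IdRange:
    name: str
    start: int
    count: int


def parse_subid(text: str) -> List[IdRange]:
    """Parse /etc/subuid or /etc/subgid content; blank and '#' lines are skipped."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 3:
            raise ValueError(f"malformed subid entry: {raw!r}")
        name, start, count = fields
        ranges.append(IdRange(name, int(start), int(count)))
    return ranges


def load_subid(path: str) -> List[IdRange]:
    """Read and parse a real subid file, e.g. load_subid('/etc/subuid')."""
    with open(path, encoding="utf-8") as fh:
        return parse_subid(fh.read())


def container_to_host(container_id: int, user: str, ranges: List[IdRange]) -> Optional[int]:
    """Host id that a uid/gid seen inside the container is written to disk as."""
    offset = container_id
    for r in (r for r in ranges if r.name == user):
        if offset < r.count:
            return r.start + offset
        offset -= r.count
    return None  # beyond every range: no host id exists for this container id


def host_to_container(host_id: int, user: str, ranges: List[IdRange]) -> int:
    """In-container uid/gid under which a host-owned file appears."""
    base = 0
    for r in (r for r in ranges if r.name == user):
        if r.start <= host_id < r.start + r.count:
            return base + (host_id - r.start)
        base += r.count
    return OVERFLOW_ID  # unmapped host id (e.g. the remapped user's own uid)


def bind_mount_owner_for(user: str, ranges: List[IdRange], container_id: int = 0) -> int:
    """Host id to chown a bind-mounted directory to so that the given
    container id (root by default) owns it inside the container."""
    host_id = container_to_host(container_id, user, ranges)
    if host_id is None:
        raise ValueError(f"container id {container_id} is not mapped for {user}")
    return host_id


if __name__ == "__main__":
    ranges = parse_subid(SAMPLE_SUBUID)
    print("container root writes files as host uid", container_to_host(0, "test", ranges))
    print("a file owned by host uid 1000 appears in the container as uid",
          host_to_container(1000, "test", ranges))
    print("chown the bind mount to host uid", bind_mount_owner_for("test", ranges))
```

Run it against the real files with `load_subid('/etc/subuid')` and `load_subid('/etc/subgid')` to see which host uid and gid container root is writing as; the host uid of the remapped user itself is normally outside its own subordinate range, which is why a directory owned by that user shows up as nobody/nogroup inside the container and why the docs speak of pre-arranging ownership of the volume contents (for example, chowning the bind mount to the id `bind_mount_owner_for` returns, or granting group access via the mapped gid) rather than relying on the remapping alone.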
To answer your question, the best way is to use the 'user namespace' feature of the Docker engine.

Here's an example of how to use it. Let's say your host user is `myuser` with id 3000. Add

```
myuser:3000:65536
```

to your /etc/subuid and /etc/subgid files. Update your /etc/docker/daemon.json with this:

Don't forget to restart your Docker engine :)

And that's it, all files belonging to your `myuser` local account will belong to id 0 in your container and the opposite will be true as well. This should help you fix your issue.

Let me know