I am on a remote server where I am a user in the group docker. I created two volumes:
docker create volume conan && docker create volume code`
I am using the docker image called conanio/gcc10, so I run:
docker run --rm \
-v code:/home/conan/.code \
-v conan:/home/conan/.conan \
-it conanio/gcc10 /bin/bash
Then in the container environment I have:
drwxr-xr-x 2 conan 1001 4096 Jun 23 01:58 .conan/
drwxr-xr-x 2 root root 4096 Jun 23 01:58 .code/
why they have different owner? .code's owner is root and .conan's owner is conan?
I tried different names and all are the same, only .conan's owner is conan.
I also tried other images as well. Is that because the conan volume matches the user name in the container???
is there a way to use conan for other mounted volume as well?
Related
I want to provide write access to a non-root user in a docker container for a volume mounted on the host. I have the same non-root user and group inside container and host as well.
While running the container, I mount a host volume to it -v /some/folder:/some/folder. I am doing this because my application running inside the docker container needs to write files to the mounted host folder. But since I am running my application as a non-root user, it doesn’t have permission to write to that folder.
Also, I this mounted folder permission is got changed inside the container automatically.
I have given assigned below user and group as an owner to this folder on the host:
“nonrootuser1:nonrootgroup1”
For 'rootful' docker it works fine, but if it's rootless inside the container it is showing below user and group as an owner to this folder:
“root:nobody”
Steps to reproduce this:
Add user and group on the host
groupadd -g 1015 nonrootgroup1
useradd -u 1099 nonrootuser1
Create dir which will be assigned to osquery groupadd on the host:
sudo su
mkdir -p /var/osquery/sock
echo "hello world" > /var/osquery/sock/file.txt
chown root:nonrootgroup1 /var/osquery/sock
chmod g+s /var/osquery/sock/
Create Dockerfile in the home directory :
FROM alpine:3.14
RUN addgroup -g 1015 -S nonrootgroup1
RUN adduser -D nonrootuser1 -u 1099
USER nonrootuser1:nonrootgroup1
CMD ["tail", "-f", "/dev/null"]
Run docker container :
docker run --rm -d --name sample-app -v /var/osquery/sock:/var/osquery/sock $(docker build . -q)
Check the user id of the container :
dmytro#dmytro:~/dev/sample-image$ docker exec sample-app id
uid=1099(nonrootuser1) gid=1015(nonrootgroup1) groups=1015(nonrootgroup1)
check the permissions to the /var/osquery/sock dir inside the container :
Directory /var/osquery/sock is assigned to group 'nobody' instead of 'nonrootgroup1' group
dmytro#dmytro:~/dev/sample-image$ docker exec sample-app ls -lah /var/osquery
total 12K
drwxr-xr-x 3 root root 4.0K Dec 28 10:47 .
drwxr-xr-x 1 root root 4.0K Dec 28 10:47 ..
drwxr-s--- 2 nobody nobody 4.0K Dec 28 09:34 sock
Host details are mentioned below:
Kernel Version: 5.4.0-135-generic
Operating System: Ubuntu 20.04.5 LTS
Storage Driver: overlay2
Please suggest.
Thanks!
I tried to setup in the daemon.json "userns-remap" config, but docker daemon doesn't start with it, because it lacks permission to create dockremap user and group.
So far I have not had this problem. I am running a container image in a remote workstation. Different than normal, this workstation is not connected to the internet and I had to initiate the docker deamon manually. (for reference)
After this to run the container I tried to do
docker run -it -t --rm --gpus all --env CUDA_VISIBLE_DEVICES -v "/mnt/disco/projects/ThisProject/:/home/ThisProject/" -w "/
home/ThisProject/" container_image:latest /bin/bash
When I do this I got into the container on folder /home/ThisProject with root user but I cannot ls here. I do cd .. and ls -l and I can see that the ThisProject folder has this
drwxrws--- 7 nobody nogroup 4096 Jul 21 07:30 ThisProject
As you can see the owner is "nobody"
What can I do to correct this?
I'm mounting my hosts /tmp/docker to /home/vault/tmp/ in my container but the user vault in my container does not have write permissions even though on my host, /tmp/docker is set to 777 and the uid and gid values are set to the same in the host & the container too. How can I fix this and make sure that my user vault has write/owner permissions?
HOST
$ ls -la /tmp/docker/
total 8
drwxrwxrwx 2 ron ron 4096 Feb 5 19:34 .
drwxrwxrwt 12 root root 4096 Feb 13 09:49 ..
ron#ENGDEV:~/novax-prs/docker$ id -u; id -g
1003
1003
GUEST
$ ls -la /home/vault/tmp/
total 8
drwxr-xr-x 2 root root 4096 Feb 13 06:47 .
drwxr-xr-x 1 vault vault 4096 Feb 13 18:06 ..
vault#novax_prs_build:~$ id -u; id -g
1003
1003
bind mount
docker run -it \
-e LOCAL_USER_ID=`id -u` \
--user "$(id -u):$(id -g)" \
-v ${dir}:/home/vault/ccimx6ulstarter \
-v /tmp/docker:/home/vault/tmp:Z \
${name}
funny enough, the /home/vault/ccimx6ulstarter/ directory has user the permissions set correctly in the container.
Your /tmp folder probably uses tmpfs which behaves differently than for example ext4, especially when it comes to SELinux labeling (with the :Z option).
Try using a folder which lies on an ext4 filesystem.
created a ~/tmp_docker/ in the host user's home directory and bind mounted that with -v, got the correct permissions in the container and will use this and can use this as ~/tmp/ in my container!
Saying this, I'm not sure why my host's /tmp/docker/ would not bind with the correct permissions.
I'm trying to understand when containers copy preexisting files into a mounted volume on the same directory. For example
FROM ubuntu
RUN mkdir /testdir
RUN echo "Hello world" > /testdir/file.txt
running:
#docker create volume vol
#docker run -dit -v vol:/testdir myimage
#docker exec -it 900444b7ab86 ls -la /testdir
drwxr-xr-x 2 root root 4096 May 11 18:43 .
drwxr-xr-x 1 root root 4096 May 11 18:43 ..
-rw-r--r-- 1 root root 6 May 11 17:53 file.txt
The image for example also has files in:
# docker exec -it 900444b7ab86 ls -la /etc/cron.daily
total 20
drwxr-xr-x 2 root root 4096 Apr 26 21:17 .
drwxr-xr-x 1 root root 4096 May 11 18:43 ..
-rwxr-xr-x 1 root root 1478 Apr 20 10:08 apt-compat
-rwxr-xr-x 1 root root 1176 Nov 2 2017 dpkg
-rwxr-xr-x 1 root root 249 Jan 25 15:09 passwd
But for example when I run it with
docker run -it 900444b7ab81 -v vol:/etc/cron.daily
The directory is now empty..
Why don't the files get copied this time?
#docker run -dit -v vol:/testdir
That is not a valid docker command, there's no image reference included, so there's nothing for docker to run.
docker run -it 900444b7ab81 -v vol:/etc/cron.daily
This will attempt to run the image 900444b7ab81 with the command -v vol:/etc/cron.daily. Before you had a container id with a very similar id, so it's not clear that you aren't trying to do a run with a container id instead of an image id. And the command -v likely doesn't exist inside the container.
The order of these arguments is important, the first thing after the run that isn't an option or arg to the previous option is treated as the image reference. After that reference, anything else passed is a command to run in the container. So if you wanted to mount the volume, you need to move that option before the image id.
I'm trying to understand when containers copy preexisting files into a mounted volume on the same directory.
With named volumes, docker initializes an empty named volume upon creation of the container with the contents of the image at that location. Once the volume has files in it, it will be mapped as is into the container on any subsequent usage, so changes to the image at the same location will not be seen.
Is there any way to mount a named volume as a non-root user? I am trying to avoid having to run a chown in each Dockerfile but I need the mount to be writable by a non-root user to be able to write the artifacts created by a build in the image
This is what I'm trying
docker run --rm -it -v /home/bob/dev/:/src/dev -v builds:/mnt/build --name build hilikus/build /bin/bash
but for the second mount I get
[user#42f237282128 ~]$ ll /mnt
total 4
drwxr-xr-x 2 root root 4096 Sep 18 19:29 build
My other mount (/src/dev/) is owned by user, not by root so it gives what I need; however, I haven't been able to do the same with the named volume.
The named volume initializes to the contents of your image at that location, so you need to set the permissions inside your Dockerfile:
$ cat df.vf-uid
FROM busybox
RUN mkdir -p /data && echo "hello world" > /data/hello && chown -R 1000 /data
$ docker build -t test-vf -f df.vf-uid .
Sending build context to Docker daemon 23.06 MB
Step 1 : FROM busybox
---> 2b8fd9751c4c
Step 2 : RUN mkdir -p /data && echo "hello world" > /data/hello && chown -R 1000 /data
---> Using cache
---> 41390b132940
Successfully built 41390b132940
$ docker run -v test-vol:/data --rm -it test-vf ls -alR /data
/data:
total 12
drwxr-xr-x 2 1000 root 4096 Sep 19 15:26 .
drwxr-xr-x 19 root root 4096 Sep 19 15:26 ..
-rw-r--r-- 1 1000 root 12 Aug 22 11:43 hello
If you use the new --mount syntax instead of the old -v/--volume syntax it is supposedly possible to assign a uid to the volume's contents via docker volume create somename --opt -o=uid=1000 or something similar.
See https://docs.docker.com/engine/reference/commandline/volume_create/#driver-specific-options
I haven't fully tested this to run as non-root or using the dockremap dynamic user with the userns-map option but hope to soon.