Problem trying to write to a mounted volume from inside the container as a non-root user

I work with the container on which ZooKeeper will be running, but I have problems with permissions on the host volumes that I mount in my container.

This is my setup:

On the host machine (Ubuntu 14.04):

  • Created a system user "zookeeper" (id = 106) and group (id = 111).
  • Created the directory "/var/log/zookeeper" and set its ownership to zookeeper (i.e. chown zookeeper:zookeeper). This is the directory that I will mount in my container.

Inside the container (Ubuntu 14.04):

  • Also created a system user "zookeeper" (id = 102) and group (id = 105), which I use as the user that runs the command in the ENTRYPOINT.
  • Created the same directory "/var/log/zookeeper" that will be mounted, and also set its ownership to zookeeper:zookeeper (although I don't think that matters).

As soon as I start my container with /var/log/zookeeper mounted and open a shell inside the container as the zookeeper user (the one created inside the container), I get "Permission Denied" if I try to create a file in the mounted directory /var/log/zookeeper. When I do "ls -l" to look at the ownership of this directory (still inside the container), it looks something like this:

drwxr-xr-x 2 106 111 4096 Jun 30 17:18 zookeeper

106 and 111 in this case correspond to the zookeeper user and group IDs of the host machine, which, in my opinion, is where the problem is. I tried opening a shell inside the container again, but this time logged in as the root user, and the steps described above worked fine, only root was the owner of the created file (which was expected).

From this, I came to the conclusion that I need:

(a) Run the application inside my container as the root user instead of the zookeeper user that I create.

(b) Create the zookeeper user and group both on my host machine and inside the container, with identifiers that match exactly.

Neither option is perfect, because for (a) running the application as root can have potential security problems (from what I read, anyway), and for (b) it can be very difficult to get the identifiers to match, because they may already be taken by other users that have been created (which you have no control over).

Has anyone ever dealt with something like this before? Are there any other possible solutions that I could be overlooking?

+5
2 answers

As far as I know, the user ID and group ID inside the container and on the host machine must match for the host machine to grant you permissions on the shared directory.

+3
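The situation in the question (host directory owned by 106:111 with mode drwxr-xr-x, container user 102:105) and the first answer's point that the numeric ids must match, worked through in a small POSIX shell script. This is an added example, not code from the original post or from any project it mentions. It assumes a Linux host with coreutils (ls, awk, cut); the docker run line at the end is commented usage only and is not executed, and the image name zookeeper-image is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux host with
# coreutils (ls, awk, cut); docker is only shown in the commented usage.

# Numeric owner of a path as "uid:gid". ls -n prints ids instead of names,
# so it works even when the id has no passwd entry, which is exactly why
# the question's ls -l inside the container showed 106 111 instead of names.
owner_ids() {
    ls -ldn "$1" | awk '{ print $3 ":" $4 }'
}

# Decide, from a mode string such as drwxr-xr-x and the numeric owner
# o_uid:o_gid, whether a process running as uid:gid may create entries in
# the directory. This mirrors the kernel's rule: root always may; otherwise
# exactly one class applies (owner if the uid matches, else group if the
# gid matches, else other) and only that class's w bit is consulted.
mode_allows() {
    mode=$1; o_uid=$2; o_gid=$3; uid=$4; gid=$5
    if [ "$uid" -eq 0 ]; then
        return 0
    fi
    if [ "$uid" -eq "$o_uid" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif [ "$gid" -eq "$o_gid" ]; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi
    case $bits in
        *w*) return 0 ;;
    esac
    return 1
}

# Same check against a real path: parse ls -ldn (mode, links, uid, gid, ...)
# and hand the mode and owner ids to mode_allows.
can_write_as() {
    dir=$1; uid=$2; gid=$3
    set -- $(ls -ldn "$dir")
    mode_allows "$1" "$3" "$4" "$uid" "$gid"
}

# Reproduce the question with the values it reports (constructed input):
# host directory owned by 106:111, mode drwxr-xr-x, tried as the container's
# zookeeper user 102:105, as a user with matching ids, and as root.
demo() {
    for who in "102 105" "106 111" "0 0"; do
        set -- $who
        if mode_allows drwxr-xr-x 106 111 "$1" "$2"; then
            echo "uid=$1 gid=$2: ok"
        else
            echo "uid=$1 gid=$2: denied"
        fi
    done
}

demo

# Usage on the host (not executed here): start the container as the numeric
# owner of the mounted directory, so files the entrypoint creates are owned
# by that host uid:gid and the process does not run as root.
#   ids=$(owner_ids /var/log/zookeeper)      # e.g. 106:111
#   docker run --user "$ids" \
#       -v /var/log/zookeeper:/var/log/zookeeper zookeeper-image
```

Passing --user with the host directory's numeric owner is one way to get the match the first answer describes without editing /etc/passwd on either side: the kernel compares numbers only, so the uid does not need a passwd entry inside the container, although tools that look the name up (a shell prompt, ps) will print the bare number, just as ls -l did in the question.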

It is very important to see the difference between a production and a development container. Afaik, there is no real problem if your Docker container is running as root, even in production. However, you will never want to mount a volume in production. If you want to run it as zookeeper, feel free to do it.

// Edit: the more I read, the more I am convinced that there really can be a security problem when running the application with root privileges, so it’s better not to do this in production.

The approach of trying to match uid and gid is only viable for a small / local project - it is really impractical. You can try to set an arbitrarily high uid and gid and then do the same on each of your devs' machines, but that does not mean that everything will be fine.

tl;dr: In development, run chmod -R 0777 on existing files and then umask 0000 so that files and directories created later get those permissions too. Then you can mount and edit your files as you like, regardless of which user created them.

0