I am trying to grant read permissions to group grafana-cloud to files under /var/lib/docker/containers:
#> ls /var/lib/docker/containers/ | head -n1
0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4
#> setfacl -Rdm g:grafana-agent:rx /var/lib/docker/containers
#> setfacl -Rm g:grafana-agent:rx /var/lib/docker/containers
Executing this snippet, it grants permissions to all the files and folders that already exist.
#> getfacl /var/lib/docker/containers/0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---
If I create a new file or folder inside /var/lib/docker/containers, the ACLs are correctly kept:
#> mkdir /var/lib/docker/containers/foo
#> getfacl /var/lib/docker/containers/foo
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/foo
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---
The problem comes when a new container is created, where the ACLs seem not to be applied as I'm expecting:
#> docker run -d busybox
70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
#> getfacl /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x #effective:---
mask::---
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---
#> su - grafana-agent -c "ls /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/"
ls: cannot open directory '/var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/': Permission denied
If I now run the setfacl command again, the ACLs are applied to the new container's file tree and the user can read the files:
#> setfacl -Rm g:grafana-agent:rx /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
#> su - grafana-agent -c "ls /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/"
70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8-json.log checkpoints config.v2.json hostconfig.json hostname hosts mounts resolv.conf resolv.conf.hash
#> getfacl /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
# owner: root
# group: root
user::rwx
user:grafana-agent:r-x
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:user:grafana-agent:r-x
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---
Is there something wrong in my process? It seems the ACLs are not applied in the first place, as we can read #effective:--- next to the grafana-agent user, but I could not find any
I've tried granting the ACLs to the users instead of the group, with the same results.
Thank you.
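As an added example (not part of the question above), the script below reproduces the mask behaviour seen in the post: when a directory inherits a default ACL, its mask entry is the default mask ANDed with the group bits of the creation mode, so a directory created with mode 0700 (as the container directory's user::rwx/group::---/other::--- suggests) gets mask::--- and the inherited group entry becomes ineffective, while re-running setfacl -m recalculates the mask. It assumes setfacl/getfacl are installed, that the filesystem under $TMPDIR (default /tmp) supports POSIX ACLs, and uses the numeric gid 1 as a constructed stand-in for the grafana-agent group.

```shell
#!/bin/sh
# Added example (not from the original post): shows why a directory that inherits
# a default ACL can end up with mask::--- and an "#effective:---" group entry.
# Assumes setfacl/getfacl (the acl package) are installed and the filesystem
# under $TMPDIR (default /tmp) supports POSIX ACLs. The numeric gid below is a
# constructed stand-in for the grafana-agent group; override it with ACL_GID.
ACL_GID=${ACL_GID:-1}

# Print the mask entry of a path ("r-x", "---", ...), or "none" if it has no mask.
acl_mask() {
    m=$(getfacl -c "$1" 2>/dev/null | sed -n 's/^mask::\(.*\)$/\1/p' | head -n 1)
    printf '%s\n' "${m:-none}"
}

# Build a parent with a default ACL granting the group rx (as the setfacl -Rdm in
# the post does), create two children with different modes, then re-apply setfacl
# on the restrictive one. Prints three masks separated by spaces:
#   1. child created with mode 0700: mask = default mask (r-x) AND group bits (---) = ---
#      This is what the post shows for the freshly created container directory.
#   2. child created with mode 0750: mask = r-x AND r-x = r-x, group entry stays effective.
#   3. the 0700 child after setfacl -m: setfacl recomputes the mask, so it becomes r-x.
demo_mask_from_mode() {
    parent=$(mktemp -d "${TMPDIR:-/tmp}/acl-demo.XXXXXX") || return 1
    setfacl -dm "g:${ACL_GID}:rx" "$parent" || { rm -rf "$parent"; return 1; }
    setfacl -m "g:${ACL_GID}:rx" "$parent" || { rm -rf "$parent"; return 1; }

    mkdir -m 700 "$parent/strict"      # a daemon creating a private directory
    mkdir -m 750 "$parent/relaxed"     # group bits present in the creation mode
    strict_mask=$(acl_mask "$parent/strict")
    relaxed_mask=$(acl_mask "$parent/relaxed")

    # The workaround observed in the post: re-running setfacl -m recalculates the mask.
    setfacl -m "g:${ACL_GID}:rx" "$parent/strict"
    fixed_mask=$(acl_mask "$parent/strict")

    rm -rf "$parent"
    printf '%s %s %s\n' "$strict_mask" "$relaxed_mask" "$fixed_mask"
}

# demo_mask_from_mode  # prints "--- r-x r-x"
```

The inherited entry is therefore present but masked out; only a chmod/setfacl that changes the group-class bits after creation (or a creation mode with group bits) makes it effective.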