Score:0

Wrong OWNER USER on folder/file: docker run -v <host>:<container> not working for user defined in Dockerfile

AKS

Host OS: Red Hat Enterprise Linux Server release 7.9 (Maipo)

Guest OS i.e. a Docker container running: OpenSuse 15.2

Docker Version (on Host): Docker version 19.03.5, build 633a0ea

On the host, when I git clone a repository "utilities_scripts", I have valid access for the user (due to umask).

  • I think the issue here is not permission related but WHY the USER defined in the Dockerfile is not getting set as the owner of the folders/files (which are getting mounted) inside the docker container when I issue the following docker run ... command. Setting 755/775 etc. is not an option as I can't chown inside the container as the target docker user, and setting 777 is bad practice.

NOTE:

  1. When I try the same docker image from a different Linux machine, the folder/files are mounted as the user "docker_non_root_user", which is defined in the Dockerfile as USER docker_non_root_user.
  2. docker build ... runs successfully and creates an image, and the container works on a different machine (when I mount the git clone repos inside the container using the -v <host>:<container> docker CLI option syntax).

Code snippet from Dockerfile is:

# Define any mount points references
VOLUME ["/home/docker_non_root_user/git"]

USER docker_non_root_user
WORKDIR /home/docker_non_root_user/git

This is what I see on the host where I have the Dockerfile USER ... ownership issue:

[gigauser@jenkins-projectABC bitbucket_workspace]$ whoami
gigauser
[gigauser@jenkins-projectABC bitbucket_workspace]$ id
uid=gigauser(gigauser) gid=21520(jenkins) groups=21520(jenkins),3000(ectx)

[gigauser@jenkins-projectABC bitbucket_workspace]$ umask
0077
[gigauser@jenkins-projectABC bitbucket_workspace]$ ls -l
total 12
drwx------  5 gigauser jenkins 4096 Feb  3 16:36 utilities_scripts
[gigauser@jenkins-projectABC bitbucket_workspace]$


[gigauser@jenkins-projectABC bitbucket_workspace]$ sudo docker image ls
Active Directory Password:
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
project-im-opensuse   15.2                0c9ee31464cd        43 hours ago        2.39GB
[gigauser@jenkins-projectABC bitbucket_workspace]$

[gigauser@jenkins-projectABC bitbucket_workspace]$
[gigauser@jenkins-projectABC bitbucket_workspace]$ sudo docker run -v $PWD/utilities_scripts:/home/docker_non_root_user/git/utilities_scripts/ -it project-im-opensuse:15.2 bash -c "whoami; id; which bash; bash --version; ls -l; echo; ls -l utilities_scripts; ls -l /home/docker_non_root_user/git/utilities_scripts; id gigauser; echo"

WARNING: IPv4 forwarding is disabled. Networking will not work.


docker_non_root_user
uid=1000(docker_non_root_user) gid=487(docker_non_root_user) groups=487(docker_non_root_user),100(users)

/bin/bash
GNU bash, version 4.4.23(1)-release (x86_64-suse-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
total 8
drwx------ 5 gigauser 21520 4096 Feb  4 00:36 utilities_scripts

ls: cannot open directory 'utilities_scripts': Permission denied
ls: cannot open directory '/home/docker_non_root_user/git/utilities_scripts': Permission denied
id: 'gigauser': no such user

[gigauser@jenkins-projectABC bitbucket_workspace]$

When I run the same command on other Linux machine, I see the mounted utilities_scripts folder's owner is docker_non_root_user.

Question: WHY am I seeing the USER-ID of the host's user (where I'm running the docker run command) getting set inside the docker container on the folder utilities_scripts, when no such user ID was created in the Dockerfile / exists inside the container? (See the 2nd-last line in the output above.) It's currently getting the same owner and folder-level permissions inside the docker container as on the host.

gigauser, i.e. the host's user, is not there in the docker container, but the ls -l output shows gigauser as the owner of the utilities_scripts folder/files in the container. This issue does not occur on the other host machine.

I even checked the /etc/subuid file; it looks OK to me. Changing the value inside to docker's user didn't help. Also, I don't see anything related to this in the /etc/docker/daemon.json file.

$ cat /etc/subuid
gigauser:165536:65536

Running the same docker run ... command above from the other Linux host machine shows the folder ownership inside the docker container as:

drwx------ 5 docker_non_root_user 1000  272 Jan 26 21:52 utilities_scripts
Score:0

I'm not entirely sure I follow your question, as it's a little unclear to me. But, from what I can understand:

Your gigauser numeric ID is not 1000; it looks like it might be 21520. It works on another host because there your local user probably has the numeric ID 1000.

You see the user ID of the host because you're mounting the folder, not copying it. When you mount it, it gets shared into the container with exactly the same permissions/IDs as set on the host, because it's on the host. Containers aren't like VMs with totally separate resources, and even on a VM, if you mount something like an NFS directory, you'll get numeric IDs that may or may not match your local IDs.

Using /etc/subuid requires passing a flag to the run command, and you'd have to do maths to work out the offsets for your user.

mangohost
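As an added example, not code from the question or the answer, the script below makes the answer's point concrete: a bind mount carries the host's numeric uid/gid into the container, the kernel then applies the ordinary owner/group/other check against the container process's numeric ids, and the usual fix is to run the container process as the host uid rather than to chmod 777. It reuses the image name and the container user's ids (uid 1000, gids 487 and 100) from the question; the numeric uid of gigauser is not shown on the page, so HOST_UID is a placeholder, and the two functions that invoke docker assume docker and a coreutils `stat` inside the image. The /etc/subuid function does the offset maths the answer mentions, which only matters if dockerd is started with `--userns-remap`.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Assumptions (labelled): image "project-im-opensuse:15.2" and the container
# user's ids (uid 1000, gids 487,100) come from the question; gigauser's numeric
# host uid is not on the page, so HOST_UID below is a placeholder.
set -eu

# 1. Diagnosis: a bind mount shares the host inode, so the container sees the
#    host's *numeric* uid/gid. Names are looked up in the container's own
#    /etc/passwd, which is why a host-only uid appears as a bare number.
#    (Requires docker and a coreutils stat inside the image; not run by tests.)
show_mount_ownership() {
    dir="$1"
    docker run --rm -v "$dir:/mnt/probe:ro" project-im-opensuse:15.2 \
        stat -c '%u:%g %a %n' /mnt/probe
}

# 2. Which permission triple the kernel applies: user, group or other.
#    proc_gids is comma-separated, as in the output of id -G.
perm_class() {
    owner_uid="$1"; owner_gid="$2"; proc_uid="$3"; proc_gids="$4"
    if [ "$proc_uid" = "$owner_uid" ]; then echo user; return 0; fi
    for g in $(printf '%s' "$proc_gids" | tr ',' ' '); do
        if [ "$g" = "$owner_gid" ]; then echo group; return 0; fi
    done
    echo other
}

# 3. Can a process list and enter a directory? Needs r and x in its triple;
#    root bypasses. mode is octal (e.g. 700). Exit 0 = allowed, 1 = denied.
can_list_dir() {
    mode="$1"; owner_uid="$2"; owner_gid="$3"; proc_uid="$4"; proc_gids="$5"
    if [ "$proc_uid" = 0 ]; then return 0; fi
    case "$(perm_class "$owner_uid" "$owner_gid" "$proc_uid" "$proc_gids")" in
        user)  bits=$(( (0$mode >> 6) & 7 )) ;;
        group) bits=$(( (0$mode >> 3) & 7 )) ;;
        *)     bits=$(( 0$mode & 7 )) ;;
    esac
    [ $(( bits & 5 )) -eq 5 ]
}

# 4. Fix without chmod 777: run the container process with the host uid/gid
#    that owns the tree. The uid need not exist in the container's /etc/passwd;
#    the kernel compares numbers only. HOME is set explicitly because there is
#    no passwd entry to supply one. (Invokes docker; not run by tests.)
run_as_host_user() {
    dir="$1"; shift
    docker run --rm -it \
        --user "$(id -u):$(id -g)" \
        -e HOME=/tmp \
        -v "$dir:/home/docker_non_root_user/git/utilities_scripts" \
        project-im-opensuse:15.2 "$@"
}

# 5. The /etc/subuid maths: a line "name:start:count" means container uid N is
#    host uid start+N, but only when dockerd runs with --userns-remap=name
#    (the question's daemon.json has no such setting, so it does not apply there).
subuid_host_uid() {
    line="$1"; container_uid="$2"
    rest="${line#*:}"; start="${rest%%:*}"; count="${rest#*:}"
    if [ "$container_uid" -ge "$count" ]; then
        echo "uid $container_uid is outside the $count-id range" >&2
        return 1
    fi
    echo $(( start + container_uid ))
}

# Worked values from the question (constructed call; no docker needed):
# directory mode 700 owned by the host user, container user 1000 with gids 487,100.
HOST_UID=21520   # placeholder: the page does not show gigauser's numeric uid
if can_list_dir 700 "$HOST_UID" 21520 1000 487,100; then
    echo "container user 1000 can read the mount"
else
    echo "container user 1000 is denied: mode 700 and neither uid nor gid match"
fi
echo "with userns-remap, container uid 1000 would be host uid $(subuid_host_uid gigauser:165536:65536 1000)"
```

Running the worked section prints the denial, which is exactly the `ls: cannot open directory ... Permission denied` seen in the question; on the other host the same check passes because there the host user's uid is 1000, the same number the image's `USER docker_non_root_user` resolves to. Using `--user "$(id -u):$(id -g)"` at `docker run` time is the least-privilege fix: the process owns the bind-mounted tree by number, nothing in the image has to be chowned, and the directory can stay at 700.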
