-
Notifications
You must be signed in to change notification settings - Fork 1.3k
1.3.0 - Only root can write to OSX volumes / Can't change permissions within #581
Comments
I think I'm having the same issue (latest versions of everything, installed today). In the container, in a directory shared with the host (i.e. mounted through the virtualbox VM):
Is that normal or not? (i.e. I did something wrong) |
So means if I create a cache folder for example that writes new files and folders to disk during execution, I cannot do this right now? Cause I experience the same problem as @mnapoli does.. |
I wrote up a simple test case. Let me know if there's anything else I can do to make this bug easier to fix. First, I create a Dockerfile:
Then create a host volume that I'll mount into the Docker instance at runtime:
When I run the container, I see
Obviously when I then run the docker instance as
I'd imagine if people are trying to boot services in Docker on Mac, they'd want to be able to setup a volume that a service user can write to for persistence. |
Mounting a VBox share as UID 999 will allow the created container user to write as it's usually 999. This is just a fragile hack on the hack but it does allow writing…
|
So can I use this command to set the /Users share to be writeable? |
/Users is a bit special as it's mounted by the boot2docker script (any share matching the names listed in release notes), changing it requires customising the code. I just created a custom share anyway as I don't want to share the whole /Users structure with containers.
|
Thanks for the workaround. |
@tianon ? |
This is bizarre - do we need to tweak something about the way we mount the share? There's nothing special about what we do: https://github.com/boot2docker/boot2docker/blob/master/rootfs/rootfs/etc/rc.d/automount-shares (just |
Indeed, I've just tested here: docker@boot2docker:~$ ls -lAF /
...
drwxr-xr-x 1 docker staff 12288 Oct 23 16:37 Users/
...
docker@boot2docker:~$ echo test > /Users/test
docker@boot2docker:~$ cat /Users/test
test
docker@boot2docker:~$ rm -v /Users/test
rm: remove '/Users/test'? y
docker@boot2docker:~$ So I definitely need more information about what's going wrong if we're going to figure out how to fix it. 😄 |
@tianon Now try with a different user and it will not work. The big problem is that usually, Nginx or MySQL or whatever will run as a different user (www-data, mysql…) so it's impossible to use Docker at all (at least in those situations). |
Right, but how can we fix it? Permissions with volume mounts are one of those "gotchas" that's always a sticky point, so I don't see a good fix for the general case (besides Docker handling the volume sharing more directly, and thus smoothing permissions issues somehow), especially since once you've got it working for "just this one container", you're going to want to spin up another, and it will probably have different UIDs altogether (think |
@tianon above in your example you're running as the docker user in the VM. It'll work just fine there but the container and added users are a different story.
Here's some testing I did with my custom uid=999,gid=50 vboxsf: Test "postgres" container
New container
VM
Now, as you said, it's very difficult to come up with a general fix. And this is actually not that different from the situation of running docker on a Linux host without boot2docker or any other virtualisation layer. Issues with volume folder rights are a challenge there as well. Currently the vboxsf mount is UID / GID 1000:50. That's docker:staff in the VM and, no-one:staff or first user to default group in a container. I changed this to 999:50 which matches the new group and user scenario by UID. GID is still 50 and this allows the VM docker user access and also the container root user is fine. The web server I mount a volume for uses the new group and user scenario as well so it works for me. I don't know… maybe there's a better / more general UID / GID combination but I've seen 999:999 mentioned already a couple times in the Hub for containers' documentation. No surprise as they add both group and a user. But YMMV and that's why I've just done this in bootlocal.sh instead of a pull request. And maybe we need something completely different [from vboxsf] to solve this.
|
Yeah, in the general Linux case this is easier because the permissions Maybe making the exact uid/gid configurable via the persistent storage |
tbh, the right place to do all this is in docker client - which would be the one to create a new share every time, and then the vm mount would be specific to the container - aaaand, for that we need help writing code :) |
Are there any news on this? |
I might be wrong but I don't think there is really much that can be done on the boot2docker side very soon. Every container's needs are going to be different and getting the automatic vbox share working with them all is quite difficult. If the apache2 container does not need to make hard links to the bind mounted volume you should be able to use a custom share with access rights suitable for the apache user. Above you can find my override of the default share but you could also add another one for use with apache
For multiple bind mounts, and different containers, there might need to be multiple different shares depending on the needed UIDs. I've added my version of number 2 to the bootlocal.sh in the VM so it's done automatically on boot. I don't have the script handy now but I can add it here later. |
yup, @vmaatta has it baout right - you could do this by hand, but you probably should consider that you might be better off working out a different way to acheive it - like using volume containers. |
@vmaatta Would be awesome if you could share your script. @SvenDowideit Volume containers is no real option as we use fig for the development process and only some people use macs. So it would make the process more painful for the non-mac users. |
@lukaswelte Here's my
@SvenDowideit I'm probably missing the point but… Volume containers are great and should always be used where they make sense. But with regards to bind mounting something from the host they don't change anything. They suffer from the same problems any other container does. |
@vmaatta yeah - you get around that atm by creating your data container like:
and then you need to copy that data to your local machine using another container. I use samba containers for a reason :) |
Has anyone worked out a simple - StackOverflow style - solution to this problem yet? I've tried all the conventional solutions, such as:
The only 'feasible' solution I see is a custom project created by @dgraziotin, which deviates from the main MySQL / MariaDB docker images (https://github.com/dgraziotin/osx-docker-mysql). This hardly seems like an optimal solution, especially if Docker is to get even more rapid adoption throughout the community. |
@ababushkin using docker-machine-nfs worked for me. |
With docker-library/mysql#161 you should be able to run mysql as the owner of the directory in question: docker run -d -e MYSQL_ROOT_PASSWORD=foobar1234 --user 1000:50 -v /Users/my-user/mysql-data/:/var/lib/mysql/ mysql:5.7 This will fix the permissions problem, but I cannot guarantee that mysql will always run on a VirtualBox Shared Folder. MongoDB for example cannot run on the shared folder since the file system does not support everything it needs. |
@ababushkin I have read reports from users of native Docker for Mac that they no longer need any workaround. I created the permissions script to make it work on Docker Toolbox. |
@ababushkin I confirm that with Docker v1.12.0 for Mac, there is no need to use my ugly workaround anymore :-) @motin |
@dgraziotin @motin Ouch, looks like I'm still running Docker v1.11.0. I'll upgrade and give it a whirl. @yosifkit thanks for the tip! |
@ernestom did you notice any performance improvement for disk sync when using that solution? Symfony runs really poorly for me at the moment. I have the same issue when using Vagrant and VirtualBox shared volumes and worked around it by using an NFS mount. Update: I just noticed that the new version of docker has its own VM and a new OSX dedicated file system layer. I'll try this out to see if there are still performance issues :) |
@ababushkin I didn't notice any significant impact in performance with NFS for Docker, and I've been using it for years on my vagrant/vbox projects without issues. |
@ababushkin I have been using Docker for Mac for a couple of months now, and unfortunately performance issues still there for me. My case is - project on local, mounted inside container, running inside container. For example some project on Symfony, I run some heavy with high I/O app/console command and waiting tens of minutes or even hours to complete instead of up to 10 minutes on pure local. |
@ernestom @krasilich Thats a bummer. @ernestom do you have a boilerplate docker-compose file that's using the NFS solution by any chance? |
So just to follow-up here, the issue seems to be gone on the Mac if you install the native Docker beta (use beta channel here). That obviously doesn't solve the problem much for automated scenarios, but works well for local dev. |
@dend Yup thats correct, permission issues are fixed with Docker for Mac. You don't need to install the beta version, the stable release fixes it as well. Unfortunately performance issues have not been fixed. At this stage I've been getting around performance issues by doing smarter builds of my images (e.g. mounting volumes that don't need lots of read/write operations by the app) |
Just trying back to use Docke for mac with a web project, the ownership issue is still here.. Any idea ? I tried to use USER www-data before starting the apache process but as you know, www-data doesn't have the privilege to start the apache service.. Feel stuck :( |
Due to a bug in Docker Machine for MAC, only container root can access files on mounted volumes. See original issue discussion: boot2docker/boot2docker#581 Signed-off-by: Dmitry Fleytman <dmitry@daynix.com>
Ran into this issue as well. @vmaatta was right in his breakdown, and I'd like to add that the "issue" is the -r option in groupadd/useradd versus adding users without that specific option. The -r option creates system users, which by default (set in /etc/adduser.conf) "starts" with UID/GID 999. (Last in range.)
For regular users, these would be added starting UID/GID 1000 (matching the UID for the boot2docker docker user), which is fine for a single user. This also has the implication that if another user were to be added in a container, that a user with UID 1001 wouldn't be able to access files through vboxsf. Right now, I don't know how this could be solved easily, but I'm going to look into this. Recap: Images create system users that don't match the UID of the docker user in boot2docker. |
Example work-around for rabbitmq: Dockerfile:
|
@TyIsI, many of the images provided by Docker Official Images (like $ docker run -d -v /Users/myuser/rabbitdir/:/var/lib/rabbitmq/ --user 1000:50 rabbitmq:3-managment Some notable exceptions that don't work with the VirtualBox shared folder are MongoDB (docker-library/mongo#74 (comment)) and MariaDB 10.1 (docker-library/percona#42 (comment)). |
Currently only root inside the container is able to modify mounted volumes. Also permissions changed from within have no effect. I'm unsure as to whether
cannot be managed dynamically
on the blog post refers to any of this.I would suggest updating the readme to let users know about the existence of native support for volumes and also its limitations (especially if this is one of them).
The text was updated successfully, but these errors were encountered: