Volumes' filesystems should be owned by the user which the corresponding container will run as

[itamarst]

Replaced by https://clusterhq.atlassian.net/browse/FLOC-34

The process running in a container runs as a specific user. E.g. http://docs.docker.io/reference/api/docker_remote_api_v1.11/#22-images - "Inspect an image" API includes user name the image will run under. The filesystem mounter for the container must therefore be writeable by this user.

Our current solution is chmod 777, but that's not secure. Better to chown the filesystem to (or maybe tell ZFS about) the appropriate user.

[itamarst]

Definitely not necessary for first release.

[tomprince]

Note that user is recorded symbolically, and may not be a user that exists on the host system (or may have a different UID on the host-system.

[itamarst]

If the Docker image is configured with username... the knowledge of which uid it corresponds to is available elsewhere within the Docker image. So maybe we could launch a process inside a container using that image which will extract the UID in advance of starting the real container.

Unfortunately then there's images like the official MongoDB one, where it switches users inside the script it runs (https://github.com/docker-library/mongo/blob/master/2.7/docker-entrypoint.sh) so the information is not available for introspection.

[itamarst]

An alternative approach might work depending on how the binding works. If /flocker is only RWX by root, and /flocker/myvolume is world RWX that means /flocker/myvolume is still protected on the host, and it's possible that's once it's bound into the container namespace it's only the permissions on /flocker/myvolume that matter.

[itamarst]

Yeah, that works:

$ sudo ls -ld /tmp/protected/
drwx------ 3 root root 4096 Oct  9 14:42 /tmp/protected/
$ sudo ls -ld /tmp/protected/volume
drwxrwxrwx 2 itamarst itamarst 4096 Oct  9 14:44 /tmp/protected/volume
$ sudo docker run --rm --user=nobody -v /tmp/protected/volume:/myvolume busybox touch /myvolume/hello
$ ls /tmp/protected/volume/hello
ls: cannot access /tmp/protected/volume/hello: Permission denied
$ sudo ls /tmp/protected/volume/hello
/tmp/protected/volume/hello

[itamarst]

So it looks like only thing we need to do is set /flocker to be only readable/writeable/executable by root, and we're good.

[tomprince]

What does docker do with the permissions on the volume?

[adamtheturtle]

We are moving our development planning to JIRA. This issue is now being tracked at https://clusterhq.atlassian.net/browse/FLOC-34. You are welcome to file additional issues in GitHub if that's easier for you.