-
Notifications
You must be signed in to change notification settings - Fork 287
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Volumes' filesystems should be owned by the user which the corresponding container will run as #34
Comments
Definitely not necessary for first release. |
Note that user is recorded symbolically, and may not be a user that exists on the host system (or may have a different UID on the host-system. |
If the Docker image is configured with username... the knowledge of which uid it corresponds to is available elsewhere within the Docker image. So maybe we could launch a process inside a container using that image which will extract the UID in advance of starting the real container. Unfortunately then there's images like the official MongoDB one, where it switches users inside the script it runs (https://github.com/docker-library/mongo/blob/master/2.7/docker-entrypoint.sh) so the information is not available for introspection. |
An alternative approach might work depending on how the binding works. If |
Yeah, that works:
|
So it looks like only thing we need to do is set |
What does docker do with the permissions on the volume? |
We are moving our development planning to JIRA. This issue is now being tracked at https://clusterhq.atlassian.net/browse/FLOC-34. You are welcome to file additional issues in GitHub if that's easier for you. |
Replaced by https://clusterhq.atlassian.net/browse/FLOC-34
The process running in a container runs as a specific user. E.g. http://docs.docker.io/reference/api/docker_remote_api_v1.11/#22-images - "Inspect an image" API includes user name the image will run under. The filesystem mounter for the container must therefore be writeable by this user.
Our current solution is
chmod 777
, but that's not secure. Better to chown the filesystem to (or maybe tell ZFS about) the appropriate user.The text was updated successfully, but these errors were encountered: