File access is mapped to host user, not root. #117

Closed
jtilander opened this issue Aug 4, 2016 · 7 comments

@jtilander

Expected behavior

When I run as root in the container, my files created on a mapped volume should also be owned by root in macosx.

Actual behavior

When I mount volumes from the host, they seem to be silently translated to the host user logged into my mac, as opposed to the user that I run in the container (e.g. root). This causes havoc when trying to perform various operations, e.g. chown, since they are not owned.

Information

Diagnostic ID: A00B5996-AD37-4A1A-AD44-F0A8F7755937
Docker for Mac: 1.12.0 (Build 10871)
macOS: Version 10.11.5 (Build 15F34)
[OK] docker-cli
[OK] app
[OK] moby-syslog
[OK] disk
[OK] virtualization
[OK] system
[OK] menubar
[OK] osxfs
[OK] db
[OK] slirp
[OK] moby-console
[OK] logs
[OK] vmnetd
[OK] env
[OK] moby
[OK] driver.amd64-linux

Steps to reproduce

  1. ...
  2. ...
@dsheets
Contributor

dsheets commented Aug 4, 2016

Docker for Mac runs as a normal, unprivileged user except for a single small process which requires superuser privileges to configure networking. Unprivileged users are able to use Docker for Mac without needing root access. See https://docs.docker.com/docker-for-mac/osxfs/#/ownership for an explanation of the ownership model for -v bind mounts between OS X and Docker containers. In particular, chown (and stat) inside containers should work as expected.

Could you elaborate on your specific use case where this ownership model causes havoc?

@jtilander
Author

If you pull this repository and just type "make" you should see a whole lot of errors in the log if you run under docker for mac, but it works fine under docker-machine for a vmware host on a mac (as well as on just native linux hosts).

@jtilander
Author

(seems the URL got eaten)

https://github.com/jtilander/docker-p4

@dsheets
Contributor

dsheets commented Aug 5, 2016

The cause of this issue is that the file is read-only (400) but is having chown run on it. This should work on POSIX-compliant file systems and does not with osxfs due to the way that ownership information is persisted in extended attributes (xattrs). OS X does not allow users to change xattrs on files to which they don't have write access.

The fix is to do permissions juggling while holding a lock so that other accessors cannot see the intermediate state. The workaround is to chown only files to which you have write permission.

I've filed an internal issue to track that work.

Thanks for your report!
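
A user-space take on the workaround described in the comment above, as an added example (not code from this thread or from Docker): read-only files get a temporary owner-write bit before `chown`, and the bit is removed again afterwards. The function names and the sample tree are constructed for illustration. Unlike the fix inside osxfs, this takes no lock, so other processes can observe the briefly writable state, and that it is sufficient on an affected osxfs version is an assumption.

```python
import os
import stat
import tempfile

def chown_one(path, uid, gid):
    """chown path; return True if a temporary owner-write bit was needed."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False  # never chmod/chown through a symlink
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWUSR:
        os.chown(path, uid, gid)
        return False
    os.chmod(path, mode | stat.S_IWUSR)  # intermediate state, visible to others
    try:
        os.chown(path, uid, gid)
    finally:
        # Re-read the mode: the kernel may have cleared setuid/setgid during
        # chown, so drop only the bit added above instead of restoring `mode`.
        now = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, now & ~stat.S_IWUSR)
    return True

def chown_tree(root, uid, gid):
    """Apply chown_one to root and everything below it; list juggled paths."""
    juggled = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            if chown_one(path, uid, gid):
                juggled.append(path)
    return juggled

def demo():
    """Constructed sample tree: one writable file and one 0400 file."""
    with tempfile.TemporaryDirectory() as root:
        paths = {"rw.txt": 0o644, "ro.key": 0o400}
        for name, mode in paths.items():
            full = os.path.join(root, name)
            with open(full, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(full, mode)
        # Own uid/gid so the demo also runs unprivileged (root can pass any).
        juggled = chown_tree(root, os.getuid(), os.getgid())
        modes = {n: stat.S_IMODE(os.lstat(os.path.join(root, n)).st_mode) for n in paths}
    return [os.path.basename(p) for p in juggled], modes

if __name__ == "__main__":
    print(demo())
```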

@jtilander
Author

Oh, nice. Thanks for looking at it!

@dsheets
Contributor

dsheets commented Oct 26, 2016

This should be fixed in the just-released Beta 29. Sorry for the delay in resolving the issue -- we had a couple of false starts on the design but now we use an ACL entry to make xattrs (containing ownership metadata) behave like inode metadata in most circumstances. Please give it a try and let us know how it works (or doesn't) for you. I'm going to close this issue but if you find related problems, please feel free to re-open. If you find un-related problems, please open a new issue. :-)

Thanks for using Docker for Mac!

@docker-robott
Collaborator

Closed issues are locked after 30 days of inactivity.
This helps our team focus on active issues.

If you have found a problem that seems similar to this, please open a new issue.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows.
/lifecycle locked

@docker docker locked and limited conversation to collaborators Jun 18, 2020