File access is mapped to host user, not root. #117

Closed
jtilander opened this issue Aug 4, 2016 · 6 comments

@jtilander commented Aug 4, 2016

Expected behavior

When I run as root in the container, my files created on a mapped volume should also be owned by root in macosx.

Actual behavior

When I mount volumes from the host, they seem to be silently translated to the host user logged into my mac, as opposed to the user that I run in the container (e.g. root). This causes havoc when trying to perform various operations, e.g. chown, since they are not owned.

Information

Diagnostic ID: A00B5996-AD37-4A1A-AD44-F0A8F7755937
Docker for Mac: 1.12.0 (Build 10871)
macOS: Version 10.11.5 (Build 15F34)
[OK] docker-cli
[OK] app
[OK] moby-syslog
[OK] disk
[OK] virtualization
[OK] system
[OK] menubar
[OK] osxfs
[OK] db
[OK] slirp
[OK] moby-console
[OK] logs
[OK] vmnetd
[OK] env
[OK] moby
[OK] driver.amd64-linux

Steps to reproduce

  1. ...
  2. ...

@dsheets dsheets added the area/mounts label Aug 4, 2016

@dsheets (Contributor) commented Aug 4, 2016

Docker for Mac runs as a normal, unprivileged user except for a single small process which requires superuser privileges to configure networking. Unprivileged users are able to use Docker for Mac without needing root access. See https://docs.docker.com/docker-for-mac/osxfs/#/ownership for an explanation of the ownership model for -v bind mounts between OS X and Docker containers. In particular, chown (and stat) inside containers should work as expected.

Could you elaborate on your specific use case where this ownership model causes havoc?

@jtilander (Author) commented Aug 5, 2016

If you pull this repository and just type "make" you should see a whole lot of errors in the log if you run under docker for mac, but it works fine under docker-machine for a vmware host on a mac (as well as on just native linux hosts).

@jtilander (Author) commented Aug 5, 2016

(seems the URL got eaten)

https://github.com/jtilander/docker-p4

@dsheets dsheets added the kind/bug label Aug 5, 2016

@dsheets (Contributor) commented Aug 5, 2016

The cause of this issue is that the file is read-only (400) but is having chown run on it. This should work on POSIX-compliant file systems and does not with osxfs due to the way that ownership information is persisted in extended attributes (xattrs). OS X does not allow users to change xattrs on files to which they don't have write access.

The fix is to do permissions juggling while holding a lock so that other accessors cannot see the intermediate state. The workaround is to chown only files to which you have write permission.

I've filed an internal issue to track that work.

Thanks for your report!
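The workaround dsheets describes (chown only files you can write) and the "permissions juggling" he describes for the osxfs-side fix, as an added example that is not code from this issue or from the Docker for Mac project. It builds a constructed temporary tree with one 644 file and one 400 file, then recursively chowns it to the current uid/gid (so it runs unprivileged on any POSIX filesystem; it has not been verified against osxfs itself). With the default `juggle=False` it skips read-only files, which is the safe user-side workaround; with `juggle=True` it temporarily sets the owner-write bit, chowns, and restores the original mode. The function names, the report format and the sample file names are assumptions made for this example.

```python
import os
import shutil
import stat
import tempfile


def build_sample_tree():
    """Create a constructed temporary directory holding one writable (644)
    file and one read-only (400) file, mirroring the failing case in the
    thread. Returns the directory path; the caller removes it."""
    root = tempfile.mkdtemp(prefix="osxfs-chown-example-")
    writable = os.path.join(root, "writable.txt")
    readonly = os.path.join(root, "readonly.txt")
    with open(writable, "w") as fh:
        fh.write("rw\n")
    with open(readonly, "w") as fh:
        fh.write("ro\n")
    os.chmod(writable, 0o644)
    os.chmod(readonly, 0o400)
    return root


def chown_one(path, uid, gid, juggle=False):
    """chown a single path and return a string describing what was done.

    - writable files are chowned directly;
    - read-only files are skipped unless juggle=True, in which case the
      owner-write bit is added just long enough to chown and the original
      mode is restored afterwards (the intermediate state is visible to
      other processes, which is why the osxfs fix holds a lock around it).
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "skipped-symlink"  # never follow links out of the tree
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWUSR:
        os.chown(path, uid, gid)
        return "chowned"
    if not juggle:
        return "skipped-readonly"
    os.chmod(path, mode | stat.S_IWUSR)
    try:
        os.chown(path, uid, gid)
    finally:
        os.chmod(path, mode)  # always put the original mode back
    return "juggled"


def chown_tree(root, uid, gid, juggle=False):
    """Recursively chown every regular file under root; returns a dict of
    relative path -> action taken, so callers can see what was skipped."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            report[os.path.relpath(path, root)] = chown_one(path, uid, gid, juggle)
    return report


def demo(juggle=False):
    """Run the workaround over the constructed tree and return the report,
    plus the read-only file's final mode to show it was left unchanged."""
    root = build_sample_tree()
    try:
        report = chown_tree(root, os.getuid(), os.getgid(), juggle)
        ro_mode = os.stat(os.path.join(root, "readonly.txt")).st_mode
        report["readonly_mode_after"] = oct(stat.S_IMODE(ro_mode))
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("skip read-only:", demo())
    print("juggle:        ", demo(juggle=True))
```

The report makes the difference between the two strategies explicit: with the default, `readonly.txt` is reported as `skipped-readonly` and still ends at mode `0o400`; with `juggle=True` it is reported as `juggled` and also ends at `0o400`. A script cannot take the lock that the osxfs fix uses, so during the juggling window another process can observe (and write to) a file that is supposed to be read-only; for a build that runs concurrently, skipping is the conservative choice.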

@jtilander (Author) commented Aug 10, 2016

Oh, nice. Thanks for looking at it!

@dsheets (Contributor) commented Oct 26, 2016

This should be fixed in the just-released Beta 29. Sorry for the delay in resolving the issue -- we had a couple of false starts on the design but now we use an ACL entry to make xattrs (containing ownership metadata) behave like inode metadata in most circumstances. Please give it a try and let us know how it works (or doesn't) for you. I'm going to close this issue but if you find related problems, please feel free to re-open. If you find unrelated problems, please open a new issue. :-)

Thanks for using Docker for Mac!
