
Mounting volumes and mapping host user to docker user #22258

Open
smyth64 opened this issue Apr 22, 2016 · 15 comments

Comments

@smyth64

smyth64 commented Apr 22, 2016

I want to start a docker container (postgres) and mount the folder /var/lib/postgres/data to my local system.

docker run -e POSTGRES_PASSWORD=123456 -v `pwd`/postgres:/var/lib/postgresql/data postgres

On my host: ./postgres has the right owner. Nice!
But inside the container: /var/lib/postgresql/data has the owner root:root. The postgres user cannot access the /var/lib/postgresql/data folder...

Now my question.

How can I tell docker to map my local user smith:staff to the postgres:postgres user inside the container?

btw: I also tried it with

docker run -u postgres:postgres -e POSTGRES_PASSWORD=123456 -v `pwd`/postgres:/var/lib/postgresql/data postgres

Using this command, my postgres won't start at all.
#21702

Client:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   4dc5990
 Built:        Wed Apr 13 19:36:04 2016
 OS/Arch:      darwin/amd64

Server:
 Version:      1.11.0
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   a5315b8
 Built:        Mon Apr 18 19:19:21 2016
 OS/Arch:      linux/amd64

Output of docker info:

Containers: 3
 Running: 3
 Paused: 0
 Stopped: 0
Images: 10
Server Version: 1.11.0
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 154
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: null host bridge
Kernel Version: 4.4.6
Operating System: Alpine Linux v3.3
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.956 GiB
Name: docker
ID: IY64:5E2P:FPZB:G3DH:32BS:5IXL:EHF6:5XC6:HL7D:HKU6:7OBK:U3J4
Docker Root Dir: /var/lib/docker
Debug mode (client): false
Debug mode (server): true
 File Descriptors: 29
 Goroutines: 70
 System Time: 2016-04-22T17:15:36.809782696Z
 EventsListeners: 2
Registry: https://index.docker.io/v1/

Additional environment details (AWS, VirtualBox, physical, etc.):
Docker Beta for OSX


@cpuguy83
Member

The issue is the entrypoint script is expecting root access when it first starts up: https://github.com/docker-library/postgres/blob/master/9.5/docker-entrypoint.sh
So when you start with -u postgres:postgres it can't start up.

In the short term it would be best to use an image that's ready to go with the correct uid/gid.

@donnykurnia

I also want to know how to make volume mapping possible in docker-beta. When using docker-machine, I use an NFS mount in the docker-machine's boot2docker. How can I mount NFS inside Alpine?

@blafasel42

Hi, I was facing the same problem lately. Any news here? I would like to mount a host volume and make sure all files there belong to my developer user, not some unidentified user 1000.

@cpuguy83
Member

@blafasel42 (generally) users on the host match users in the container. If you want the host dir to have a particular UID/GID you need to set it.

@cpuguy83
Member

docker4mac is a slightly different case since it does map UID/GID into the UID/GID that the container process was started with.

@smyth64
Author

smyth64 commented Sep 14, 2016

I wrote a script which lets you map your userid/groupid to any user inside docker.

This is a fully working example.
https://github.com/schmidigital/permission-fix

Please try it and let me know if you have any questions :)

@mga0

mga0 commented Mar 3, 2017

@smith64fx it should not be possible to map the host's userID to the root one from the docker image, right (1000=>0)?

I get into trouble with the script at this point:
Changing the ID of root user to 1000 usermod: user root is currently used by process 1

@petecog

petecog commented Apr 12, 2017

Spotted this, but haven't tried it yet. Looks like it might work: https://denibertovic.com/posts/handling-permissions-with-docker-volumes/

@Vanuan

Vanuan commented Apr 30, 2017

I have a similar issue:

When I mount a host directory and create some files/directories in it under docker, they are created with a root owner.
It means that I must use sudo if I want to delete them. This causes problems, especially in CI when the CI user can't clean the workspace.

To resolve the issue I've created all the folders and files that are created in the mounted directory beforehand, so that they have the host user as owner. In addition I have to provide user: $(id -u):$(id -g), but unfortunately the docker compose file doesn't support command interpolation, so it requires an additional shell script. And finally, $HOME should be adjusted to point to the mounted directory.

Alternatively, /root should be owned by that user, but that would require providing build arguments to the Dockerfile.

Also, we can use adduser/addgroup under root and then su to the newly created user. But that would require a script that checks whether the user is already created.

As you can see, mounting volumes is not without issues, as linux filesystems tend to store the owner on disk and there's no way to abstract that away using containers.

@cuongtransc

This problem can be solved by using docker-entrypoint.sh:

  1. Use a variable like MAP_USERID.
  2. When running the Docker container, the first command to be run is docker-entrypoint.sh, which will run usermod and chown the directory.
#!/bin/sh
set -e

# Set default WWW_DATA_USERID if not set (33 is www-data on Debian-based images)
: "${WWW_DATA_USERID:=33}"

# Move the image's www-data user and group to the caller's id, so files
# written to the bind mount end up owned by the host user
usermod -u "$WWW_DATA_USERID" www-data
groupmod -g "$WWW_DATA_USERID" www-data

chown -R www-data:www-data /var/www/html

exec "$@"

https://github.com/cuongtransc/docker-training/blob/master/images/wordpress/docker-entrypoint.sh#L220-L229

Reference: https://eggclub.org/thay-doi-owner-cua-mount-volume-khi-dev-voi-docker/
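An added example, not code from this thread or from any of the linked projects, that turns the entrypoint approach above into a script which also sidesteps the "usermod: user root is currently used by process 1" failure mga0 hit and the root-owned files Vanuan describes: it takes HOST_UID/HOST_GID (the values you would pass from $(id -u):$(id -g)), refuses 0 and non-numeric ids, remaps the service user, and drops root with gosu before exec. APP_USER, APP_DIR, the HOST_UID/HOST_GID variable names and the presence of gosu in the image are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or any project): an entrypoint that
# remaps the image's service user to the caller's HOST_UID/HOST_GID, fixes
# ownership of the mounted directory, then drops root before exec.
# Assumed: APP_USER already exists in the image and gosu is installed.
set -eu

APP_USER="${APP_USER:-app}"
APP_DIR="${APP_DIR:-/data}"

# A usable id is a plain decimal in 1..65534. Rejecting 0 avoids the
# "usermod: user root is currently used by process 1" failure seen when
# the script, itself running as root, is asked to remap root.
valid_id() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$1" -ge 1 ] && [ "$1" -le 65534 ]; then return 0; fi
  return 1
}

# Print the commands that make APP_USER match the requested ids. Printing
# instead of running keeps the plan inspectable and lets it be tested
# without root. -o permits an id that another account already holds.
plan_remap() {
  valid_id "$1" || { echo "refusing HOST_UID '$1'" >&2; return 1; }
  valid_id "$2" || { echo "refusing HOST_GID '$2'" >&2; return 1; }
  printf 'groupmod -o -g %s %s\n' "$2" "$APP_USER"
  printf 'usermod -o -u %s -g %s %s\n' "$1" "$2" "$APP_USER"
  # Only the mount point itself: files inside a bind mount already carry
  # the host ids, and a recursive chown of a large volume is slow.
  printf 'chown %s:%s %s\n' "$1" "$2" "$APP_DIR"
}

main() {
  if [ "$(id -u)" -eq 0 ] && [ -n "${HOST_UID:-}" ]; then
    cmds=$(plan_remap "$HOST_UID" "${HOST_GID:-$HOST_UID}")  # set -e aborts on bad ids
    eval "$cmds"
    exec gosu "$APP_USER" "$@"
  fi
  exec "$@"
}

# Only act when run as the entrypoint, so the functions can also be sourced.
case "${0##*/}" in docker-entrypoint.sh) main "$@" ;; esac
```

Run it with docker run -e HOST_UID=$(id -u) -e HOST_GID=$(id -g) -v "$PWD/data:/data" image; when the container is started without root (-u), the remap is skipped and the command runs as the caller.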

@arnegroskurth

FYI: http://docker-sync.io/ seems to be a good substitution for bind-mounts for as long as the ownership translation is not supported by docker natively.

@programster

Wow, I really would have thought there would be something native in docker-compose for mapping a host user to a container user, e.g. something like:

version: "3"

users:
  1000:1002
  1001:1003

networks:
  backend:
    driver: bridge
...

... where this would mean the host user with uid 1000 would get mapped to the container user 1002, and host user 1001 would get mapped to container user 1002. This is following the convention of always doing host:container with things like docker cp, and docker volume definitions.

Correct me if I'm wrong and there is nothing native yet...

@thaJeztah
Member

Correct me if I'm wrong and there is nothing native yet...

No, it's not there as part of regular linux installs of the docker engine; keep an eye on #2259 (most notably #2259 (comment) and the comments after that), and upvote docker/roadmap#39 with a "thumbs up" on the first comment to prioritise "Docker Desktop for Linux" in Docker's roadmap (which would include features like this).

@zimbatm
Contributor

zimbatm commented May 12, 2021

The best solution I found so far is this: https://github.com/lebokus/docker-volume-bindfs . It's a docker plugin that uses FUSE to rewrite the user/group IDs.

@andrew-aladjev

andrew-aladjev commented May 17, 2024

I have resolved this issue for myself by passing a hardcoded, well-known UID and GID:

RUN addgroup --gid "999" "runner" && \
  adduser --uid "991" --ingroup "runner" --home "/home/runner" --disabled-password "runner"

USER runner:runner
WORKDIR /home/app

COPY --chown=runner:runner . .

999:991 is the gitlab-runner user and group. It will be the same across different systems and it will allow gitlab-runner to provide its data as volumes to the container.
