empty VOLUME is very restricted: root:root 700

[SvenDowideit]

Is there really no way to set ownership and permissions of a VOLUME?

~ $ docker build -t test -
FROM ubuntu
RUN mkdir /data ; chmod 777 /data
VOLUME ["/data"]
RUN chmod 755 /data

Uploading context 2048 bytes
Step 1 : FROM ubuntu
 ---> 8dbd9e392a96
Step 2 : RUN mkdir /data ; chmod 777 /data
 ---> Using cache
 ---> 5e2d567c32ef
Step 3 : VOLUME ["/data"]
 ---> Using cache
 ---> d2832c4afd2c
Step 4 : RUN chmod 755 /data
 ---> Running in 34b05587ce60
 ---> 7c4d94ba6eed
Successfully built 7c4d94ba6eed
~ $ docker run -t -i test ls -la /data
total 8
drwx------  2 root root 4096 Nov 30 09:25 .
drwxr-xr-x 37 root root 4096 Nov 30 09:25 ..

I'm making a container which will run something that does not want to run as root, so 700 is particularly frustrating.

somewhat related to #1742 and #2088

[SvenDowideit]

it seems that so long as you create a file in the dir, the VOLUME gets the permission you want - I think thats a reasonably simple small bug - and clearly a stack of buildfile_test tests needed

docker build -t test .
Uploading context 10240 bytes
Step 1 : FROM ubuntu
 ---> 8dbd9e392a96
Step 2 : RUN mkdir /data
 ---> Using cache
 ---> db1322ff4655
Step 3 : RUN chmod 555 /data
 ---> Using cache
 ---> 005372af3b9a
Step 4 : RUN echo ttt > /data/ttt
 ---> Using cache
 ---> a981801d33c9
Step 5 : RUN chmod 666 /data/ttt
 ---> Using cache
 ---> de66db385699
Step 6 : VOLUME ["/data"]
 ---> Using cache
 ---> a0682696f924
Step 7 : USER www-data
 ---> Running in f701b23626ae
 ---> a55a446b1d5c
Step 8 : CMD ls -la /data
 ---> Running in fdecd4714f63
 ---> 5db5753c6cb9
Successfully built 5db5753c6cb9
test-volume(master) $ docker run test
total 12
dr-xr-xr-x  2 root root 4096 Nov 30 11:35 .
drwxr-xr-x 50 root root 4096 Nov 30 11:37 ..
-rw-rw-rw-  1 root root    4 Nov 30 11:35 ttt

[SvenDowideit]

see graphdriver/vfs/driver.go line 51 - the mkdir uses a hardcoded perm, and (i presume there is no parent to copy from if the parent is empty)

[jpetazzo]

Right! I also wonder if having the VOLUME command before or after might change something.
If you add some tests for that, it might be interesting to check that case too?

[ndarilek]

Could this be related to #2049 as well? I hit a very similar issue when attempting to put non-root-owned directories inside volumes.

[SvenDowideit]

@jpetazzo ouch - the tests in the PR above show a number of failures, including

FROM {IMAGE}
VOLUME ["/data"]
RUN mkdir /data ; chmod 777 /data ; chown 1000:1001 /data
RUN echo ttt > /data/ttt
RUN chmod 666 /data/ttt
CMD stat /data -c '%s %f %F %G %U %a %n'

returns

        The command [/bin/sh -c chmod 666 /data/ttt] returned a non-zero code: 1

[shykes]

@SvenDowideit should we use the current value of USER in the Dockerfile and set the ownership of the volume to that?

[SvenDowideit]

it seems like what the user would expect - that setting the USER is like su -

which is also why people ask about $HOME :/