New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mounting a volume with rootless with always assign ownership to root #45919
Comments
That's not a volume, but a bind mount. Can you please share the subuid/subgid maps ( |
|
Okay, so what's going on here is that UIDs do not match inside and outside the container. When you specify a From the perspective of the container userns, In order to achieve what you intend here, you would need to align the UID/GID of a user expected to own the files outside the container with the effective UID/GID that will be observed in the host userns. It's also worth considering if you need a bind mount, given the name ( We don't currently have anything along the lines of Podman's different UID/GID mapping modes (https://www.redhat.com/sysadmin/rootless-podman-user-namespace-modes; it generates the subuid/subgid maps on the fly) and I'm not an expert in how hard it would be to implement some/all of them. @AkihiroSuda do we have a tracking issue for dynamic uid/gid mapping that's appropriate for features equivalent to those Podman options? |
@neersighted, in this case My ideal case would be to not require As an aside, why does the bind mount not translate the uid/gid from the host userns to the container userns? |
It should be created with ownership corresponding to If you're okay with running with root inside the container and rootless outside the container, you could rather straightforwardly give your outer ( With regard to your last point, Linux Containers are a technology built on top of primitives provided by the Linux kernel. What you are asking after is ID-mapped mounts, a feature recently merged (https://lwn.net/Articles/837566/; https://lwn.net/Articles/896255/) and not yet supported widely in the ecosystem (opencontainers/runc#2821). I suggest you add your 👍 (but not a "me too" comment) and watch related issues. |
Thank you for responding & clarifying everything for me, I really appreciate it. It feels pretty unintuitive when I'm new to Docker, but at least I understand why and what a more robust path is. :) |
I appreciate your understanding! Moby (Docker) is not a monolith, but in fact is part of an ecosystem and stands on the shoulders of giants. While we do not have full control over every aspect of the technology in this repository, building on standard abstractions provided by the Linux kernel is part of the magic, and is indeed what allows us to work "everywhere" (most modern systems, including embedded), in a consistent and reliable fashion that has enabled the widespread adoption of containers. Likewise, the increasing modularization and re-use of components/code, while confusing to those who are not yet used to working in/around the ecosystem, has enabled the diverse set of tooling, opinions, and higher level constructs that have grown up in the last decade, including Podman, Kubernetes, and alternate managed services like ECS, in competition with or as alternatives to solutions provided here, like the 'heavy' daemon or Docker Swarm. I'm going to close this issue for now, but if you have further thoughts, please feel free to continue the discussion here for the benefit of those who might discover this later. |
@neersighted, I appreciate all of your input here. I'm experiencing a related issue and hoping you can help. I'm trying to get your suggestion below working:
I'm using Docker-in-Docker. ControlMy control test is running these two commands: docker run --name=dind -e DOCKER_HOST="unix:///run/user/1000/docker.sock" --rm -it --privileged docker:dind-rootless
docker exec -it dind sh -c 'mkdir -p ~/xdir && ls -ld ~/xdir && docker run --user $(id -u):$(id -g) -it --rm -v ~/xdir:/tmp/test alpine:latest stat -c "%u" /tmp/test' This results in the following output, which was reported in the original comment
Attempt 1The first attempt I made was to try building the official diff --git a/24/dind-rootless/Dockerfile b/24/dind-rootless/Dockerfile
index 766214d..a1237fb 100644
--- a/24/dind-rootless/Dockerfile
+++ b/24/dind-rootless/Dockerfile
@@ -15,7 +15,7 @@ RUN mkdir /run/user && chmod 1777 /run/user
# create a default user preconfigured for running rootless dockerd
RUN set -eux; \
- adduser -h /home/rootless -g 'Rootless' -D -u 1000 rootless; \
+ adduser -h /home/rootless -g 'Rootless' -D -u 100000 rootless; \
echo 'rootless:100000:65536' >> /etc/subuid; \
echo 'rootless:100000:65536' >> /etc/subgid The image builds successfully, but I get the following error message when I try to run it:
Attempt 2The next thing I tried was extending the image to alter the FROM docker:dind-rootless
# the subid file looks like this:
# dockremap:165536:65536
# rootless:1000:65536
COPY subid /etc/subuid
COPY subid /etc/subgid Again, the image builds successfully, but I get a similar error message when I try to run it:
Do you have any thoughts? Is what I'm trying to achieve here possible? Appreciate all the context you've provided so far. |
Adjusting the maps inside the container is not enough; the dind container's UID mapping is bounded by the subuid/subgid of the root namespace (the "host"). You might want to review https://man7.org/linux/man-pages/man7/user_namespaces.7.html to understand which errors are returned when and what the semantics for uidmapping are. |
@neersighted opencontainers/runc#3717 is merged and is now available in 1.2.0-rc.1. Any chance you could revisit implementing this feature? |
Description
When mount a volume for a
docker run
running against a rootless docker, it will always assignroot
ownership to the volume. This is independent of theUSER
in the Dockerfile, the--user
passed todocker run
, and the ownership of the directory. When it's mounted on a non rootless docker, the original uid ownership will be persisted.Reproduce
Expected behavior
$(id -u)
, e.g. 1001, but instead it produces 0 when run against rootless docker.docker version
docker info
Additional Info
If you pass in
--user $(id -u):$(id -g)
there's effectively no way to reliably mount a directory that that user can write to without marking the directory asa+w
.The text was updated successfully, but these errors were encountered: