Incorrect owner on volume inside bind mount

[corporal9736]

Description

I use a docker-compose file:

services:
  node:
    image: node:latest
    user: 1000:1000
    build:
      context: .
    volumes:
      - ".:/app"
      - "/app/modules"
      - "/app/uploads"

and a Dockerfile:

FROM node:latest

WORKDIR /app
RUN mkdir modules && chown node:node -R modules
CMD ["tail", "-f", "/dev/null"]

When the docker compose is up, two new folder(modules, uploads) will be created on host (not inside docker) with root:root permission, which is not expected. And inside docker, modules will have node:node permission, and uploads will have root:root permission.
And when I change owner inside container with docker compose exec -u root node chown node:node -R uploads, the owner on the host will not change, and the owner in container changed correctly.
note: the node:latest image will create a user node(1000:1000) by default. My host user(corporal) is also 1000:1000

Reproduce

1. docker compose up -d
2. ls -l
3. docker compose exec node ls -l
   

Expected behavior

The folders on host should be created with 1000:1000 permission

docker version

Client:
 Version:           25.0.4
 API version:       1.44
 Go version:        go1.22.1
 Git commit:        1a576c50a9
 Built:             Sat Mar 23 06:16:47 2024
 OS/Arch:           linux/amd64
 Context:           default

Server:
 Engine:
  Version:          25.0.4
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.22.1
  Git commit:       061aa95809be396a6b5542618d8a34b02a21ff77
  Built:            Sun Mar 24 05:32:47 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.7.14
  GitCommit:        dcf2847247e18caba8dce86522029642f60fe96b
 runc:
  Version:          1.1.12
  GitCommit:        51d5e94601ceffbbd85688df1c928ecccbfa4685
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad007797e0dcd8b7126f27bb87401d224240

docker info

Client:
 Version:    25.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.13.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.26.1
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 5
  Paused: 0
  Stopped: 5
 Images: 77
 Server Version: 25.0.4
 Storage Driver: overlay2
  Backing Filesystem: btrfs
  Supports d_type: true
  Using metacopy: true
  Native Overlay Diff: false
  userxattr: false
 Logging Driver: journald
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: dcf2847247e18caba8dce86522029642f60fe96b
 runc version: 51d5e94601ceffbbd85688df1c928ecccbfa4685
 init version: de40ad007797e0dcd8b7126f27bb87401d224240
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.6-cachyos-x86_64
 Operating System: Gentoo Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 31.02GiB
 Name: corporal
 ID: ab6ab66f-5b5a-4b07-982d-a9366104a510
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 No Proxy: k3d.local
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional Info

I wonder if this can be set in someway, or are there any workaround? Thanks in advance!

[AkihiroSuda]

When the docker compose is up, two new folder(modules, uploads) will be created on host (not inside docker) with root:root permission, which is not expected.

This is the designed behavior.
For compatibility it is unlikely that the default behavior can be changed, but probably it is ok to add the UID and GID fields in BindOptions

moby/api/types/mount/mount.go

Lines 84 to 93 in b7c0598

	type BindOptions struct {
	Propagation Propagation `json:",omitempty"`
	NonRecursive bool `json:",omitempty"`
	CreateMountpoint bool `json:",omitempty"`
	// ReadOnlyNonRecursive makes the mount non-recursively read-only, but still leaves the mount recursive
	// (unless NonRecursive is set to true in conjunction).
	ReadOnlyNonRecursive bool `json:",omitempty"`
	// ReadOnlyForceRecursive raises an error if the mount cannot be made recursively read-only.
	ReadOnlyForceRecursive bool `json:",omitempty"`
	}

[corporal9736]

However, for normal files and dirs, when owner is changed inside docker, the owner will also change outside docker. For volumes inside bind mount this doesn't work. As I showed before, even if I change the owner of mount point, the folder on host still belongs to root. Is this also by design?