-
Notifications
You must be signed in to change notification settings - Fork 273
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Non-root users, shared volumes, & RStudio #50
Comments
Worked up a more minimal example of the issue here: http://stackoverflow.com/questions/26500270 Should we:
none of these feel like good solutions |
All good questions. Maybe the Docker group / mailing list needs the Q as well... |
Okay good idea, putting the link here for future reference: https://groups.google.com/forum/#!topic/docker-user/VFdFuZ4Ze_A |
Very polite of you :) The main trouble with that list may be that you get as ignored as on SO :-/ |
yeah, shoulda started off with 'look at this stupid docker behavior'. One one hand that makes sense if the kernel just cares about the id On Wed, Oct 22, 2014 at 9:14 AM, Dirk Eddelbuettel <notifications@github.com
Carl Boettiger |
Yep. Seems like an issue that shoulda coulda woulda hit other users / developers too. |
fwiw, I've made a few tweaks to the Dockerfiles in 43d6203 to work around this issue for the time being.
|
Okay, here's a slightly cleaner solution than requiring the user to be
Not super-elegant, but until docker supports usernames instead of UIDs I think this will do. Some interesting feedback on both the SO and the google-discuss list above as well. |
That looks good. One thing that is different between Debian and Ubuntu is the automagic sudo capability for uid 1000 in Ubuntu. So maybe we don't have to be that concerned with 1000 (unless something changed in Debian ...) |
Hmm! Just tried that on an ubuntu image and I still get:
|
still good that we're on Debian. Kinda suprised Debian doesn't have more downloads: https://registry.hub.docker.com/search?q=library&f=official |
I scratched my head about that one too -- might be another case of mind share / market share among Docker users. |
I think all the issues in this thread are resolved in the current build. Anyone running our containers as a non-root user can link a directory, including ones at or above If the host machine user has a UID other than 1000 (or 0, for root), the user should specify their UID when running docker, e.g.
to avoid changing the permissions in the linked volume on the host. This is designed for rstudio mode and run only when the container is executed without a default command. For interactive containers, it is sufficient to run with the flag
note this command links the current working directory to The only limitation is that the interactive method doesn't handle alternate UIDs. If the user running docker has a different UID, they have to do this more manually. Run a terminal in docker (using rstudio image or above):
and then in the bash shell run:
to setup the user with correct UID, switch to the non-root user, and then run R or whatever. |
@cboettig : Although a non-root user can share folders with running container, it is not a good idea to allow sharing of entire user home
Running docker container as daemon with above command recursively and irreversibly sets owner permission to $UID and removes SUID, if set. At present with docker v1.7.0, Although such behavior may be acceptable if one has specified $USER home If a user run like following by switching to root block partition
I tried it on dummy system and only way to recover is to access hard drive from different system and go file by file to revert to root as owner and set SUID for at least following binaries source.
@cboettig: Forgot to pass big thanks for making rstudio docker. It works flawless once permissions are set correctly. |
@dyndna Yes, messing with the root file system can always cause trouble. If you are running docker with a non-root user, you should not have permissions to create, delete, or edit anything above |
Agree and non-root user usually has no read-write permission above Although I have not tested, I believe your My 2 cents:
Thanks |
@dyndna Yes, you're running the container as a root, so of course it has root permissions and can change the root directories. Note in the examples above we suggest running the container as a non-root user with the In your example, since you run the container as root and mount a root directory on the host to the home directory of the container. If we did not change permissions on that home directory (recursively), the rstudio user would not be able to access it or the files contained in it. Like you observe, docker volume linking prevents you from modifying things above the linked volume. Thanks for your comments, we should probably add some clarifications to the Wiki on not linking volumes above $HOME. Maybe there's a way we can avoid any call to change permissions if volumes are linked; e.g. https://github.com/rocker-org/rocker/blob/master/rstudio/userconf.sh#L55; |
Hi @cboettig I'm just hitting into issues with user permissions. I've read this and advice on StackOverflow but I find that setting --user makes the docker fail. The 'nuclear option' |
Hi @Robinlovelace , nice to hear from you. Just taking a quick look at https://github.com/Robinlovelace/geocompr#running-geocompr-code-in-docker, seems like you're binding to
If I'm going to be accessing the container with RStudio, I almost always just bind to
Can you consider switching to that? Otherwise you will want to change permissions of Sidenote: binding to |
Many thanks for this lucid explanation. Entendido! I will update the README (and my own usage of docker) accordingly. |
++ PR v welcome (I see you've forked the book ; ) |
Update @cboettig I've updated the readme following your advice - see here: geocompx/geocompr@a02d3f9 I'm still getting messages saying RStudio doesn't have the right permissions to open the project. This is separate from the previous issue but my solution is still to do, for example chmod a+rwx geocompr It works out of the box on my windows machine so wonder if its a question of docker set-up. Thanks loads in any case! |
So I was having the same issues and it was fixed by changing the listening port (sorry, I'm new to this and may be describing it wrong). I used a docker-compose and did But in the docker run -p 50:8787 should do it if it's the same. That was the big fix for me! First post here, please be nice My Dockerfile (note I was messing with the ENV (-e) stuff MAINTAINER 'Alex Blohm' alexrblohm@gmail.com ADD install_packages.R / RUN Rscript /install_packages.R EXPOSE 8787 #WORKDIR /home/rstudio/project ENV DISABLE_AUTH=true docker-compose Sorry formatting got all crazy! |
Docker does some kinda unexpected things when it comes to handling non-root users and shared volumes. With the rstudio image, we have to create a non-root user with a password that can be set at runtime for security purposes, which we do by running a custom userconf.sh on startup.
RStudio wants to start in the users home directory (regardless of the value of --workdir). First crazy thing is: if the userconf.sh script does not run a
chown
command (as we have currently), that directory is not owned by the userrstudio
(or other user specified with the environment variable$USER
. Lacking write permissions, RStudio cannot even start up. Surprisingly, the directory/home/rstudio
is owned by the userdocker
!If we run
chown -R $USER:$USER /home/$USER
at the end of the userconf.sh script, RStudio can now log in. But if we have linked a home directory,chown
ing to anything other than the thedocker
user (Why the docker user? Just the first non-root user added to docker?) means that the permissions on the linked directory outside of the container will be changed to some other user. Attempting to match the host user name with the $USER value on the container isn't any different than just leaving the container $USER as docker.The only way out of this that I see is to have only one user (e.g. hardwire the user
docker
, and just set the password interactively. breaks previous instructions and feels inelegant). Can't be sure if this problem existed before we added a default userdocker
, perhaps removing that would avoid these issues?Anyway, curious if you might confirm any of this behavior, and I'll see what I can come up with.
The text was updated successfully, but these errors were encountered: