Volumes files have root owner when running docker with non-root user. · Issue #3...
source link: https://github.com/moby/moby/issues/3124
Comments
As a non-programmer with a user that is in the docker usergroup Context I may also create a container with git and some scripts doing the only stuff that the collaborator should have to do. Using docker in this way is new for me, but I think it is a great use case! This issue is related to #2372. However, I think this use-case is much more specific and might have higher priority. |
mmm, me too - there is an issue somewhere discussing something related. |
If you can find the issue, please link it (I couldn't). |
Volumes will now inherit permissions of the files in the image, unless they are bind mounted, for example( Based on the linked issues, I believe this issue is resolved, so I am closing. |
I currently experience that files created by the container in a mounted volume are owned by root on the host. I want this to be the same user:group as the user:group that owns the directory. Is this possible? |
@jwgmeligmeyling files and folders created in the volume will have the same uid:gid (numeric) as the user creating them in the container. If you add a user inside the container having the same uid:gid as outside the container and run your container as that user, that should be possible |
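Added example, not part of the thread or of Docker's own code: on a plain Linux host, the numeric uid:gid match described in the reply above can be taken from the owner of the bind-mounted directory and passed with `docker run --user`. The function names, the `/work` mount point and the `DOCKER` override variable are assumptions, and GNU `stat` and `find` are required.

```shell
#!/bin/sh
# Added example (assumptions: Linux host, GNU stat/find; names are hypothetical).

# Print the numeric "uid:gid" that owns a host directory.
owner_of() {
    stat -c '%u:%g' -- "$1"
}

# List entries below the directory whose numeric uid differs from the
# directory owner's, e.g. root-owned build output left by a container.
foreign_owned() {
    dir_uid=$(stat -c '%u' -- "$1") || return 1
    find "$1" -mindepth 1 ! -uid "$dir_uid" -printf '%U:%G %p\n'
}

# Run a container as the directory's owner, with the directory bind mounted
# at /work (assumed path). Set DOCKER=echo for a dry run that prints the arguments.
run_as_owner() {
    host_dir=$(cd -- "$1" && pwd -P) || return 1
    image=$2
    shift 2
    "${DOCKER:-docker}" run --rm \
        --user "$(owner_of "$host_dir")" \
        -v "$host_dir:/work" -w /work \
        "$image" "$@"
}

# Stand-alone use: pass a directory to list entries not owned by its owner.
if [ "$#" -ge 1 ]; then
    foreign_owned "$1"
fi
```

A uid passed with `--user` does not need an entry in the container's `/etc/passwd`, so programs that look the user up by uid may still fail, as a later comment in the thread notes.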
Thanks for the response, I will try that! |
iGEL commented on Jun 3, 2016
@thaJeztah That solution is not really satisfying as it breaks portability of the container. |
If you are mounting files/dirs from the host, this is by definition non-portable. |
Well, with docker-compose and the current path it is OK. It's probably something that should be done in docker-compose if it isn't already. |
With "non" portable, @cpuguy83 means that you cannot start the container on a "random" host, without first creating the files and folders it needs for the bind-mount. (e.g., you cannot reschedule such a container to a different host in a Swarm cluster) |
So this issue kind of stagnated. I only plan on using Docker for local development, currently. That said, I plan on cloning down the git repo, running However, my |
@chadfurman Not sure I follow. |
@cpuguy83 I was running "gulp build" inside my container. As such, all files it built were owned by root because my container's default user was "root". There should be an easy way of making the container user the same user as the person who ran, for example, I ended up running gulp build locally outside of the docker container and sharing the resulting |
@chadfurman Something like this might work if you are working on Linux and docker is on the same machine. But otherwise it would just not be possible. Docker4Mac does uid/gid translation at the filesystem layer when mounting from the Mac into the container. This is outside of the core of docker, though. |
@cpuguy83 lots of developers use Linux and docker on the same machine. I'm guessing you're talking about https://docs.docker.com/engine/reference/builder/#/user which needs to be built into the image? Seems like a run-time "run as this user" setting would be helpful. Though, I can respect that risk-value proposition is not horribly enticing. |
@chadfurman |
added a commit to ElementsProject/lightning-charge that referenced this issue
Have you tried echoing $HOME. I think it's not being set automatically with |
When you say "docker" do you actually mean "container"? When you say "docker commands" do you mean "commands inside container?" |
@iamsoorena - if you are indeed trying to perform a global install via yarn on a running container, you're going to have the same issue you'd have on any server where you aren't root (you launched as a different user). You'll need to install non-global packages into a hierarchy where your user has permissions. This is something that I do frequently when I use a container for development against my local OS X disk. If what you really want to do is to have a container image that has some yarn packages installed, I'd recommend that you just extend the image with your own additions. If the package you're using has already set the |
@bdurrow but the user doesn't exist inside the container; this can be problematic for some applications that look up the user from the UID (Apache Spark / Hadoop in my case). As a workaround now, we share a dynamic Why Docker is not changing the |
Doesn't work:
Man, this is confusing. I feel like this is a legitimate problem. I've tested the following on:
AND a Windows 10 20H2 build 19042.867 computer with:
For a very simple test, let's say there is a configuration directory on my host user's home directory that I want a running container to be able to modify. Let's call this directory Here is a very simple Dockerfile to add and use a non-root user:
Okay, let's build this image:
Now, let's run the image interactively, bind mounting the
In the container, running
Now, and here's the weird thing, running Here is the result of
Can someone explain what is happening here? This seems like incorrect behavior. |
@noahjahn that is indeed confusing. That looks like an issue with Docker Desktop, and it's best to report that one in either the https://github.com/docker/for-win or https://github.com/docker/for-mac issue tracker. What I suspect is happening is that some caching is happening; on Docker Desktop, some "magic" is in place to ignore the actual ownership, and instead trick the container's user to think it's the owner. This was done to allow accessing your files in any container (regardless of what user the container is running as), without having to change the permissions of the files on your host (what is needed on a plain Linux situation). To demonstrate; create a directory for testing, and create a file in it;
Check the owner and group of the file (looking at the numeric IDs; user- and group-name on Linux are only "presentation"). In this case, the file is owned by my user-account; UID 501 and GID 20
Now, run a container as user
The process in the container sees itself as owner of the file ( Starting another container, now as user
Even though the file on the host has not been modified:
So, I suspect something in that magic is either caching something, or there is some delay in making it work. |
I have a similar issue where running composer from docker https://hub.docker.com/_/composer installs dependencies as root on Windows under WSL2. Yet when I do this on MacOS, installed dependencies are under correct host user. |
I experienced a similar problem. I think it's a bug in Docker Desktop for MacOS. If you
I get the same behavior on Linux (Ubuntu 20.04, Docker 20.10.7), so I don't think this is completely a Docker Desktop issue. |
@Aposhian this is a very old ticket by now, and it collected different scenarios over time that are not all related to the same cause/situation. If you have exact steps to reproduce, could you open a new ticket with details instead? |
@thaJeztah, I'm happy to create a new issue with the recreate steps on my original comment at #3124 (comment). At the time though, you mentioned the issue should be created at Docker Desktop even though it's happening on both Mac and Windows with WSL. |
@noahjahn depending on what With different scenarios being brought up in this thread, better to have a new issue, otherwise different issues are conflated, which makes it hard (if not impossible) to look into. |
When I get around to it, I can post the steps to repro on Linux on a separate issue. |