I want to provide write access to a non-root user in a docker container for a volume mounted on the host. I have the same non-root user and group inside container and host as well.
While running the container, I mount a host volume to it with -v /some/folder:/some/folder. I am doing this because my application running inside the docker container needs to write files to the mounted host folder. But since I am running my application as a non-root user, it doesn't have permission to write to that folder.
Also, this mounted folder's permission gets changed inside the container automatically. I have assigned the user and group below as the owner of this folder on the host: “nonrootuser1:nonrootgroup1”
For 'rootful' docker it works fine, but if it's rootless, inside the container it shows the user and group below as the owner of this folder: “root:nobody”
Steps to reproduce this:
- Add the user and group on the host:
groupadd -g 1015 nonrootgroup1
useradd -u 1099 nonrootuser1
- Create the dir on the host which will be assigned to the group created with groupadd above:
sudo su
mkdir -p /var/osquery/sock
echo "hello world" > /var/osquery/sock/file.txt
chown root:nonrootgroup1 /var/osquery/sock
chmod g+s /var/osquery/sock/
- Create a Dockerfile in the home directory:
FROM alpine:3.14
RUN addgroup -g 1015 -S nonrootgroup1
RUN adduser -D nonrootuser1 -u 1099
USER nonrootuser1:nonrootgroup1
CMD ["tail", "-f", "/dev/null"]
- Run the docker container:
docker run --rm -d --name sample-app -v /var/osquery/sock:/var/osquery/sock $(docker build . -q)
- Check the user id of the container:
dmytro@dmytro:~/dev/sample-image$ docker exec sample-app id
uid=1099(nonrootuser1) gid=1015(nonrootgroup1) groups=1015(nonrootgroup1)
- Check the permissions of the /var/osquery/sock dir inside the container:
Directory /var/osquery/sock is assigned to group 'nobody' instead of the 'nonrootgroup1' group
dmytro@dmytro:~/dev/sample-image$ docker exec sample-app ls -lah /var/osquery
total 12K
drwxr-xr-x 3 root root 4.0K Dec 28 10:47 .
drwxr-xr-x 1 root root 4.0K Dec 28 10:47 ..
drwxr-s--- 2 nobody nobody 4.0K Dec 28 09:34 sock
Host details are mentioned below:
Kernel Version: 5.4.0-135-generic
Operating System: Ubuntu 20.04.5 LTS
Storage Driver: overlay2
Please suggest.
Thanks!
I tried to set up the "userns-remap" config in daemon.json, but the docker daemon doesn't start with it, because it lacks permission to create the dockremap user and group.
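Added example, not part of the question above: it models how a rootless Docker user namespace translates file ownership between host and container, which is why a host directory owned by uid/gid 1099/1015 shows up as "nobody" inside the rootless container. The uid_map content, the rootless user's uid 1000 and the subordinate range 100000-165535 are constructed assumptions.

```shell
#!/bin/sh
# Constructed /proc/self/uid_map as seen inside a rootless container.
# Each line: <container start> <host start> <count>. Container uid 0 is the
# rootless host user, container uids 1..65536 are the user's /etc/subuid range.
UID_MAP='0 1000 1
1 100000 65536'

# Translate an id across the namespace. Usage: map_id <from> <to> <id>
# where <from>/<to> are 1 (container side) or 2 (host side) of UID_MAP.
# Prints nothing when the id falls into no mapping line.
map_id() {
    from=$1; to=$2; id=$3
    printf '%s\n' "$UID_MAP" | while read -r cstart hstart count; do
        if [ "$from" -eq 1 ]; then src=$cstart; dst=$hstart
        else src=$hstart; dst=$cstart; fi
        if [ "$id" -ge "$src" ] && [ "$id" -lt "$((src + count))" ]; then
            echo "$((dst + id - src))"
            break
        fi
    done
}

# Host uid that backs a container uid (the owner a file written by the
# container gets on the host).
host_uid_for() { map_id 1 2 "$1"; }

# How a host-owned file appears inside the container: a host uid outside every
# mapping is shown as the kernel overflow id 65534 ("nobody"), which is exactly
# what the question observes for the bind-mounted directory.
container_uid_for() {
    r=$(map_id 2 1 "$1")
    echo "${r:-65534}"
}

# Given the host uid owning the bind-mounted dir and the uid the app runs as in
# the container, report whether they line up and, if not, which host uid the
# directory would have to be chowned to (a rootless daemon cannot do that itself).
check_mount_owner() {
    host_owner=$1; app_uid=$2
    if [ "$(container_uid_for "$host_owner")" -eq "$app_uid" ]; then
        echo "ok"
    else
        echo "mismatch: chown $(host_uid_for "$app_uid") on the host"
    fi
}

# The situation from the post: host dir owned by 1099, app running as 1099.
check_mount_owner 1099 1099   # prints "mismatch: chown 101098 on the host"
```

The real mapping can be read with `docker exec sample-app cat /proc/self/uid_map` (and `gid_map` for the group side, which follows /etc/subgid in the same way); the gid 1015 in the question is unmapped for the same reason, so the directory's group shows as nobody and the setgid bit cannot help.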