New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set owner of items created by Docker on the host #4582
Comments
Rootless mode appears to address this issue:
Unfortunately many CI runners use rootful Docker. |
When bind-mounting a directory, files "inside" and "outside" the container are the same (I should mention here: on a Linux machine; the situation is different on Docker Desktop). This means that permissions of files and their ownership are exactly the same. On Linux, those permissions are based on user and group ID (numeric value); user and group names are effectively just "presentation" (and what names are shown, depends on what's present on the host if you look from the host). So, in the case of a bind-mount, docker itself is not in the middle of things; when you specify a bind-mount ("host-path" to be mounted at "container-path"), that configuration is passed to the OCI runtime, which mounts the host-path into the container's mount-namespace. After that, processes If you want those files to have different permissions, there are some options;
Depending on your situation, you can also run Docker Desktop (for Mac, Windows, or Linux); Docker Desktop runs the daemon (and containers) inside a VM; when bind-mounting files from your host, those files are mapped into the VM, and Docker Desktop allows permissions to be mapped; this does, however, come with an overhead, so may be less suitable for heavy data read/writes. For some use-cases, the Longer term, we anticipate providing support for "id-mapped mounts"; this is a feature in recent Linux kernel versions that allows mapping user-id's on a per mount base; this is similar to running containers with user-namespaces (user-mapping) and rootless, but per mount. With this, it's possible for a process inside the container running as (e.g.) Support for this has not yet been implemented, and (as mentioned) requires recent kernel versions, so if implemented, can't be supported on all Linux distros (running older kernel versions). More discussion on this topic can be found in this ticket; Some information can also be found in this answer I once wrote; https://stackoverflow.com/a/29251160/1811501 (but most of that I also captured above). Given that this is not something that relates to the Docker CLI (as mentioned this all depends on the daemon-side), and we're tracking this features in moby/moby#2259, I'll close the ticket here, but feel free to continue the conversation. |
Feature Request
I want to set the owner of directories and files created by Docker on the host from overlapping bind and named volumes.
Use case:
Using named volumes to increase performance on Windows without breaking permissions on Linux.
Possible implementations:
UID:GID
option to volumes, and have Dockerchown
anything that it creates on the host with that value.compose config
that prints the host paths that will be created by Docker, allowing a shell script to create them beforehand so they're not owned by root.The problem I want to solve
If Docker creates a file or directory on the host system, it seems like those items are always owned by root. Here's a demonstration:
If we
mkdir volume
on the host before running Docker,volume
will retain its owner. But if we don't, Docker will create it and it will be owned by root on the host.Setting the owner of the volume path in the image doesn't fix this issue, the directory must be created on the host to have a non-root host owner.
This issue doesn't appear in WSL, but that difference is likely caused by WSL instead of Docker.
Why should this feature be added to Docker?
It seems unreasonable to ask users to create directories before Docker just so they're not owned by root. Ownership on the host seems like something that should be configurable, rather than a fight against Docker to achieve.
Docker version/info
Related issues/keywords:
The text was updated successfully, but these errors were encountered: