Docker and –userns-remap, how to manage volume permissions to share data between host and container?

by

If you can prearrange users and groups in advance, then it’s possible to assign UIDs and GIDs in such specific way so that host users correspond to namespaced users inside containers.

Here’s an example (Ubuntu 14.04, Docker 1.10):

  1. Create some users with fixed numeric IDs:

    useradd -u 5000 ns1

groupadd -g 500000 ns1-root
groupadd -g 501000 ns1-user1

useradd -u 500000 -g ns1-root ns1-root
useradd -u 501000 -g ns1-user1 ns1-user1 -m

  2. Manually edit auto-generated subordinate ID ranges in /etc/subuid and /etc/subgid files:

    ns1:500000:65536

    (note there are no records for ns1-root and ns1-user1 due to MAX_UID and MAX_GID limits in /etc/login.defs)

  3. Enable user namespaces in /etc/default/docker:

    DOCKER_OPTS="--userns-remap=ns1"

    Restart daemon service docker restart, ensure /var/lib/docker/500000.500000 directory is created.

    Now, inside containers you have root and user1, and on the host — ns1-root and ns1-user1, with matching IDs

    UPDATE: to guarantee that non-root users have fixed IDs in containers (e.g. user1 1000:1000), create them explicitly during image build.

Test-drive:

  1. Prepare a volume directory

    mkdir /vol1
chown ns1-root:ns1-root /vol1

  2. Try it from a container

    docker run --rm -ti -v /vol1:/vol1 busybox sh
echo "Hello from container" > /vol1/file
exit

  3. Try from the host

    passwd ns1-root
login ns1-root
cat /vol1/file
echo "can write" >> /vol1/file

Not portable and looks like a hack, but works.

More Related Contents:

  1. What does Docker use to host/run web applications?
  2. How to deal with persistent storage (e.g. databases) in Docker
  3. How to assign more memory to docker container
  4. How to start a stopped Docker container with a different command?
  5. docker : invalid reference format
  6. How to upgrade docker container after its image changed
  7. How do I run a command on an already existing Docker container?
  8. How do you list volumes in docker containers?
  9. Why can’t I use Docker CMD multiple times to run multiple services?
  10. When using BuildKit with Docker, how do I see the output of RUN commands?
  11. How can I expose more than 1 port with Docker?
  12. How to get docker-compose to always re-create containers from fresh images?
  13. Mount host directory with a symbolic link inside in docker container
  14. Connect docker python to SQL server with pyodbc
  15. How to delete images from a private docker registry?
  16. Is it possible to start a stopped container from another container
  17. Powershell Docker Command Doesn’t Work Like Bat File
  18. Difference between links and depends_on in docker_compose.yml
  19. Can’t delete docker image with dependent child images
  20. Docker Compose keep container running
  21. Kubenetes: Is it possible to hit multiple pods with a single request in Kubernetes cluster
  22. Docker unknown shorthand flag: ‘a’ in -aq)
  23. How to change the default location for “docker create volume” command?
  24. How to connect to local MySQL server through Docker?
  25. Connect to a Service running inside a docker container from outside
  26. How to tag docker image with docker-compose
  27. Finding the layers and layer sizes for each Docker image
  28. What’s the best way to share files from Windows to Boot2docker VM?
  29. Docker loading kernel modules
  30. docker – how do you disable auto-restart on a container?

Leave a Comment