If you can prearrange users and groups in advance, then it’s possible to assign UIDs and GIDs in such specific way so that host users correspond to namespaced users inside containers.
Here’s an example (Ubuntu 14.04, Docker 1.10):
-
Create some users with fixed numeric IDs:
useradd -u 5000 ns1 groupadd -g 500000 ns1-root groupadd -g 501000 ns1-user1 useradd -u 500000 -g ns1-root ns1-root useradd -u 501000 -g ns1-user1 ns1-user1 -m
-
Manually edit auto-generated subordinate ID ranges in
/etc/subuid
and/etc/subgid
files:ns1:500000:65536
(note there are no records for
ns1-root
andns1-user1
due toMAX_UID
andMAX_GID
limits in/etc/login.defs
) -
Enable user namespaces in
/etc/default/docker
:DOCKER_OPTS="--userns-remap=ns1"
Restart daemon
service docker restart
, ensure/var/lib/docker/500000.500000
directory is created.Now, inside containers you have
root
anduser1
, and on the host —ns1-root
andns1-user1
, with matching IDsUPDATE: to guarantee that non-root users have fixed IDs in containers (e.g. user1 1000:1000), create them explicitly during image build.
Test-drive:
-
Prepare a volume directory
mkdir /vol1 chown ns1-root:ns1-root /vol1
-
Try it from a container
docker run --rm -ti -v /vol1:/vol1 busybox sh echo "Hello from container" > /vol1/file exit
-
Try from the host
passwd ns1-root login ns1-root cat /vol1/file echo "can write" >> /vol1/file
Not portable and looks like a hack, but works.