Search code examples
linuxdockerfile-permissionslinux-namespaces

Run each Docker container in a specific user namespace configuration


Problem:

I am trying to mount a directory as Docker volume in such a way, that a user, which is created inside a container could write into a file in that volume. And at the same time, the file should be at least readable to my user lape outside the container.

Essentially, I need to remap a user UID from container user namespace to a specific UID on the host user namespace.

How can I do that?

I would prefer answers that:

  • do not involve changing the way how Docker daemon is run;
  • and allows a possibility to configure container user namespace for each container separately;
  • do not require rebuilding the image;
  • I would accept answer that shows a nice solution using Access Control Lists as well;

Setup:

This is how the situation can be replicated.

I have my Linux user lape, assigned to docker group, so I can run Docker containers without being root.

lape@localhost ~ $ id
uid=1000(lape) gid=1000(lape) groups=1000(lape),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),121(lpadmin),131(sambashare),999(docker)

Dockerfile:

FROM alpine
RUN apk add --update su-exec && rm -rf /var/cache/apk/*

# I create a user inside the image which i want to be mapped to my `lape`
RUN adduser -D -u 800 -g 801 insider
VOLUME /data

COPY ./entrypoint.sh /entrypoint.sh
ENTRYPOINT ["sh", "/entrypoint.sh"]

entrypoint.sh:

#!/bin/sh
chmod 755 /data
chown insider:insider /data

# This will run as `insider`, and will touch a file to the shared volume
# (the name of the file will be current timestamp)
su-exec insider:insider sh -c 'touch /data/$(date +%s)'

# Show permissions of created files
ls -las /data

Once the is built with:

docker build -t nstest

I run the container:

docker run --rm -v $(pwd)/data:/data nstest

The output looks like:

total 8
 4 drwxr-xr-x    2 insider  insider       4096 Aug 26 08:44 .
 4 drwxr-xr-x   31 root     root          4096 Aug 26 08:44 ..
 0 -rw-r--r--    1 insider  insider          0 Aug 26 08:44 1503737079

So the file seems to be created as user insider.

From my host the permissions look like this:

lape@localhost ~ $ ls -las ./data
total 8
4 drwxr-xr-x 2  800  800 4096 Aug 26 09:44 .
4 drwxrwxr-x 3 lape lape 4096 Aug 26 09:43 ..
0 -rw-r--r-- 1  800  800    0 Aug 26 09:44 1503737079

Which indicates that the file belongs to uid=800 (that is the insider user which does not even exist outside the Docker namespace).

Things I tried already:

  1. I tried specifying --user parameter to docker run, but it seems it can only map which user on the host is mapped to uid=0 (root) inside the docker namespace, in my case the insider is not root. So it did not really work in this case.

  2. The only way how I achieved insider(uid=800) from within container, to be seen as lape(uid=1000) from host, was by adding --userns-remap="default" to the dockerd startup script, and adding dockremap:200:100000 to files /etc/subuid and /etc/subgid as suggested in documentation for --userns-remap. Coincidentally this worked for me, but it is not sufficient solution, because:

    • it requires reconfigure the way how the Docker daemon runs;
    • requires to do some arithmetic on user ids: '200 = 1000 - 800', where 1000 is the UID my user on the host, and 800 the UID is of the insider user;
    • that would not even work if the insider user would need to have a higher UID than my host user;
    • it can only configure how user namespaces are mapped globally, without a way to have unique configuration per container;
    • this solution kind of works but it is a bit too ugly for practical usage.

Solution

  • If you just need a read access for your user, the simplest will be to add the read permissions for all files and subdirectories in /data with acls outside of docker.

    Add default acl: setfacl -d -m u:lape:-rx /data.

    You will also need to give access to the directory itself: setfacl -m u:lape:-rx /data.

    Are there any obstacles for such a solution?