On my host I have a file /path/to_file/my_file in rwxrwx--- mode. This file belongs to a group "A" which my user is part of, but is owned by another user. I can read this file without problem as I'm in group A.
I start a rootless docker container with:
docker run -it --user $(id -u):$(id -g A) -v /path/to_file/my_file:/data --rm my-image:latest
And inside the container I run:
cat /data/my_file
Which gives this error:
cat: my_file: Permission denied
The command ls -l gives:
-rwxrwx--- 1 nobody nogroup 188 Aug 10 08:30 my_file
Thank you for your help!
Rootless is implemented on top of user namespaces. And user namespaces are implemented by looking up your user in /etc/subuid and /etc/subgid to create a range of UIDs and GIDs. If each of the files were to say yourname:100000:65536, then uid 0 in the namespace would map to 100000 on the host, and uid 1234 in the namespace would map to 101234 on the host.
Volume mounts currently do not map uids/gids between the host and the container; the numeric values are identical in both. It's one of the big reasons I suspect Docker does not enable user namespaces by default.
Any uid or gid outside of the subuid/subgid range won't have any access to users in the namespace. The user namespace doesn't have the concept of what your user has access to on the host, so your group access on the host is not taken into consideration.
To give access to the container, you'll want to change the file uid/gid on the host to a value in the range to which the container user would have read/write access. Other options include copying the file into the container, e.g.
cat /path/to_file/my_file \
| docker run -i --rm -v appdata:/data busybox /bin/sh -c "cat >/data/my_file"
docker run -it -v appdata:/data --rm my-image:latest
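As an added illustration of the answer's point (not code from the answerer), the script below parses constructed /etc/subuid and /etc/subgid entries and checks whether a host file's numeric owner and group fall inside the range the rootless container can see, using the linear offset the answer describes (namespace id N maps to host id start+N). The subuid/subgid lines and the file ids are constructed sample values, not taken from a real host.

```shell
#!/bin/sh
# Constructed sample entries, as they would appear in /etc/subuid and /etc/subgid.
SUBUID_LINE="yourname:100000:65536"
SUBGID_LINE="yourname:100000:65536"

# Field helpers: user:start:count
range_start() { printf '%s\n' "$1" | cut -d: -f2; }
range_count() { printf '%s\n' "$1" | cut -d: -f3; }

# ns_to_host NSID LINE: namespace id -> host id (the value to chown/chgrp a
# host file to so a given container uid/gid owns it).
ns_to_host() {
    echo $(( $(range_start "$2") + $1 ))
}

# host_to_ns HOSTID LINE: host id -> namespace id, or "unmapped" when the host
# id lies outside the range. An unmapped owner is exactly what the container
# shows as nobody/nogroup, and no group membership on the host changes that.
host_to_ns() {
    start=$(range_start "$2"); count=$(range_count "$2")
    if [ "$1" -ge "$start" ] && [ "$1" -lt $(( start + count )) ]; then
        echo $(( $1 - start ))
    else
        echo unmapped
    fi
}

# file_access HOST_UID HOST_GID: summarise how a bind-mounted file's numeric
# owner and group will appear from inside the container.
file_access() {
    u=$(host_to_ns "$1" "$SUBUID_LINE"); g=$(host_to_ns "$2" "$SUBGID_LINE")
    echo "uid=$u gid=$g"
}

# Stand-alone demonstration with constructed file ids (a typical host user and
# group, 1000/1001, which are outside 100000-165535).
file_access 1000 1001    # prints: uid=unmapped gid=unmapped
ns_to_host 1234 "$SUBUID_LINE"   # prints: 101234
```

Run `stat -c '%u %g' /path/to_file/my_file` on the host to obtain the real numeric ids to feed into file_access.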