Tags: linux, docker, ubuntu, user-permissions, docker-desktop

How can I map user ids from host to container using docker desktop?


I am using docker desktop on ubuntu to start and run containers with docker compose.

There is a user id mismatch between host and container which is causing permission issues.

My application is based on this example (the dockerfile is the same) - https://github.com/nickjj/docker-rails-example/blob/main/Dockerfile

At build time it creates a 'ruby' user with uid:gid of 1000:1000. This matches my host uid:gid. This worked nicely on my old laptop, but on my new one it seems files owned by the host user appear as owned by root in the container.

When I try chown as the ruby user the files appear as being owned by someone else:

-rw-rw-r-- 1 100999 100999 8318 Nov 22 20:26 README.md

Somewhere the mapping between host and container is not being made. From what I've gathered there are user namespace remapping features, but these aren't available when using Docker Desktop. What options are available?


Solution

  • At the moment I do not have all the details; I just started to use Docker Desktop for Linux recently. But I found a ticket at https://github.com/docker/desktop-linux/issues/31 that explains the situation in detail. Most of the information I add here comes from the discussion in that link, especially from the answers by p1-0tr. In summary:

    • Docker Desktop for Linux runs the file-sharing daemon inside a user namespace with uid/gid remapping, which allows running it as a regular user. That is why you see a different uid/gid.
    • The root user in the container is mapped to your user. Therefore, the easiest way to map the content to your user when using Docker Desktop for Linux is to use the root user inside the container (first answer to your question).
    • If you still need another user inside the container, you can edit the file /etc/subuid in the format <username>:<startingUid>:65536 (second answer to your question), and startingUid would be something like 1000. But if your user is already 1000, the root user in the container will be 1000, and then you will have problems. I suggest using a range that does not contain your user (which also means that it will not map to your user, but to something else). I did not investigate this further, so if someone has something to add here, please do. However, this solution is not recommended because it will raise privileges for Docker Desktop and thus should be avoided.
    • Add a group with gid 100999 (sudo addgroup --gid 100999 <group name>) on your host machine, add your user to this group, and give the group permission to the files. The files will be accessible from both places (third answer to your question, but not exactly as you expect). Please check that ticket on GitHub above for more details.
    • And finally, my preferred solution at the moment (and fourth answer to your question): just use plain docker instead of Docker Desktop for Linux if you are using containers with non-root users. That mapping will not happen, and that might be the reason it worked on your old laptop (I guess you did not have Docker Desktop there, am I right?). I believe it is the easiest way to have a docker setup that works on Mac, Windows, and GNU/Linux without many hacks and env changes. But this is, of course, a personal opinion (and that might change in the future). Just an extra hint: you might need to delete/change /home/<youruser>/.docker/config.json after uninstalling/disabling Docker Desktop for Linux. I do not remember the error message I had and do not have the environment to replicate it to add details, but if you have issues with Docker later, this is a starting point for you to look into.
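The uid/gid remapping described in the answer above is an ordinary Linux user-namespace mapping, which the kernel exposes per process in /proc/<pid>/uid_map (and gid_map) as lines of the form "<id inside namespace> <id outside namespace> <count>". The script below is an added example, not code from the question, the answer or the linked ticket: it translates uids across such a map in both directions so you can check why a file chowned to uid 1000 inside the container shows up as 100999 on the host. The map lines it uses are constructed to match the numbers in the question (container root -> host uid 1000, container uids 1..65536 -> host 100000..165535); the real mapping on your machine, and the pid of the file-sharing process whose uid_map you would read, are assumptions you must fill in yourself.

```shell
#!/bin/sh
# Constructed uid_map in the kernel's /proc/<pid>/uid_map format:
#   <id inside namespace> <id outside namespace> <count>
# Assumed values (not taken from any real system): the namespace owner is host
# uid 1000 and owns the subordinate range 100000-165535 (a typical /etc/subuid
# entry of <user>:100000:65536).
UID_MAP='0 1000 1
1 100000 65536'

# map_uid MAP INSIDE_UID
# Prints the host (outside-namespace) uid that a container (inside) uid is
# written to disk as, or "unmapped" if the uid has no entry in the map.
map_uid() {
  map=$1; want=$2
  while read -r inside outside count; do
    [ -z "$inside" ] && continue
    if [ "$want" -ge "$inside" ] && [ "$want" -lt $((inside + count)) ]; then
      echo $((outside + want - inside))
      return 0
    fi
  done <<EOF
$map
EOF
  echo unmapped
  return 1
}

# unmap_uid MAP OUTSIDE_UID
# The reverse direction: which uid does a host-owned file appear as inside
# the container? Host uids outside every mapped range are "unmapped", which
# the kernel shows as the overflow uid (65534, "nobody") inside the namespace.
unmap_uid() {
  map=$1; want=$2
  while read -r inside outside count; do
    [ -z "$inside" ] && continue
    if [ "$want" -ge "$outside" ] && [ "$want" -lt $((outside + count)) ]; then
      echo $((inside + want - outside))
      return 0
    fi
  done <<EOF
$map
EOF
  echo unmapped
  return 1
}

# Walk through the question's symptoms with the constructed map.
demo() {
  echo "container root (0)        -> host uid $(map_uid "$UID_MAP" 0)"
  echo "container 'ruby' (1000)   -> host uid $(map_uid "$UID_MAP" 1000)"
  echo "host user (1000)          -> container uid $(unmap_uid "$UID_MAP" 1000)"
  echo "host uid 100999           -> container uid $(unmap_uid "$UID_MAP" 100999)"
  echo "host uid 2000 (no entry)  -> container uid $(unmap_uid "$UID_MAP" 2000)"
}

# Only run the demo when executed directly, not when sourced for testing.
case $0 in *uidmap*|*/sh|sh) ;; *) demo ;; esac
```

To compare against a live system, replace the constructed UID_MAP with the contents of /proc/<pid>/uid_map for the process that serves your bind mounts, and the output of map_uid for 1000 should match the owner you saw on README.md. The same arithmetic explains the gid 100999 the answer suggests adding as a host group: it is simply container gid 1000 pushed through the subordinate gid range.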