I want a Docker non-root user to be able to write to a persistent volume? How can I fix this?

Question

I'm setting up a playspace to run Apache Airflow. I want the directory /airflow to be owned and therefore writable by the user Airflow. My Dockerfile looks like this:

FROM salimfadhley/testpython:latest AS base_python
COPY . /project
WORKDIR /project/src
RUN SLUGIFY_USES_TEXT_UNIDECODE=yes python -m pip install -e /project/src

FROM base_python AS application
ENV AIRFLOW_HOME=/airflow
RUN useradd -G sudo -u 1000 airflow
VOLUME /airflow
WORKDIR /airflow
RUN chown airflow:airflow /airflow
USER airflow

Unfortunately, when I try to write to that directory I get an error:

airflow@fc047510b631:/airflow$ touch hello
touch: cannot touch 'hello': Permission denied
airflow@fc047510b631:/airflow$ cd ..
airflow@fc047510b631:/$ ls -l | grep airflow
drwxr-xr-x   2 root    root 4096 Feb 12 13:38 airflow
drwxr-xr-x   6 airflow sudo 4096 Feb 12 13:35 project
drwxr-xr-x   4 airflow sudo 4096 Feb 12 11:12 src

Is there a way to fix this so that the directory /airflow in the conainer is a persistent volume which is owned and therefore writable by the user "airflow".

Thanks!

Answer 1

Volumes are mounted with the uid/gid, along with file permissions, of the volume source. If that's a host mount, the uid/gid and permissions on your host directory need to be changed. If that's a named volume, you'll need to modify the permissions inside that named volume.

What you do get from fixing the permissions in your image, as you've done in your Dockerfile, is make new named volumes appear with the correct permissions. Docker will initialize an empty named volume with the contents from your image, including file ownership and permissions. However, once that named volume has been initialized with content, further usage of that named volume will skip the initialization step and you'll see the files and permissions from the previous usage.