Ashley

Reputation: 1629

Docker mount volume directory permissions to non root user using dockerfile

I have a Dockerfile with an entrypoint that starts a Java app jar in a shell process. I have set USER nobody in the Dockerfile before the entrypoint to make sure the entrypoint shell is executed by the nobody user and not root. The task definition for the container on AWS ECS takes care of the volume and mount parameters. So ideally at container run time /var/log/applogs on the host is mounted onto the container with the same path. But what happens is that since the user context is switched from root to nobody, the nobody user that runs the container (executing the entrypoint) doesn't have write permission to the /var/log/applogs/ directory on the container. As such the app is unable to create the log file there on the container. What I see is that the host EC2 /var/log/applogs gets mounted just fine on the container being run by the nobody user, but since the nobody user is missing write permissions on this path on the container, it's unable to write the app log here. What is the correct way to fix this, either in the Dockerfile or something else?

Upvotes: 3

Views: 2133

Answers (1)

UtLox

Reputation: 4154

You can try this...

Remove the USER nobody entry from Dockerfile and change your Entrypoint into the following script:

#!/bin/bash

# change ownership to user=nobody, group=nobody
chown -R nobody:nobody /var/log/applogs

# open with sudo a new shell as user nobody and call your application
sudo -u nobody /bin/bash -c "java -jar /path/to/your/application.jar"

# alternative
# open with su a new shell as user nobody and call your application
# su -s /bin/bash -c "java  -jar /path/to/your/application.jar" nobody

Upvotes: 1
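
An entrypoint along the lines of the answer above, as an added example that is not part of the original answer: it changes ownership only when the mount point's owner differs, fails with a clear message when the container is started as a non-root user (the situation in the question), and drops root with su before the JVM starts. LOG_DIR, RUN_AS, APP_JAR and the "start" argument are assumed names, and the check looks at the owner uid only.

```shell
#!/bin/sh
# Added example, not the answer's script. LOG_DIR, RUN_AS, APP_JAR and the
# "start" argument are assumed names; the check is by owner uid only.
LOG_DIR="${LOG_DIR:-/var/log/applogs}"
RUN_AS="${RUN_AS:-nobody}"
APP_JAR="${APP_JAR:-/path/to/your/application.jar}"
export APP_JAR

# Numeric uid that owns path $1 (third column of `ls -ldn`).
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# plan_for DIR TARGET_UID CURRENT_UID prints what the entrypoint must do:
#   ok    - DIR is already owned by the target user
#   chown - owner differs and we are root, so ownership can be fixed
#   fail  - owner differs (or DIR is missing) and we cannot change it
plan_for() {
    [ -d "$1" ] || { echo fail; return 0; }
    if [ "$(owner_uid "$1")" = "$2" ]; then echo ok
    elif [ "$3" = 0 ]; then echo chown
    else echo fail
    fi
}

main() {
    me=$(id -u)
    target=$(id -u "$RUN_AS") || exit 1
    case $(plan_for "$LOG_DIR" "$target" "$me") in
        chown) chown "$RUN_AS" "$LOG_DIR" ;;  # mount point only: on a bind
               # mount this also changes the owner of the host directory
        fail)  echo "entrypoint: $LOG_DIR is not owned by $RUN_AS (uid $target);" \
                    "fix it on the host or start the container as root" >&2
               exit 1 ;;
    esac
    if [ "$me" = 0 ]; then
        # Drop root before the JVM starts; exec avoids leaving this shell
        # behind as a parent. su without -l keeps APP_JAR in the environment.
        exec su -s /bin/sh -c 'exec java -jar "$APP_JAR"' "$RUN_AS"
    fi
    exec java -jar "$APP_JAR"
}

# Run only when called as: ENTRYPOINT ["/entrypoint.sh", "start"]
if [ "${1:-}" = "start" ]; then main; fi
```

With USER nobody left in the Dockerfile the script takes the fail branch unless the host directory is already owned by that uid, which is the behaviour the question describes.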
