Reputation: 9912
Problem with the User and Group inside a container
Preliminary
First, a preliminary. When running a docker container with a volume mapped to some part of the host, the user inside the docker container is usually root, so for files generated by the container, the Host cannot edit, modify or delete them. To solve this some people (including the one who created the image I am using) recommends using -u
The Situation
I have a Docker image (built by a different person in a different machine)
This Docker image assumes the user is going to be a user with id 1000
The problem
When a person who is the only user of a Host machine (and whose user id is 1000) runs the image, there is no problem. However, in my case I am the second user of this Host so my user id is 1001. So I have the following:
In the Host I do cat /etc/passwd and I get several users including:
firstuser:x:1000:1000:firstluser,,,:/home/firstuser:/bin/bash
myself:x:1001:1001:My Name,,,:/home/myself:/bin/bash
Then :
CASE 1 I run the container with
docker run -it --rm -u 1001:1001 -v /a/path:/another/path image /bin/bash
because doing id -u and id -g gives me 1001.(I am the second user after all)
Doing this causes that
groups:cannot find name for group ID 1001
then my user becomes "I have no name!" and when I do cat/etc/passwd I get
originaluser:x:1000:1000::/home/originaluser:bin/bash <---- here there are not ,,,
so obviously my user (1001) does not exist which causes a lot of problems.
To solve this I tried
CASE2 I run the container with
docker run -it --rm -u 1000:1000 -v /a/path:/another/path image /bin/bash
which does not cause the previous error, and now even though I am myself but run the Docker image as firstuser, in the container I am originaluser (since both are 1000)
Doing the cat /etc/passwd I can see
originaluser:x:1000:1000::/home/sensetime:bin/bash
and as predicted my user is originaluser.
I should be happy but, this also causes problems!
Later on the program inside the container tries to create a file (with user 1000) but since it is mapped and the user owner is 1001 this creation fails.
What is a good way to prevent all these problems and be able to synchronize the user in the host with the user in the container?
Upvotes: 3
Views: 5038
Answers (1)
Reputation: 2461
I recently discovered fixuid which may solve most of you problems.
The uid/gid in a container cannot (or is not expected to) match the ones on your host.
The fixuid setuid go binary I linked above can solve this by changing the uid/gid of the user in docker to match the one you configured.
For instance:
Host: uid/gid/name=1001/1001/kansai
Guest user: uid/gid/name=1000/1000/user
If you had add the fixuid binary in you container (build phase) then you can run:
docker run --rm -it -u $(id -u):$(id -g) -v /a/path:/another/path image fixuid /bin/bash
You can also set fixuid in an entrypoint so it will be easier to use.
Upvotes: 2
Related Questions
- Can't add user to docker group
- Userid and Group id in docker run command
- How to forward local-user's groups to the container?
- Docker image - add user to group
- echo $UID gives host ID and not container root user ID (docker/linux)
- Docker, why the user and group are different?
- Linux user groups missing when user mounted to container
- Docker run - User group not working as expected?
- How do I add a container user to a user group in the Docker host?
- Using an explicit UID/GID in Dockerfile