GoingMyWay

Reputation: 17468

Docker: why are the user and group different?

I created the following Dockerfile:

FROM nvidia/cuda:10.1-cudnn7-runtime-ubuntu18.04

ENV CUDA_PATH /usr/local/cuda
ENV CUDA_INCLUDE_PATH /usr/local/cuda/include
ENV CUDA_LIBRARY_PATH /usr/local/cuda/lib64

RUN apt update -yq 

RUN apt install -yq curl wget unzip git vim cmake zlib1g-dev g++ gcc sudo build-essential libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev openssh-server

RUN adduser --disabled-password --gecos '' docker && \
    adduser docker sudo && \
    echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers

RUN mkdir -p /.cache/pip
RUN mkdir -p /.local/share
RUN mkdir -p /.local/lib
RUN mkdir -p /.local/bin
RUN chown -R docker:docker /.cache/pip
RUN chown -R docker:docker /.local
RUN chown -R docker:docker /.local/lib
RUN chown -R docker:docker /.local/bin

# Configure SSHD.
# SSH login fix. Otherwise user is kicked off after login
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
RUN mkdir /var/run/sshd
RUN bash -c 'install -m755 <(printf "#!/bin/sh\nexit 0") /usr/sbin/policy-rc.d'
RUN ex +'%s/^#\zeListenAddress/\1/g' -scwq /etc/ssh/sshd_config
RUN ex +'%s/^#\zeHostKey .*ssh_host_.*_key/\1/g' -scwq /etc/ssh/sshd_config
RUN RUNLEVEL=1 dpkg-reconfigure openssh-server
RUN ssh-keygen -A -v
RUN update-rc.d ssh defaults
RUN ln -s /lib/x86_64-linux-gnu/libc.so.6 /lib64/libc.so.6
RUN ln -s /lib/x86_64-linux-gnu/libc.so.6 /lib/libc.so.6

# Configure sudo.
RUN ex +"%s/^%sudo.*$/%sudo ALL=(ALL:ALL) NOPASSWD:ALL/g" -scwq! /etc/sudoers

USER docker
RUN ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519

WORKDIR /home/docker/

RUN chmod a+rwx /home/docker/ && \
    wget https://repo.anaconda.com/miniconda/Miniconda3-py37_4.10.3-Linux-x86_64.sh && \
    bash Miniconda3-py37_4.10.3-Linux-x86_64.sh -b && rm Miniconda3-py37_4.10.3-Linux-x86_64.sh

ENV PATH /home/docker/.local/bin:$PATH
ENV PATH /home/docker/miniconda3/bin:$PATH

RUN which python3.7

RUN mkdir -p /home/docker/.local/
RUN chown -R docker:docker /home/docker/.local/
RUN chmod -R 777 /home/docker/.local/
RUN chmod -R 777 /.local/lib
RUN chmod -R 777 /.local/bin
RUN chmod -R 777 /.cache/pip/

RUN python3.7 -m pip install pip -U
RUN python3.7 -m pip install tensorflow-gpu==2.5.0 ray[rllib] gym[atari] torch==1.7.1 torchvision==0.8.2 scikit_learn==0.23.1 sacred==0.8.1 PyYAML==5.4.1 tensorboard_logger

# ENV PYTHONPATH "${PYTHONPATH}:/home/docker/.local/lib/python3.7/site-packages/"

RUN sudo ln -s $(which python3.7) /usr/bin/python
RUN ls $(python3.7 -c "import site; print(site.getsitepackages()[0])")
RUN python3.7 -m pip list
RUN python3.7 -m pip uninstall -y enum34
USER docker
RUN mkdir -p /home/docker/app
RUN chown -R docker:docker /home/docker/app
WORKDIR /home/docker/app

Then I built an image. After that, I ran a container with this image:

NV_GPU=1 nvidia-docker run -i \
    --name $name \
    --user docker \
    -v `pwd`:/home/docker/app \
    -t MyImage:1.0 \
    ${@:2}

I used the user docker defined in the Dockerfile and mounted the current files into the workdir. However, it shows that the docker user has no permission to create any files:

PermissionError: [Errno 13] Permission denied

And the files in /home/docker/app:

docker@109c5e6b269a:~/app$ ls -l
total 64
-rw-rw-r--  1 1002 1003 11342 Oct 13 12:50 LICENSE
-rw-rw-r--  1 1002 1003  4831 Oct 14 05:49 README.md
drwxrwxr-x  3 1002 1003  4096 Oct 14 08:12 docker
-rwxrw-r--  1 1002 1003   225 Oct 14 08:36 run_train.sh
drwxrwxr-x 11 1002 1003  4096 Oct 14 03:46 src
drwxrwxr-x  4 1002 1003  4096 Oct 13 12:50 third-party

It shows the user and group are not docker. I tried to change the owner to docker, but some error occurred in my local file system.

How can I address this PermissionError issue?

Thank you.

Upvotes: 1

Views: 223

Answers (1)

Karl-Marx

Reputation: 546

You are mapping some directory (pwd) to a volume. The problem is that your local directory belongs to a user with UID=1002, but inside the container the user docker maps to a different UID (probably 1000).

One easy solution is to edit the Dockerfile to specify the UID when creating the user, so it matches your local directory.

If you want your image to be used by others, one good solution is to create an entry point script to modify the user's UID at container creation time, based on an environment variable.

Upvotes: 1
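
One way to write the entry point script the answer describes, as an added example that is not part of the original answer. It assumes the variable names HOST_UID and HOST_GID, that `setpriv` from util-linux is installed in the image, and that the container starts as root (no final `USER docker` in the Dockerfile and no `--user docker` on the command line) with this script set as the ENTRYPOINT.

```shell
#!/bin/sh
# entrypoint.sh -- added example, not from the original post.
# Runs as root, gives the image's "docker" user the UID/GID that owns the
# bind mount, then drops root before starting the real command.
# Assumed names: HOST_UID / HOST_GID (optional, passed with `docker run -e`).
set -eu

APP_USER=docker
APP_DIR=/home/docker/app

# Accept only a decimal ID in 1..4294967294 without leading zeros:
# rejects empty, non-numeric, 0 (root) and (uid_t)-1.
valid_id() {
    case "$1" in
        ''|0*|*[!0-9]*|???????????*) return 1 ;;
    esac
    [ "$1" -le 4294967294 ]
}

# Use the explicit value if given, otherwise the owner of the mounted path.
# $1 = value from the environment (may be empty), $2 = stat format, $3 = path
resolve_id() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        stat -c "$2" "$3"
    fi
}

remap_and_exec() {
    uid=$(resolve_id "${HOST_UID:-}" %u "$APP_DIR")
    gid=$(resolve_id "${HOST_GID:-}" %g "$APP_DIR")
    if ! valid_id "$uid" || ! valid_id "$gid"; then
        echo "entrypoint: refusing to remap $APP_USER to $uid:$gid" >&2
        exit 1
    fi
    # -o allows an ID that another account in the image already uses.
    groupmod -o -g "$gid" "$APP_USER"
    usermod -o -u "$uid" -g "$gid" "$APP_USER"
    export HOME="/home/$APP_USER"
    # Drop root for good; the command never runs with UID 0.
    exec setpriv --reuid "$uid" --regid "$gid" --init-groups "$@"
}

# Act only when given a command, i.e. when used as the container ENTRYPOINT.
if [ "$#" -gt 0 ]; then
    if [ "$(id -u)" -eq 0 ]; then remap_and_exec "$@"; fi
    exec "$@"   # already unprivileged: run the command unchanged
fi
```

With neither variable set, the script takes the IDs from the owner of /home/docker/app, which in the listing above would be 1002:1003; a mount owned by root is refused rather than turning docker into UID 0.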
