I am using Docker 1.4.1 on Ubuntu 14.04.1 LTS with Kernel 3.13.0-4.
Consider the following Dockerfile
FROM debian:wheezy
VOLUME /var/myvol
# RUN mkdir /var/myvol
# copy content to volume
ADD foo /var/myvol/foo
# create user, and make it new owner of directory
RUN useradd nonroot \
&& chown -R nonroot:nonroot /var/myvol/ \
&& ls -al /var/myvol
# switch to new user
USER nonroot
# remove directory owned by user
RUN ls -al /var/myvol && rm /var/myvol/foo && ls -al /var/myvol
and build it with
touch foo
docker build -t test .
then the resulting output is
Step 0 : FROM debian:wheezy
---> c90d655b99b2
Step 1 : VOLUME /var/myvol
---> Running in d3bc83df9451
---> b860e18186d8
Removing intermediate container d3bc83df9451
Step 2 : ADD foo /var/myvol/foo
---> aded36dba841
Removing intermediate container db5dd1b08958
Step 3 : RUN useradd nonroot && chown -R nonroot:nonroot /var/myvol/ && ls -al /var/myvol
---> Running in 148941cb7858
total 8
drwxr-xr-x 2 nonroot nonroot 4096 Feb 6 09:55 .
drwxr-xr-x 13 root root 4096 Feb 6 09:55 ..
-rw-rw-r-- 1 nonroot nonroot 0 Feb 6 09:30 foo
---> 144e4ff90439
Removing intermediate container 148941cb7858
Step 4 : USER nonroot
---> Running in 924f317b6718
---> 345c1586c69f
Removing intermediate container 924f317b6718
Step 5 : RUN ls -al /var/myvol && rm /var/myvol/foo && ls -al /var/myvol
---> Running in 16c8c2349f27
total 8
drwxr-xr-x 2 root root 4096 Feb 6 09:55 .
drwxr-xr-x 13 root root 4096 Feb 6 09:55 ..
-rw-rw-r-- 1 root root 0 Feb 6 09:30 foo
rm: cannot remove `/var/myvol/foo': Permission denied
INFO[0000] The command [/bin/sh -c ls -al /var/myvol && rm /var/myvol/foo && ls -al /var/myvol] returned a non-zero code: 1
If I replace the VOLUME line with the commented one below, it works perfectly. What is really strange is the output of ls -al: while the first says the owner was nonroot, the second one outputs the owner as root, so the chown command seems to be somehow discarded or the permissions reset after switching to the new user.
Am I understanding Docker volumes in a wrong way? Is only root allowed to work with them, or may this be a bug that I should report?
[Edit]
What I want to achieve is to use a volume as data-storage for a containerized service. This service isn't required to run as root (and so I would prefer to use a non-root user), but is required to delete directories and files that are no longer needed.
You need to run the appropriate chown and chmod commands to change the permissions of the directory. This assumes you have the runuser command available. You can accomplish pretty much the same thing using sudo instead.
Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.
The Docker daemon always runs as the root user. If you don't want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
When you declare a directory as a VOLUME, you effectively can't use it in a Dockerfile any more. The basic reason is that volumes are set up when the container is run, not built.
In this case, you could simply move the VOLUME statement to the end of the Dockerfile. Any data in the image at that directory will be copied into the volume when the container is started.
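The reordering described in this answer, written out as an added example (not the answerer's own code): the ADD, chown and USER steps now operate on an ordinary image directory, and VOLUME comes last, so the ownership set during the build is what gets copied into the volume at run time.

```dockerfile
# Added example: same build as in the question, with VOLUME moved to the end.
FROM debian:wheezy

# Copy the content into the image first. /var/myvol is not a volume yet,
# so this layer records both the file and its ownership.
ADD foo /var/myvol/foo

# Create the service user and hand it the directory. This chown persists,
# because at this point /var/myvol is still a plain image directory.
RUN useradd nonroot \
 && chown -R nonroot:nonroot /var/myvol

# Later build steps and the container entrypoint run unprivileged.
USER nonroot

# The non-root user can now modify the directory during the build
# (this is the same check the question's last RUN step performs).
RUN ls -al /var/myvol && rm /var/myvol/foo && ls -al /var/myvol

# Declare the volume last. At `docker run`, the image content at /var/myvol
# (including owner and mode) is copied into the freshly created volume, so
# the running service can create and delete files there as nonroot.
VOLUME /var/myvol
```

After `docker build -t test .`, `docker run --rm test ls -ln /var/myvol` shows the directory owned by the nonroot uid, which is the state the service sees at run time.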