Hey all, I’m trying to use rootless Docker for a client application where the application requires access to a device on the host machine. Specifically, the application needs read and write access to /dev/udmabuf. On the host I have my user (username admin) that has read and write permissions to /dev/udmabuf via a specific user group, udmabufgroup. I can run the application on the host as this user and it works properly. When I start up a container with my application, however, I see that the root user in the container is not being given the permissions of my host user, which causes my application to fail.
Some more details to help speed up the debug process:
Host Side----
> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04 LTS
Release: 24.04
Codename: noble
> docker info
Client: Docker Engine - Community
Version: 27.2.0
Context: rootless
Debug Mode: false
... <truncated>
> docker context show
rootless
> id
uid=1000(admin) gid=1000(admin) groups=1000(admin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),101(lxd),1001(udmabufgroup)
> ll /dev/udmabuf
crw-rw---- 1 root udmabufgroup 10, 124 Aug 28 19:00 /dev/udmabuf
> cat /etc/group | grep 'udma'
udmabufgroup:x:1001:admin
> cat /etc/subuid
admin:100000:65536
> cat /etc/subgid
admin:100000:65536
My build + run steps are straightforward:
> docker build -f docker/Dockerfile-Client -t client-image:latest .
> docker run -d --device=/dev/udmabuf:/dev/udmabuf -v /var/run/server:/socket --name client-service client-image:latest
I’m not currently doing anything special in the dockerfile, just setting up some dependencies for my application:
...
RUN apt-get update && apt-get install -y \
build-essential \
git \
cmake \
python3 \
&& rm -rf /var/lib/apt/lists/*
RUN mkdir -p /socket
WORKDIR /application
CMD ...
Within the container I see that the user does not have access to udmabuf when I run in interactive mode:
> docker run -it --device=/dev/udmabuf:/dev/udmabuf -v /var/run/server:/socket --name client-service client-image:latest bash
> id
uid=0(root) gid=0(root) groups=0(root)
> ll /dev/udmabuf
crw-rw---- 1 nobody nogroup 10, 124 Aug 28 19:00 /dev/udmabuf
> cat /etc/group | grep 'udma'
<blank>
> cat /etc/subuid
ubuntu:100000:65536
> cat /etc/subgid
ubuntu:100000:65536
Why this user is called ubuntu here, I have no idea. When I try to run the container with my admin user id, I still do not have access to udmabuf and for some reason my username is ubuntu:
> docker run -it --device=/dev/udmabuf:/dev/udmabuf --user 1000 -v /var/run/server:/socket --name client-service client-image:latest bash
> id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev)
> ll /dev/udmabuf
crw-rw---- 1 nobody nogroup 10, 124 Aug 28 19:00 /dev/udmabuf
So in summary, my question is: How do I enable access to a host device (specifically /dev/udmabuf) for an application I am running in a rootless docker container?
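The following script is an added diagnostic, not code from the post above. It models what the kernel actually checks when a process inside a rootless-Docker user namespace opens a device: the device's owner, group and mode bits are compared against the process's host-side uid and gids, not against the ids printed by `id` inside the container. The uid_map/gid_map text is constructed from the /etc/subuid and /etc/subgid lines in the post (rootless Docker maps the host user to 0 and the subordinate range to 1-65536); check /proc/self/uid_map and /proc/self/gid_map inside your own container to confirm. Host ids with no entry in the map are shown as the overflow id 65534, which is why the device appears as nobody:nogroup. The `ubuntu` name seen for uid 1000 comes from the image's own /etc/passwd, and the container's /etc/subuid likewise belongs to the image, not the host.

```shell
#!/bin/sh
# Added example for the rootless-docker device question; not the poster's code.
# Constructed /proc/<pid>/uid_map and gid_map contents ("inside outside count"),
# derived from "admin:100000:65536" in /etc/subuid and /etc/subgid.
UID_MAP='0 1000 1
1 100000 65536'
GID_MAP='0 1000 1
1 100000 65536'
OVERFLOW_ID=65534   # kernel.overflowuid/overflowgid default; shown as nobody/nogroup

# host_to_ns HOST_ID MAP -> id as seen inside the namespace, or 65534 if unmapped
host_to_ns() {
  _hid=$1
  _r=$(printf '%s\n' "$2" | while read -r inside outside count; do
    [ -z "$inside" ] && continue
    if [ "$_hid" -ge "$outside" ] && [ "$_hid" -lt $((outside + count)) ]; then
      echo $((inside + _hid - outside)); break
    fi
  done)
  echo "${_r:-$OVERFLOW_ID}"
}

# ns_to_host NS_ID MAP -> host id behind a namespace id, or empty if unmapped
ns_to_host() {
  _nid=$1
  printf '%s\n' "$2" | while read -r inside outside count; do
    [ -z "$inside" ] && continue
    if [ "$_nid" -ge "$inside" ] && [ "$_nid" -lt $((inside + count)) ]; then
      echo $((outside + _nid - inside)); break
    fi
  done
}

# rw_allowed MODE DEV_UID DEV_GID PROC_UID "PROC_GIDS" -> success if read+write is
# allowed. All ids are HOST ids. MODE is octal like 0660 (crw-rw----). Mirrors the
# discretionary check: owner bits if uid matches, else group bits if any gid
# matches, else "other" bits.
rw_allowed() {
  _m=${1#"${1%???}"}        # last three octal digits, e.g. 660
  _o=${_m%??}               # owner digit
  _g=${_m#?}; _g=${_g%?}    # group digit
  _w=${_m#??}               # other digit
  _duid=$2; _dgid=$3; _puid=$4; _pgids=$5
  if [ "$_puid" -eq "$_duid" ]; then
    _bits=$_o
  else
    _bits=$_w
    for g in $_pgids; do
      [ "$g" -eq "$_dgid" ] && _bits=$_g && break
    done
  fi
  [ $(( $_bits & 6 )) -eq 6 ]
}

# container_rw MODE DEV_UID DEV_GID NS_UID "NS_GIDS" -> same check for a process
# that reports NS_UID/NS_GIDS inside the container (translated to host ids first).
container_rw() {
  _huid=$(ns_to_host "$4" "$UID_MAP"); _huid=${_huid:-$OVERFLOW_ID}
  _hgids=''
  for g in $5; do _hgids="$_hgids $(ns_to_host "$g" "$GID_MAP")"; done
  rw_allowed "$1" "$2" "$3" "$_huid" "$_hgids"
}

# Demo: /dev/udmabuf is 0660 root:udmabufgroup, i.e. host uid 0, host gid 1001.
echo "host gid 1001 inside the namespace: $(host_to_ns 1001 "$GID_MAP")"   # 65534
echo "container uid 1000 on the host:     $(ns_to_host 1000 "$UID_MAP")"   # 100999
rw_allowed 0660 0 1001 1000 "1000 1001" && echo "host admin (groups 1000 1001): rw ok"
container_rw 0660 0 1001 0 "0"        || echo "container root (host 1000, gid 1000): denied"
container_rw 0660 0 1001 1000 "1000"  || echo "container --user 1000 (host 100999): denied"
```

The model reproduces the three observations in the post: host gid 1001 has no entry in the gid map, so the node shows as nogroup; container root is host uid 1000 with only the mapped gid 1000, so the 0660 group bits never apply and the "other" bits (0) decide; and `--user 1000` becomes host uid 100999, which is neither owner nor group. Note that `--group-add 1001` cannot help either, because gid 1001 inside the container translates to host gid 101000, not 1001. Run `container_rw 0660 0 1000 0 "0"` to see that the same check passes when the device's host group is the user's primary group (gid 1000), and `rw_allowed 0666 0 1001 1000 "1000"` to see it pass with a world-rw mode; both are host-side changes (for example via a udev rule) rather than anything set in `docker run`.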