Docker Community Forums

Share and learn in the Docker community.

Docker volumes and file/dir ownership: clean separation on Mac, not on RHEL

(Mdf0) #1

I have set up a centos 7 image in a docker container on a Mac (running Docker v1.12.1). I’ve added a centos user in that container and have mounted a volume in the Mac filesystem for use as centos user’s home directory (it lives in $HOME/dockerhome on my Mac). In the host filesystem, the volume retains my ownership (uid1055); in the container, the mounted volume’s files/directories take on the centos user’s ownership (uid 1001). Exactly as one would expect/want.

I have built the same container on a RHEL 7 host, mounting a similar host filesystem volume for use as the centos user’s home directory. When I log in to the centos container, the centos user’s files/directories do not have the centos user’s ownership (uid 1001). Instead, they show the uid that is the same as my mac login’s uid (1055). I can recursively chown the centos user’s home directory and all looks good. But when I look at the RHEL filesystem, the ownership of the volume has been changed to some other user’s identity (specifically, the person with uid 1001, the centos usr’s uid in the container).

Is there some fundamental limitation in docker for RHEL/Linux that makes this happen?

I mentioned “similar host filesystem” on RHEL. In our RHEL cluster one cannot chown on a mounted filesystem, even with sudo privileges; this can only be performed when the volume lives on a local disk. So the desire to keep the docker home directories in, e.g., ~/dockerhome, fails because docker seems to be trying (and failing) to perform some chowns (not described in the Dockerfile or the start script, so assumed to be part of the --volume treatment). When I place the volume in /var or /opt with appropriate ownerships, no chown errors are reported, the container runs, yet with the aforementioned ownership problem.

Any idea what’s different between the two docker hosts?

Specifics: OSX 10.11.6; docker v1.12.1 on mac, v1.12.2 on RHEL 7; centos 7

(David Maze) #2

This behavior seems extremely obvious to me: when you tell Docker to share a directory tree between the container and a host, the numeric user IDs are shared. (And in fact I’ve had some trouble with the uid remapping on MacOS in the past, which can result in a container process not being able to read a file it just wrote.)

I’m not aware of any uid remapping capability on Linux; there’s certainly no discussion of it in the docker run documentation.

One thing that may help you is to force the container to run your process as the host’s numeric user ID,

docker run -u$(id -u)

Another thing that might help is to not try to store whatever content in bind-mounted directories and just use Docker volumes instead.

(Mdf0) #3

Not sure that matches my experience. On MacOS my uid (numeric id) is 501, and in the centos container, my added user’s uid is 1001. The shared (bind-mounted) directory is owned by me (501) in the host filesystem but is owned by the centos usr (1001) in the container.

Aligning the uids is a possibility, but they are separate identities (different login names), so it would seem like a hack. And it’s not necessary on my Mac. That’s why I’m asking about the Linux behavior being different.