Getting setfacl working inside a container

I’m trying to set up default file permissions inside a Linux container using the setfacl command, but I’m getting the error “Operation not supported”.

It looks like the acl option is missing in /etc/mtab in the root file system definition (overlay), but when I try to open the file /proc/mounts (aka ~self/mounts) for editing I get an empty file … Any ideas how to permanently add this acl option?

According to the setfacl man page, the capability CAP_FOWNER is required:

PERMISSIONS

The file owner and processes capable of CAP_FOWNER are granted the right to modify ACLs of a file. This is analogous to the permissions required for accessing the file mode. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)

You need to add the capability FOWNER to your container:

Can it be added to the container during creation, like e.g. the variable PATH?

I am not sure what to respond to that. Have you actually followed the links I shared?

Yes, and as far as I understand, using the “docker run” command means that this particular cap will be added for a “one-time” launch of the container …

Small update - it seems that this is already added …

root@1711fbe8e2ee:/# capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=0(root)

Settings in docker run apply to the created container, and apply until the container is deleted. I am not sure what you mean by “one-time”?

It was just a hunch after looking at the documentation/man page, where I stumbled across CAP_FOWNER. I have no idea what else is missing/required.

I will leave this topic for someone who actually uses setfacl inside a container.

I’ve always created containers from the QNAP GUI, so I was not familiar with the command line … now I did some tests: pulled a fresh image from the repository, created a container using the “docker run” command with the CAP added, but the results are the same :(

I think the clue is to have the file system mounted with the “acl” option …

I can’t tell you how QNAP handles it. Though, I can tell that Synology’s ACL implementation is incompatible with the ACL package of normal distributions (which the containers use). I hope it’s not the case with QNAP.
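The three things this thread circles around (whether the process holds CAP_FOWNER, whether the filesystem backing a path is mounted with the acl option, and whether setfacl actually succeeds) can be checked from inside the container in one go. The script below is an added example written for this page, not code posted by either participant and not something Docker or QNAP ship; the script name acl-diag.sh, the scratch directory name and the sample mount table in the comments are constructed. One caveat a practitioner should keep in mind: on current kernels ext4 and xfs enable POSIX ACLs by default and do not list acl in /proc/self/mounts at all, so the mount-option check is only a hint, and the live setfacl attempt at the end is what actually decides.

```bash
#!/bin/bash
# acl-diag.sh: added example for this thread, not code from the original post.
# Checks the three things discussed above for one directory:
#   1. does this process hold CAP_FOWNER (needed to change ACLs on files it
#      does not own)?
#   2. which mount backs the path, and do its options list "acl"?
#   3. does a default ACL (setfacl -d) actually apply there?
# Usage: ./acl-diag.sh /path/inside/container

# CAP_FOWNER is capability number 3 (linux/capability.h), i.e. bit 3 of the
# CapEff mask that /proc/<pid>/status prints as hex. Returns 0 if set.
has_cap_fowner() {
    local capeff=$1
    [ $(( 0x$capeff & (1 << 3) )) -ne 0 ]
}

# Read a mount table in /proc/self/mounts format from stdin
# (device mountpoint fstype options dump pass) and print
# "mountpoint fstype options" for the longest mount point that contains
# the given path.
mount_for_path() {
    local path=$1
    awk -v p="$path" '
        {
            mp = $2
            # "/" contains everything; otherwise the mount point must be the
            # path itself or a prefix of it ending on a path separator
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; line = $2 " " $3 " " $4 }
            }
        }
        END { print line }'
}

# Returns 0 if the comma-separated options field lists "acl".
# Not conclusive: ext4 and xfs enable POSIX ACLs by default and
# do not print "acl" here at all.
mount_has_acl() {
    case ",$1," in
        *,acl,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# The authoritative test: create a scratch directory under $1 and try to set
# a default ACL on it (uid 65534 is used so no name lookup is needed).
# Returns setfacl's exit status; "Operation not supported" gives non-zero.
setfacl_works() {
    local dir=$1 t rc
    t=$(mktemp -d "$dir/acl-diag.XXXXXX") || return 1
    setfacl -d -m u:65534:rwx "$t" 2>/dev/null
    rc=$?
    rm -rf "$t"
    return $rc
}

# Print a report for one path.
diagnose() {
    local target=$1 capeff entry
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if has_cap_fowner "$capeff"; then
        echo "CapEff=$capeff: cap_fowner present"
    else
        echo "CapEff=$capeff: cap_fowner missing (docker run --cap-add FOWNER ...)"
    fi
    entry=$(mount_for_path "$target" < /proc/self/mounts)
    set -- $entry      # $1=mountpoint $2=fstype $3=options
    if mount_has_acl "$3"; then
        echo "$target: on $1 ($2), options list acl"
    else
        echo "$target: on $1 ($2), options '$3' do not list acl (hint only; ext4/xfs default to acl)"
    fi
    if setfacl_works "$target"; then
        echo "$target: setfacl -d works"
    else
        echo "$target: setfacl -d FAILS"
    fi
}

# Run the report only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

Run it as `./acl-diag.sh /data` (or whatever directory the default ACLs are meant for) inside the container. If cap_fowner is reported present, as the capsh output earlier in the thread shows it is by default, and setfacl still fails with "Operation not supported", the capability is not the problem and the answer lies in the filesystem or kernel the host provides for that path.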