Mariadb image, user namespaces and 'mysqld --user=1000'

General Discussions
1

Hi,

My question is how to best manage permissions on a mount directory on the host for mysqldb data directory.
I think the best is for me to pre-create the directory with ‘correct’ ownership, and then start the docker container. However, I’d like docker container to create the directory with the ‘correct’ ownership for me.

Also, a feature request: can the check for ‘running as root’ by this container return ‘true’ if the container runs in a user-mapped runtime?

I am running library/mariadb (10.3.2) with user namespace enabled and with docker-compose.

I mount mariadb’s data directory (/var/lib/mysql).

I require the files created by mysql to use the host’s uid:gid which I choose. For example, remapBase + 1000.

Docker trusted users (members of docker group) do not have host root privilege. However, they must have (rwx) access to the files written by the containers. So, I want the docker trusted users to also be members of the effective groups of the containers. For example, a docker trusted user would be a member a host group with gid==‘remapBase + 1000’ so they can read/write files of containers running with container gid==1000. To be most effective, I don’t want the docker containers to control which uid:gid they use.

In docker-compose file, I have two ways to control user id. One is ‘user: “1000”’ which works like ‘docker run --user’. The other is “command: mysqld --user=1000” which controls the user that mysqld runs at after starting as root.

I’ve tried these combinations:
user: "1000"
command: mysqld --user=1000

user: "0"
command: mysqld --user=1000

user undefined
command: mysqld --user=1000

All the above create files with the default uid of the container: remapBase + 999. This appears in log:
mysqld: One can only use the --user switch if running as root
I think the user id mapping causes the test here to be false. The process is running with uid==0, but its mapped to another host uid. Perhaps this test only looks at the host uid, not the container’s id.

This ‘fails’ if the mount directory does not pre-exist.

user: "1000"
command undefined

If the host mount directory does not pre-exist, it is created but by uid==0 without write permissions and so uid== ‘1000’ cannot write to the directory. Permission fail to create the mysqld datadir.

I think this is best for me now: If I pre-create the host mount directory and give it appropriate permissions, the last works.

2

This is the exact use case for a docker volume. :slight_smile:

Rather learn to use volumes, you can save and load them to move them around in a tar file.

3

Thanks, In the year since I wrote this, I learned exactly that. Indeed, I learned a great deal in the last year such that my question no longer makes sense to me. I guess it never did to anyone else, either. Thanks again.