Permission denied when using userns-remap and writing to a directory mounted from the host

Hi everyone. I am trying out the userns-remap feature of Docker to create a file inside a container as root user and have the owner of this file as test user on the host.

Issue type
When userns-remap is configured to map users from container to a user on the host, user inside the container cannot write to a directory mounted from the host.

Expected result
File is created

Actual result
Permission denied

OS Version/build
Docker: 18.03.0
Ubuntu: 16.04.4 LTS
Kernel: 4.13.0-36-generic

Steps to reproduce

sudo adduser test
sudo usermod -aG docker test
echo '{ "userns-remap": "test" }' | sudo tee -a /etc/docker/daemon.json
sudo service docker restart
su - test
mkdir tmp
docker run -v /home/test/tmp:/somedir ubuntu:16.04 touch /somedir/file.txt

Any ideas what I might be missing here?

EDIT it is stated in the docs that

…if volumes are mounted from the host, file ownership must be pre-arranged if the user or administrator wishes to have read or write access to the volume contents.

… One notable restriction is the inability to use the mknod command. Permission is denied for device creation within the container when run by the root user.

Does this mean that root user inside the container cannot create files/directories inside the mounted directory, even though the owner of the mounted directory is the user that root maps to using userns-remap, in this case test?

EDIT 2 If 777 permission is granted to the mounted directory, in this case /home/test/tmp on the host, the file can be created successfully from inside the container. However, the newly created file has the following permissions on the host:

ls -l /home/test/tmp
total 0
-rw-r--r-- 1 165536 165536 0 march 29 01:36 file.txt

User with id 165536 is not present in /etc/passwd, which brings us back to the start. I would expect that the root user inside the container has the same permissions as the test user on the host and that the files created by the root user in the container have the owner on the host that is mapped using userns-remap, i.e. test.

Hi Danilo,

Belated answer but hopefully it will help.

When you configure Docker’s “/etc/docker/daemon.json” file with {“userns-remap”: “test”}, Docker will not map root in the container to user test in the host as you are expecting. It will map root in the container to the first user-ID from within the subid range for user test, as found in /etc/subuid and /etc/subgid.

In your case it happens to be user-ID 165536 on the host.

This implies that in order for root in the container to be able to write to a bind-mounted directory, the bind-mounted directory must be owned by user-ID 165536 on the host.

FYI, I recently founded a company called Nestybox, that has developed a container runtime (aka runc) that enables Docker to launch containers that always use exclusive userns mappings per container, yet support bind-mounts into the container without requiring that you modify permissions on the bind mount source.

If this sounds interesting, the software is free to download as we are looking for adopters.

Hope this helps!
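As an added example (not code from either post above), the following script shows how to work out the host UID that a container UID lands on under userns-remap, by reading the remapped user's first entry in /etc/subuid, and how to check whether a bind-mount source directory is owned by that UID before starting the container. The sample subuid content is constructed to match the numbers in this thread (user test owning the range starting at 165536); the function and variable names are the example's own.

```shell
#!/bin/sh
# Constructed /etc/subuid content mirroring the thread: the "test" user owns
# 65536 subordinate UIDs starting at 165536, so container root -> host 165536.
SAMPLE_SUBUID='dockremap:100000:65536
test:165536:65536'

# map_uid USER CONTAINER_UID [SUBUID_CONTENT]
# Prints the host UID that CONTAINER_UID maps to inside USER's first subuid
# range (the range dockerd uses for userns-remap). Returns 1 when USER has no
# entry or CONTAINER_UID falls outside the range. Defaults to /etc/subuid.
map_uid() {
    user=$1
    cuid=$2
    content=${3:-$(cat /etc/subuid 2>/dev/null)}
    line=$(printf '%s\n' "$content" | grep "^${user}:" | head -n 1)
    [ -n "$line" ] || return 1
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    [ "$cuid" -ge 0 ] && [ "$cuid" -lt "$count" ] || return 1
    echo $((start + cuid))
}

# check_bind_mount USER DIR [SUBUID_CONTENT]
# Returns 0 when DIR is owned by the host UID that container root maps to,
# otherwise prints the chown that would fix it and returns 1. Uses the numeric
# owner from "ls -ldn" so it works even when the UID has no /etc/passwd entry.
check_bind_mount() {
    user=$1
    dir=$2
    want=$(map_uid "$user" 0 "$3") || { echo "no subuid range for $user" >&2; return 1; }
    have=$(ls -ldn "$dir" | awk '{print $3}')
    if [ "$have" = "$want" ]; then
        echo "$dir is owned by $want: container root can write to it"
        return 0
    fi
    echo "$dir is owned by $have but container root maps to $want" >&2
    echo "fix: sudo chown $want \"$dir\"" >&2
    return 1
}

# Stand-alone demonstration using the constructed sample.
if [ "${0##*/}" != "sh" ]; then
    echo "container root (uid 0)    -> host uid $(map_uid test 0 "$SAMPLE_SUBUID")"
    echo "container uid 1000        -> host uid $(map_uid test 1000 "$SAMPLE_SUBUID")"
    map_uid test 70000 "$SAMPLE_SUBUID" || echo "container uid 70000 is outside the 65536-wide range"
fi
```

To apply this to the thread's setup, run check_bind_mount test /home/test/tmp on the host: it reads the real /etc/subuid, reports 165536 as the owner container root needs, and prints the chown that makes the directory writable without opening it up to mode 777. Note that chown to 165536 makes the directory unwritable for the test user itself; if both need access, use a group or an ACL rather than world-writable permissions.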