Docker Community Forums

Share and learn in the Docker community.

Permission denied when using userns-remap and writing to a directory mounted from the host


(Daniloradenovic) #1

Hi everyone. I am trying out the userns-remap feature of Docker to create a file inside a container as root user and have the owner of this file as test user on the host.

Issue type
When userns-remap is configured to map users from container to a user on the host, user inside the container cannot write to a directory mounted from the host.

Expected result
File is created

Actual result
Permission denied

OS Version/build
Docker: 18.03.0
Ubuntu: 16.04.4 LTS
Kernel: 4.13.0-36-generic

Steps to reproduce

sudo adduser test
sudo usermod -aG docker test
sudo echo '{ "userns-remap": "test"}' >> /etc/docker/daemon.json
service docker restart
su - test
mkdir tmp
docker run -v /home/test/tmp:/somedir ubuntu:16.04 touch /somedir/file.txt

Any ideas what I might be missing here?

EDIT it is stated in the docs that

…if volumes are mounted from the host, file ownership must be pre-arranged need read or write access to the volume contents.

… One notable restriction is the inability to use the mknod command. Permission is denied for device creation within the container when run by the root user.

Does this mean that root user inside the container cannot create files/directories inside the mounted directory, even though the owner of the mounted directory is the user that root maps to using userns-remap, in this case test?

EDIT 2 If 777 permission is granted to the mounted directory, in this case /home/test/tmp on the host, file can be created successfully from inside the container. However, the newly created file has the following permissions on the host:

ls -l /home/test/tmp
total 0
-rw-r–r-- 1 165536 165536 0 march 29 01:36 file.txt

User with id 165536 is not present in the /etc/passwd which brings us back to the start. I would expect that the root user inside the container has the same permissions as the test user on the host and that the files created by root user in the container have the owner on the host that is mapped using userns-remap, i.e. test.