I’m attempting to run rootless Docker.
I’ve mapped the /var/log/auth.log file to the container because I want the log to be read from within the container. On the host system, auth.log has the permissions 640 and has the owner syslog(uid:107):adm(gid:4).
In the container this log file is seen as nobody(uid:65534):nobody(gid:65534), which I think I understand. I believe it’s because the file is not owned by the user that is running the Docker daemon?
I’ve tried the following:
- On the host system I’ve added the user that the docker daemon is running as to the adm usergroup
- In the container I’ve added the container user to the nobody group
But I still get a ‘Permission denied’ message when I attempt to cat the contents.
So far I’ve only been able to get the container to be able to read the contents of auth.log if I set the permissions of the auth.log to 644, which is undesirable since its contents shouldn’t be read by everyone.
Is there a method to allow the container to read the contents of the log?
So you run rootless Docker to deny access to files that are not owned by your user and you want to access a file that is not owned by your user. That won’t work. If you want to access files that require root privileges, you need to run rootful Docker. Rootless Docker will run containers in a user namespace so the userid on the host and in the container will not be the same. Your user will be root having UID 0 in the container and other users in the container will have a larger UID from the host’s point of view. If you run rootless Docker which is for security purposes, don’t try to allow non-root users accessing system files!
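Added example, not part of any post in this thread: a Python model of the user-namespace ID mapping described in the answer above, showing why syslog:adm appears as 65534 inside the container and why joining the container's nobody group does not grant access to a 640 file. The map values (host UID/GID 1000, subordinate range 100000:65536) are constructed assumptions, and the function names are illustrative.

```python
# Model of Linux user-namespace ID translation (the /proc/<pid>/uid_map format).
OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid, displayed as "nobody"

# Constructed sample map: rootless daemon run by host UID/GID 1000, with an
# assumed /etc/subuid and /etc/subgid range of 100000:65536.
SAMPLE_MAP = """\
         0       1000          1
         1     100000      65536
"""


def parse_id_map(text):
    """Return (inside_start, outside_start, length) extents."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]


def host_to_container(host_id, extents):
    """ID shown inside the namespace for a host ID."""
    for inside, outside, length in extents:
        if outside <= host_id < outside + length:
            return inside + (host_id - outside)
    return OVERFLOW_ID  # unmapped host IDs appear as the overflow ID


def container_to_host(container_id, extents):
    """Host ID that backs a container ID, or None if unmapped."""
    for inside, outside, length in extents:
        if inside <= container_id < inside + length:
            return outside + (container_id - inside)
    return None


def container_can_read(mode, owner_uid, owner_gid, c_uid, c_gids, extents):
    """Owner/group/other read check done with host-side IDs, as the kernel does.

    Assumes the process holds only groups assigned inside the container.
    Namespace root gets no override for files whose owner is unmapped.
    """
    host_uid = container_to_host(c_uid, extents)
    host_gids = {container_to_host(g, extents) for g in c_gids}
    if host_uid == owner_uid:
        return bool(mode & 0o400)
    if owner_gid in host_gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


if __name__ == "__main__":
    m = parse_id_map(SAMPLE_MAP)
    print(host_to_container(107, m), host_to_container(4, m))   # syslog:adm as seen inside
    print(container_can_read(0o640, 107, 4, 0, {0, 65534}, m))  # auth.log at mode 640
```

Container group 65534 is backed by host GID 165533 under this map, not by adm (GID 4), so only the "other" permission bits apply to the container process.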
I don’t actually want to run this container as rootless; I want to run other containers as rootless but I speculated that rootful and rootless Docker can’t run side by side - or can they?
EDIT: I made the speculation because some rootless install guides state:
sudo systemctl disable --now docker.service docker.socket
When you install rootless Docker, it could recommend disabling the rootful Docker, because it assumes you want to run only one daemon and if you have two, you could accidentally run containers on the wrong Docker. You can have both and you can switch between them by using
docker context use CONTEXTNAME
Where context name can be “default” (rootful docker) or “rootless”.