Share access to a directory in and out of docker

Hi everyone, I’ll get straight to the point.

I created the files root and normal-user

Here is the root file content

FROM ubuntu:latest
CMD ["touch", "/data/root-file"]

Here is the normal-user file content

FROM ubuntu:latest

RUN groupadd \
    -g 1234 \
    devel \
&& useradd \
    -m \
    -s /bin/bash \
    -u 1234 \
    -g devel \
    devel
USER devel

CMD ["touch", "/data/normal-user-file"]

Note that, in the normal-user file, devel was created and set as default user.

So I created the data directory

+ mkdir /tmp/data-0020241206
+ ls -ld /tmp/data-0020241206
drwxrwxr-x 2 abc abc 4096 dic  6 09:54 /tmp/data-0020241206

I don’t know if this is relevant, but as you may have noticed, that directory has “abc” (as user and as group).

Everything is OK, so let’s do some tests

+ docker build -t test -f root .
+ docker run -v /tmp/data-0020241206:/data --rm test
+ ls -l /tmp/data-0020241206/root-file
-rw-r--r-- 1 root root 0 dic  6 10:03 /tmp/data-0020241206/root-file

mmmhhh…

Apparently everything is ok, but as you may have noticed, the “root-file” has “root” (as user and as group).

For many people, this is not a good thing, because it can undermine, above all, security (I won’t go into detail).

So I tried this other approach (instead of the “root” dockerfile, the “normal-user” dockerfile will be used)

+ docker build -t test -f normal-user .
+ docker run -v /tmp/data-0020241206:/data --rm test
touch: cannot touch '/data/normal-user-file': Permission denied

As you can see there is some problem.

Surely this is due to the fact that user and group (abc and devel) are different.

How can this be solved?

Maybe you need to map permissions… map volumes… or?

In practice, how can you give two or more users access to the same directory?

In practice, I would like the devel user (from inside docker) to be able to create /data/normal-user-file without any problems, and the abc user (from outside docker) to be able to access the file /tmp/data-0020241206/normal-user-file (even read-only).
Yes, read-only: that’s exactly what I want (for personal security reasons).

In a corporate environment, what is the most conventional practice?

RECAP

/data/: read and write for both users
/data/normal-user-file: write (reading permission is not mandatory, I don't care...) for devel, read for abc

You either have rootless Docker or Docker Desktop that works similarly regarding file permissions. The reason is exactly security. So your own user’s file could be read by root in the container and you don’t actually need to mount anything from the root user.

We discussed it a couple of times, but I didn’t have time to make it a blogpost yet. Some I found on the forum

It is about permissions on Linux. With or without containers, it doesn’t matter. If the files have the right ownerships and permissions, and users have the right groups, multiple users can access the same files. In rootless Docker you need to know about the UID mapping which is the same as when using user namespaces as that is what the rootless Docker is based on.

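The reply above says the outcome is decided by ordinary Linux permissions, on either side of the container boundary. As an added example (not code from the thread or from Docker), this POSIX shell script applies those rules to a host directory for a given numeric uid/gid, so the two runs above can be predicted before starting a container, and checks for the conventional shared-group layout (common group, mode 2775 so new files inherit the group). It assumes GNU stat on Linux and no ACLs; uid 1234 and the mode values are constructed inputs.

```shell
#!/bin/sh
# Added example, not the thread's code. It applies the plain Unix DAC rules
# (owner / group / other mode bits, root bypass) to a host directory, which is
# what decides whether "touch /data/..." inside the container succeeds: the
# kernel sees only the numeric uid/gid of the process, never "abc" or "devel".
# Assumptions: GNU stat (Linux), no POSIX ACLs, no extra capabilities.

# can_write DIR UID GID [SUPPLEMENTARY_GID ...]
# Prints "allowed" or "denied"; exit status 0 when the write is allowed.
can_write() {
  dir=$1; uid=$2; gid=$3; shift 3
  owner=$(stat -c '%u' "$dir"); group=$(stat -c '%g' "$dir")
  perms=$(stat -c '%a' "$dir"); perms=${perms#${perms%???}}   # last 3 octal digits
  o=${perms%??}; g=${perms#?}; g=${g%?}; w=${perms#??}       # owner/group/other
  if [ "$uid" -eq 0 ]; then
    bits=7                    # root (CAP_DAC_OVERRIDE) ignores the mode bits
  elif [ "$uid" -eq "$owner" ]; then
    bits=$o                   # owner class
  else
    bits=$w                   # other class, unless one of the gids matches
    for cand in "$gid" "$@"; do
      [ "$cand" -eq "$group" ] && bits=$g && break
    done
  fi
  # creating an entry needs both w (2) and x (1) on the directory itself
  if [ $(( bits & 3 )) -eq 3 ]; then echo allowed; return 0; fi
  echo denied; return 1
}

# is_shared_dir DIR GID
# True when DIR follows the conventional shared-group layout: group == GID,
# group rwx and the setgid bit, so files devel creates inherit that group and
# abc can read them through the group bits without any chown afterwards.
is_shared_dir() {
  dir=$1; want=$2
  mode=$(stat -c '%a' "$dir"); special=${mode%???}; perms=${mode#${mode%???}}
  g=${perms#?}; g=${g%?}
  [ "$(stat -c '%g' "$dir")" -eq "$want" ] && [ "$g" -eq 7 ] &&
    [ -n "$special" ] && [ $(( special & 2 )) -ne 0 ]
}

# Walk through the thread's setup with constructed ids: dir owned by the current user (abc), mode 775, devel = 1234:1234.
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d); chmod 775 "$d"
  can_write "$d" "$(stat -c '%u' "$d")" 99999               # abc: allowed (owner)
  can_write "$d" 1234 1234                                  # devel: denied (other)
  can_write "$d" 1234 1234 "$(stat -c '%g' "$d")"           # devel in abc's group: allowed
  rm -rf "$d"
fi
```

With the directory from the thread (owned by abc, mode 775) the devel process 1234:1234 lands in the other class and is denied; adding devel to the directory's group in the Dockerfile, or starting the container with --user "$(id -u):$(id -g)", moves it into the group or owner class.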

Meaning what?
I’ve never used Docker Desktop…

Indeed.
What should I mount?
It seems obvious to me that there is nothing to mount.

Anyway, could you try to explain better (I don’t speak English)?

It is about permissions on Linux: OK
With or without containers, it doesn’t matter: Meaning what?

Difference between ownership and permissions?

Simply put, what do you mean by mapping?

Something like the following?

$ id
uid=1000(abc) gid=1000(abc) gruppi=1000(abc),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),142(docker)

I ADD (since the post is no longer editable)

Are you referring to linux containers (do linux containers exist?), or docker containers?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.