User IDs not lining up and permission woes :-(

I’m having inconsistent behavior when running a container in Docker with volumes.

The issue seems to be explained in more detail here: Permission problems in bind mount in Docker Volume | techflare

Basically I have an alpine app with a user created that owns the container assets under /app. I have a volume exposed where the data should be written out.

If I run the container and let it run as the container’s root user it works fine but it creates the files owned by root, where my host user doesn’t have access to them.

If I run the container as a non-privileged user, then I get into a weird mess of UID hell.

id
uid=100(appuser) gid=100(users) groups=100(users)
ls -lh
-rwxr-xr-x    1 appuser  users      11.5M Mar 22 16:04 config-generate
drwxr-sr-x    1 appuser  users       4.0K Mar 22 16:04 config_files
drwxr-xr-x    2 5434     users       4.0K Mar 22 15:34 docker_overrides
drwxrw-rw-    3 5434     users       4.0K Mar 22 15:33 metricbeat
drwxr-sr-x    1 appuser  users       4.0K Mar 22 16:04 mibs
drwxr-xr-x    2 root     root        4.0K Mar 22 16:05 telegraf
 cd metricbeat/
sh: cd: can't cd to metricbeat/: Permission denied

for context: telegraf and metricbeat are defined as VOLUME in the Dockerfile.
5434:users is the local user.
appuser:users is the container user.

My configuration:

  config:
     #command: "poller generate --outputFilter metricbeat"
    entrypoint: "sleep 9999"
    image: testing:latest
    network_mode: host
    env_file: .env
    volumes:
      - ./config_generate:/app/docker_overrides/
      - type: bind
        source: ./metricbeat
        target: /app/metricbeat

One idiotic non-portable solution is to hard code the UID and GID of the local user into the container which I’d rather not do. The user argument doesn’t seem to do anything for me. I tried adding this line:

   user: "5434:100"

Now, I have found a solution where I can pass a flag to metricbeat to be more forgiving on UID matching, but is there a more intelligent way of doing this?

Ideally it would be nice if the mount/bind/volume would support a way to specify the UID/GID to match the values from the user flag.

Any ideas?

Let’s remove Docker for a second from the equation and assume you installed an application using a package from your distro’s repository, which installs an application, creates a restricted user and runs the application as such restricted user. Furthermore, let’s assume you want to use a folder of your choosing, but the restricted user that runs the process is not allowed to write into that folder.

To resolve this situation you would align either the ownership of the folder with the user that runs the process or, less likely, change the user’s uid/gid of the process to match the folder.

A container is nothing more than an isolated process on the host, so the solution looks pretty much the same. Make sure you align the uid/gid of the (host) folder owner to the uid/gid that runs the process.
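An added example (not from either poster) in POSIX sh that applies the reply’s advice: before starting the container, check whether the host directory behind a bind mount is writable by the uid:gid the container process runs as, and if not, print the chown that would align them. It assumes GNU stat (-c) or BSD stat (-f) is available and that the process has no supplementary groups.

```shell
#!/bin/sh
# Added example, not code from the thread: check a bind-mount source directory
# against the uid:gid a container will run as (e.g. user: "5434:100").
# Assumes GNU stat (Linux) or BSD stat (macOS) and a POSIX sh.

# Print "uid gid mode" for PATH; try GNU stat first, then BSD stat.
owner_of() {
    stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %Lp' "$1"
}

# mount_writable DIR UID GID
# Exit 0 if a process running as UID:GID (no supplementary groups) may create
# files in DIR, 1 otherwise. Mirrors the owner/group/other check the kernel
# does on the directory's write bit; uid 0 is treated as always allowed.
mount_writable() {
    dir=$1 want_uid=$2 want_gid=$3
    [ "$want_uid" -eq 0 ] && return 0
    info=$(owner_of "$dir") || return 1
    set -- $info
    own_uid=$1 own_gid=$2 mode=$3
    # keep the last three octal digits (drops setuid/setgid/sticky), zero-padded
    perms=$(printf '%03d' "${mode#"${mode%???}"}")
    if [ "$want_uid" -eq "$own_uid" ]; then
        bits=${perms%??}                   # owner digit
    elif [ "$want_gid" -eq "$own_gid" ]; then
        bits=${perms#?}; bits=${bits%?}    # group digit
    else
        bits=${perms#??}                   # other digit
    fi
    [ $((bits & 2)) -ne 0 ]
}

# check_mount DIR UID GID: report, and on a mismatch show the ownership change
# that aligns the host folder with the container user, as the reply suggests.
check_mount() {
    if mount_writable "$1" "$2" "$3"; then
        echo "ok: $1 is writable by $2:$3"
    else
        echo "mismatch: $1 is not writable by $2:$3; align with: chown $2:$3 $1"
        return 1
    fi
}
```

Run it as `check_mount ./metricbeat 5434 100` from the compose project directory before `docker compose up`.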