Volume mounting user/root difference between mac and linux

Hi all

I’m creating an Oracle database container on my Mac that is also put on a Linux server, based on the scripts found here: https://github.com/oracle/docker-images/tree/master/OracleDatabase .
I’m using Docker CE at the moment.

After getting something useful on my mac I put my config files over on the linux machine, only to find out the volume I use for .dmp files behaves differently. (A .dmp file contains a database dump.)

First off I run the docker container like so on both environments:

#!/bin/bash

# get our current running dir, since the 'docker run' command expects absolute paths for volumes
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

docker run --name oracle-db --rm \
  -p 1521:1521 -p 5500:5500 \
  -e ORACLE_SID=OUR_SID \
  -e ORACLE_PDB=PDB1 \
  -e ORACLE_PWD=REDACTED \
  -e ORACLE_CHARACTERSET=AL32UTF8 \
  -v "$DIR/dmp:/media/dmp" \
  oracle/database:12.2.0.1-ee

This runs the image just fine, the user being run inside is the general oracle user (instead of root).
One of the first steps I do after the container runs is importing said .dmp file, which is passed along through the volume that’s placed at /media/dmp . On Mac this works flawlessly, but when doing this on an Ubuntu 16.04 Docker setup the import command fails: I get a ‘permission denied’ error because the import process can’t create a logfile for the import in that /media/dmp mount point.

The reason is a difference of how the mount is done on mac (verified by doing cat /etc/mtab | grep dmp):
osxfs /media/dmp fuse.osxfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other,max_read=1048576 0 0
Here the result of the same command on the linux system:
/dev/mapper/dtm--dvl01--vg-root /media/dmp ext4 rw,relatime,errors=remount-ro,data=ordered 0 0

When taking a look at the permissions on the mac container (by doing ls -l /media/):
drwxr-xr-x 7 oracle oinstall 238 Aug 10 09:26 dmp
For linux:
drwxrwxr-x 2 root root 4096 Aug 10 09:19 dmp

You can see the mount folder in the container running on mac is fully accessible for the ‘oracle’ user, for linux it’s created/mounted as the root user.
So what’s up with this difference of having a ‘clean’ user mapping when running the container with a volume on mac, while the same command when running the container on a linux system creates the mountpoint just for root, with other users having read access?
I googled a bunch of things to find any answers or tips/workarounds for my situation, but did not find anything directly relevant for me. I would prefer a cross-platform solution, but I noticed there are differences for the storage drivers. CentOS systems only seem to support the devicemapper driver, which is applicable here I think since the Oracle image is based on Oracle Linux, which is a fork of RHEL.

(I did some other tests earlier with nginx & tomcat in docker that also use the volume feature, for which read/write did work on both mac and linux. To my surprise I just noticed they run everything as root inside the container, so it’s easy to understand why this worked without any fuss. But this seems a very big no-no from a security standpoint. Ah well.)
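Added example, not part of the original post: a small shell check that applies the owner/group/other rule to the two `ls -l` lines quoted above and reports whether the `oracle` user could create the import logfile in `/media/dmp`. The function name `can_create` and the assumption that `oracle` is a member of `oinstall` are illustrative, not taken from the post or the Oracle image.

```shell
#!/bin/bash
# Added example (not from the original post): classic owner/group/other check
# applied to one line of `ls -l` output for a bind-mounted directory.

# can_create USER USER_GROUPS LS_LINE
# Prints the permission class that applies to USER (root|owner|group|other).
# Returns 0 if that class may create files in the directory (needs w and x).
can_create() {
  local user="$1" user_groups="$2" ls_line="$3"
  local mode owner group rest bits class g
  # ls -l fields: mode, link count, owner, group, ...
  read -r mode rest owner group rest <<EOF
$ls_line
EOF
  if [ "$user" = root ]; then
    # root normally bypasses mode bits (CAP_DAC_OVERRIDE)
    echo root; return 0
  fi
  if [ "$user" = "$owner" ]; then
    class=owner; bits=$(printf %s "$mode" | cut -c2-4)
  else
    class=other; bits=$(printf %s "$mode" | cut -c8-10)
    for g in $user_groups; do
      if [ "$g" = "$group" ]; then
        class=group; bits=$(printf %s "$mode" | cut -c5-7); break
      fi
    done
  fi
  echo "$class"
  case $bits in
    ?w[xst]) return 0 ;;   # s/t mean the x bit is set as well
    *)       return 1 ;;
  esac
}

# The two listings quoted in the post; oracle's membership of oinstall is assumed.
mac_line='drwxr-xr-x 7 oracle oinstall 238 Aug 10 09:26 dmp'
linux_line='drwxrwxr-x 2 root root 4096 Aug 10 09:19 dmp'
for l in "$mac_line" "$linux_line"; do
  if cls=$(can_create oracle oinstall "$l"); then verdict="can create files"
  else verdict="permission denied"; fi
  echo "oracle -> $l : class=$cls, $verdict"
done
```

The kernel compares numeric uid/gid values rather than names, so on a real system feed the function `ls -ln` output and the numbers from `id -u` and `id -G` taken inside the container.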