Trying to use Docker volume mounts on NixOS unstable, I am facing the problem that the mounted volume inside the container is owned by root instead of the requested user id, and thus the user in the container can neither enter nor write to that directory:
On NixOS unstable the container is not able to reach the volume mount:
~ docker run --rm --tty --interactive --name perm_test \
--volume "$(pwd):/var/www/html" --user $(id -u):$(id -g) \
php:8.2 ls -l /var/www/html
ls: cannot open directory '/var/www/html': Permission denied
This does not seem to be about www-data or about php; the same happens with any other directory and other images, e.g. alpine:
~ docker run --rm --tty --interactive --name perm_test \
--volume "$(pwd):/var/opt" --user $(id -u):$(id -g) \
alpine:latest ls -l /var/opt
ls: can't open '/var/opt': Permission denied
On a Debian or Ubuntu system, this example shows the content of $(pwd), which is why I suspect NixOS has some (security?) settings that interfere with Docker in some way.
It might become clearer when going up one directory:
~ id -u && id -g && docker run --rm --tty --interactive --name perm_test \
--volume "$(pwd):/var/www/html" --user $(id -u):$(id -g) \
php:8.2 ls -l /var/www/
1000
100
total 4
drwx------ 39 root root 4096 Sep 3 09:41 html
The volume mounted to the directory is owned by root, while the current user should be the same as on the host machine. On a Debian system, the same command shows the expected ownership:
u@deb ~ id -u && id -g && docker run --rm --tty --interactive --name perm_test \
--volume "$(pwd):/var/www/html" --user $(id -u):$(id -g) \
php:8.2 ls -l /var/www/
1000
1000
total 4
drwxr-xr-x 18 1000 1000 4096 Sep 3 14:23 html
Passing :z to the volume mount argument as suggested elsewhere does not make a difference here (:U even returns “invalid mode”).
Also, since this is actually an environment based on ddev, it is not an option to switch to podman or even more nix-styled approaches for now.
So what is the matter with this? Is it a Docker or a NixOS issue? What is actually the problem here? Is there a way to mitigate this, so that I can use my NixOS machine to contribute to this project using the same ddev environment that the rest of the team uses on their machines? Please help!
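A pre-flight check that can be run on the host before docker run, as an added example that is not part of the original post or of ddev: it performs the comparison the post does by hand (host uid/gid against the owner, group and mode of the bind-mount source) and refuses to continue when the uid:gid that will be passed to --user could not even enter the directory, printing the reason in one line instead of a bare "Permission denied" from inside the container. It assumes GNU coreutils stat on the host; the function name check_mount_source is my own.

```shell
#!/bin/sh
# Added example, not from the original post. Before running
#   docker run --volume SRC:DST --user UID:GID ...
# verify on the host that UID:GID can traverse (x) and, optionally, write (w)
# the bind-mount source SRC. Uses stat(1) from GNU coreutils (assumed).
#
# Usage: check_mount_source SRC UID GID [w]
# Exit status: 0 if SRC is usable by UID:GID, 1 otherwise; the reason is
# printed on stderr so it is visible before the container ever starts.
check_mount_source() {
    src=$1; uid=$2; gid=$3; want_write=${4:-}
    if [ ! -d "$src" ]; then
        echo "check: $src is not a directory" >&2
        return 1
    fi
    # owner uid, owner gid, octal mode (e.g. 700 or 755)
    info=$(stat -c '%u %g %a' "$src") || return 1
    set -- $info
    owner=$1; group=$2; mode=$3
    # Select the permission triplet that applies to UID:GID (user/group/other),
    # exactly as the kernel does for the user running inside the container.
    if [ "$uid" = "$owner" ]; then
        bits=$(( (0$mode >> 6) & 7 )); who=owner
    elif [ "$gid" = "$group" ]; then
        bits=$(( (0$mode >> 3) & 7 )); who=group
    else
        bits=$(( 0$mode & 7 )); who=other
    fi
    # x (1) is needed to enter the directory, w (2) to create files in it.
    if [ $(( bits & 1 )) -eq 0 ]; then
        echo "check: uid=$uid gid=$gid cannot enter $src (owner $owner:$group, mode $mode, matched as $who)" >&2
        return 1
    fi
    if [ -n "$want_write" ] && [ $(( bits & 2 )) -eq 0 ]; then
        echo "check: uid=$uid gid=$gid cannot write to $src (owner $owner:$group, mode $mode, matched as $who)" >&2
        return 1
    fi
    return 0
}

# Typical use in front of the command from the post (constructed, not run here):
#   check_mount_source "$(pwd)" "$(id -u)" "$(id -g)" w &&
#     docker run --rm -it --volume "$(pwd):/var/www/html" \
#       --user "$(id -u):$(id -g)" php:8.2 ls -l /var/www/html
```

The check only reasons about classic mode bits; an ACL, an unprivileged user namespace remapping (userns-remap) or a mount that is not actually the directory you expect can still make the container see root:root with mode 700, which is the case the post's ls -l output shows. In that situation the host-side check passes while the container still fails, which narrows the problem to what Docker mounts rather than to host permissions.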