Rootless Docker: Permission denied when writing files to volume mount without sudo

Question

I'm unable to write to a mounted volume when in my container (through ssh) without sudo permissions. The mounted folder is host user's home folder at the host. I'm running a rootless docker daemon.

I did the following steps to start a container:

1. I've set up a rootless docker following the instruction on https://docs.docker.com/engine/security/rootless/

2. Build the Dockerfile (below) with this command:

   docker build --build-arg USER_ID=$(id -u) --build-arg GROUP_ID=$(id -g) --build-arg USER_NAME=user--build-arg USER_PASS=user -t test .

3. Started a container using the command:

   docker run -d --name test_container -p 50000:22 -v /home/$(id -u -n):/mnt/home test

4. Ssh'd into my container via

   ssh user@localhost -p 50000

When I create a file in my home directory I get a permission denied. When I create a new folder in my host and chmod it to 777; then I'm able to create files but they don't appear in my original host with the proper user/group, instead I get something like:

drwxrwxrwx  6 gdekkers gdekkers 4096 May 25 21:10 .
drwxr-xr-x 14 gdekkers gdekkers 4096 May 25 21:10 ..
drwxrwxrwx  3 gdekkers gdekkers 4096 Apr 30 13:01 SomeFolder
drwxr-xr-x  2   100999   100999 4096 May 25 21:08 test
drwxr-xr-x  2   100999   100999 4096 May 25 21:10 test2

which is inconvenient as I need to apply chown periodically. It seems to be related to the namespaces that a rootless Docker uses. How could I make sure that the files that are created match the user at my host?

Dockerfile:

FROM nvidia/cuda:11.2.2-cudnn8-runtime-ubuntu20.04

# Input arguments
ARG USER_ID
ARG GROUP_ID
ARG USER_NAME
ARG USER_PASS

# environment variables
ARG DEBIAN_FRONTEND="noninteractive"
ENV TZ Europe/Belgium

# Install some basic utilities and clean up
RUN apt-get update && apt-get install -y \
    nano \
    ca-certificates \
    sudo \
    libx11-6 \
    openssh-server \
 && rm -rf /var/lib/apt/lists/*

# Create a sudo user
RUN groupadd --gid $GROUP_ID user
RUN useradd -rm -d /home/$USER_NAME -s /bin/bash --uid $USER_ID --gid $GROUP_ID -G sudo $USER_NAME
RUN usermod -aG sudo $USER_NAME
RUN echo $USER_NAME:$USER_PASS | chpasswd

# Start ssh service
RUN service ssh start
EXPOSE 22
CMD ["/usr/sbin/sshd","-D"]

Thanks!

Answer 1

I encountered problems like this recently when working on my own projects. This is caused by different UID/GID mapping when using Docker rootlessly.

I have a recent write-up on my blog detailing how to deal with rootless Docker issues such as these "Permissions denied" issues. Inheritance ACLs on the host are a viable solution (as also mentioned in this StackOverflow thread):

Start by installing the acl package if you do not already have it installed:

sudo apt install acl

Then let's always allow rwX permissions for current and future files in ./data for the user ubuntu:

sudo setfacl -Rm d:u:ubuntu:rwX,u:ubuntu:rwX ./data

(above example assumes Docker bind mount is a child of ./data)