Docker Mount a Volume as Root

Is it possible to have a mount and volume in the same container using docker-compose?

~/logs:/app/logs/:rw

The directory ~/logs must be granted rw to 1000:1000 (appuser:appgroup) because this is an existing directory on the host.

other:/app/other/:rw

Named volume is created by docker on the host which is owned by root (except rootless mode). Use VOLUME to retain the permission set in Dockerfile:

FROM node:16-alpine
RUN apk add dumb-init
RUN addgroup appgroup && adduser -S appuser -G appgroup
RUN mkdir -p /app/logs && mkdir /app/other
WORKDIR /app/
COPY package*.json ./
RUN npm install
COPY . /app
RUN chown -R appuser:appgroup /app/
USER appuser
VOLUME /app/other

why is logs directory owned by node:node?

This user:group was created in the base image node:16-alpine.

Alternate method that solve similar issue, if it suits your need.

Mounted folder created as root instead of current user in Docker

At the moment, this is a recurring issue with no simple answer.

There are two common approaches I hear of.

First involves chowning the directory before using it.

RUN mkdir -p /home/jboss/myhub/logs ; chown -R jboss:jboss /home/jboss/myhub/logs
USER jboss

In case you need to access the files from your host system with a different user, you can chmod files that your app created inside the container with your jboss user.

$ chmod -R +rw /home/jboss/myhub/logs

The second approach, involves creating the files with appropriate chmod in Dockerfile (or in your host system) before running your application.

$ touch /home/jboss/myhub/logs/app-log.txt
$ touch /home/jboss/myhub/logs/error-log.txt
$ chmod 766 /home/jboss/myhub/logs/app-log.txt
$ chmod 766 /home/jboss/myhub/logs/error-log.txt

There certainly are more ways to achieve this, but I haven't yet heard of any more "native" solutions.
I'd like to find out an easier/more practical approach.

docker can not write on mounted volume with non-root user

Most propably the UID on your host for myuser does not match the UID for myuser inside the Container.

Solution

If you want to write from within your container into a directory of your host machine you must first create a myuser User on your host and check its UID via

$ sudo su - myuser -c "id"
uid=1000(myuser) gid=100(users) Gruppen=100(users)

In this example UID=1000 and GID=100.

Now you will need to create a Folder ~/log/nginx with owner/group of myuser on your host.

$ sudo mkdir ~/log/nginx
$ sudo chown myuser ~/log/nginx
$ sudo chmod -R 0700 ~/log/nginx/

Afterwards you can create a Dockerfile and your user with the same UID/GID.

RUN useradd myuser -u 1000 -g 100 -m -s /bin/bash
USER myuser

Now you should be able to write to your mounted volume with the specified user. You can check this via:

docker run -v $(pwd)/log/nginx:/var/log/nginx --rm -it mynginx:v1 /bin/bash

if you can now write to /var/log/nginx

How to give non-root user in Docker container access to a volume mounted on the host

There's no magic solution here: permissions inside docker are managed the same as permissions without docker. You need to run the appropriate chown and chmod commands to change the permissions of the directory.

One solution is to have your container run as root and use an ENTRYPOINT script to make the appropriate permission changes, and then your CMD as an unprivileged user. For example, put the following in entrypoint.sh:

#!/bin/sh

chown -R appuser:appgroup /path/to/volume
exec runuser -u appuser "$@"

This assumes you have the runuser command available. You can accomplish pretty much the same thing using sudo instead.

Use the above script by including an ENTRYPOINT directive in your Dockerfile:

FROM baseimage

COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
CMD ["/usr/bin/myapp"]

This will start the container with:

/bin/sh entrypoint.sh /usr/bin/myapp

The entrypoint script will make the required permissions changes, then run /usr/bin/myapp as appuser.

Creating/generating files in a mounted volume on docker container own to regular user and not to root

Solution: We need to run docker script on user scope and push the user attribute with user id and group id convention ("uid:gid" ).

example: run command in specific user sudo -iu john
and run docker-compose function:USER_INFO=$(id -u):$(id -g) docker-compose up --build --force-recreate -d

compose file structure:

version: '3.4'
services:
  app:
    image: ubuntu:latest
    command: /home/john/clone_repository_and_generate_reports.sh 
    volumes:
      - "/home/john/:/home/john/"
    environment:
      - NODE_ENV=production
    env_file:
      - ./.config.env
    user: "${USER_INFO}"

---

Related Topics