对已安装卷的Docker访问权限。 为什么它们属于根？

Question

I've set up Docker to run as a non-root user . Now I can start my containers as an ordinary user and I feel more comfortable.

me@machine:~$ docker run -it -v ~/test:/test alpine:3.6 sh
/ # touch /test/test1

Meanwhile on the host:

me@machine:~$ ls -l ~/test/
total 0
-rw-r--r-- 1 root root 0 Jul 31 15:50 test1

Why do the files belong to root ? How can I make them and all created files in the container belong to me ?

Interesting fact: This happens on Debian Linux. Contrary, doing the same on a Mac, the created files would belong to me .

Answer 1

Mac OS Docker and Linux Docker have lot of changes in behavior. So ignore that part. Focus on the side of Linux.

What you did using https://docs.docker.com/engine/installation/linux/linux-postinstall/#manage-docker-as-a-non-root-user basically just means that a non-root user has access to the docker group. Through that docker group you are able to execute docker command. But docker daemon is still running as root user.

That you can confirm by running

ps aux | grep dockerd

And when you do a volume mapping, the directory gets created by docker, which eventually has root user permission. What you are looking for has been launched very recently as Docker user namespaces . Please read the details on below URL

https://success.docker.com/KBase/Introduction_to_User_Namespaces_in_Docker_Engine

This will guide you how to run your docker containers with a mapped user instead of root. In short create/update /etc/docker/daemon.json file to have below content

/etc/docker/daemon.json

{
"userns-remap": "<a non root user>"
}

And restart the docker service. Now your docker containers inside will think they have root privileges but they would run as a non-root user on host