
Docker host-mounted volume permissions

In our internal testing environment we provision CentOS VMs from a vSphere-based server. The images are vanilla 7.1 with packages and associated configuration to support authentication via LDAP. I have Docker 1.13.1 installed with OverlayFS driver on an xfs filesystem.

FROM centos:7
RUN useradd dockeruser
USER dockeruser
VOLUME /data

On the host:

mkdir data
echo "hello from host" > data/host-msg.txt
docker run -ti --rm -v $(pwd)/data:/data testimage bash

Inside the container:

echo "hello from container" > /data/container-msg.txt
bash: /data/container-msg.txt: Permission denied

Listing the directory contents inside the container:

drwxr-xr-x   2 12345 13000    25 Feb 12 21:36 data
drwxr-xr-x   5 root  root    360 Feb 12 21:36 dev
drwxr-xr-x   1 root  root     62 Feb 12 21:36 etc

The data directory shows the ownership in uid/gid format rather than username/groupname.

I have read many articles and questions describing this behavior and various strategies to work around it.

But on my local Fedora 25 development system I get none of this behavior. I perform the procedure above, am able to write to the host-mounted /data mount, and the directory listing displays username/groupname.

/
    drwxrwxr-x   2 dockeruser dockeruser  4096 Feb 12 04:36 data
    drwxr-xr-x   5 root       root         360 Feb 12 22:00 dev
    drwxr-xr-x   1 root       root        4096 Feb 12 22:00 etc

/data
    -rw-rw-r--   1 dockeruser dockeruser    21 Feb 12 22:04 container-msg.txt

To make everything as similar as possible to the lab configuration I stood up a CentOS 7.1 VM on my dev system via libvirt and again got the same results -- no messing with uid/gid mapping, user namespaces, nothing. Writing to the host mounted volume from inside the container Just Worked, out of the box.

What could possibly account for this behavior? Is the LDAP on the lab VM somehow introducing permission issues at the filesystem level? is there something specific I could ask our ops team to either inspect or temporarily disable to try and troubleshoot this issue?

Finally and perhaps most important, if permissions issues on host-mounted volumes don't seem to be issues at all for me either on a clean CentOS or Fedora Workstation then why does it still continue to be a thing in the Docker community? Is there some configuration in these setups that is so fundamentally different from what everyone else is using (my team's lab VMs included) that things just work?

The data directory shows the ownership in uid/gid format rather than username/groupname.

This is because your container does not have a mapping for this uid/gid (check /etc/passwd). In fact, the actual files always have a uid/gid. It's just a function of the application/OS to give back the names. Try to stat the path from inside/outside the container. They should have the same uid/gid:

stat /data
stat /path/on/host
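Added example, not part of the question or the answer: a small POSIX shell diagnostic for the check the answer suggests, comparing the numeric owner and mode bits that stat reports with the uid/gid the container process runs as. It assumes GNU stat; the container uid 1000 used in the demo is an assumed value for the dockeruser account, and the temporary directory stands in for the host's ./data.

```shell
#!/bin/sh
# Diagnostic for the bind-mount case above. A file carries only a numeric uid/gid;
# "dockeruser" or "12345" is whatever /etc/passwd the listing process can see,
# so the check below compares numbers, never names. Assumes GNU stat (-c).

# Numeric owner uid, gid and octal mode of a path (run on the host or in the container).
describe_path() {
    stat -c '%u %g %a' "$1"
}

# Which permission class lets a process with uid=$2, gid=$3 (supplementary groups
# ignored) write to $1: prints owner, group, other or none. Only the classic mode
# bits are consulted, so ACLs and SELinux labels are outside its verdict.
write_access() {
    path=$1 uid=$2 gid=$3
    owner=$(stat -c '%u' "$path")
    group=$(stat -c '%g' "$path")
    mode=$(stat -c '%a' "$path")
    mode=${mode#"${mode%???}"}          # keep the last three digits (drop setuid/setgid/sticky)
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    if [ "$uid" -eq "$owner" ]; then
        [ $((u & 2)) -ne 0 ] && echo owner || echo none
    elif [ "$gid" -eq "$group" ]; then
        [ $((g & 2)) -ne 0 ] && echo group || echo none
    else
        [ $((o & 2)) -ne 0 ] && echo other || echo none
    fi
}

# Demo: the current user stands in for the host (LDAP) user that owns ./data with
# mode 755; uid/gid 1000 is an assumed value for dockeruser created by useradd in
# the centos:7 image. A uid the host does not own the directory under lands in
# the group or other class, and on 755 only the owner class carries the write bit.
demo() {
    d=$(mktemp -d)
    chmod 755 "$d"
    echo "host view (uid gid mode):       $(describe_path "$d")"
    echo "container uid 1000 on mode 755: $(write_access "$d" 1000 1000)"
    echo "owning uid on mode 755:         $(write_access "$d" "$(id -u)" "$(id -g)")"
    chmod 775 "$d"
    echo "uid 1000 sharing the gid, 775:  $(write_access "$d" 1000 "$(stat -c %g "$d")")"
    rmdir "$d"
}

demo
```

Run it on the host with the container's uid (from `id -u` inside the container) and on the host directory you mount; when the verdict is `none`, the denial seen in the container follows from the numeric ownership alone.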
