Still not fully understanding linux file permissions and how they work with containers


PancakeBimmer

New Member
Apr 15, 2016
I am misunderstanding or simply not understanding something that is making it more confusing for me to understand how Linux file permissions work with containers when mapping volumes. So please correct me and add feedback as you see fit.

First, I understand that everything running in a docker container is running as root:root, unless some images allow you to specify a user and group. That means that every file and folder created is owned by root:root.

Now I create a group 39001 docker-storage, and add root and user accounts to it. Then I create the folder "/storage" and change its group ownership to the 39001 docker-storage group. So now when I create a folder or file in this directory it is owned by that account and the group ownership is 39001 docker-storage. Likewise, when the root user creates a file or folder in "/storage" from the console, the file/folder is owned by root but the group ownership stays 39001 docker-storage.

So I create a container for the unifi controller and map a folder to "/storage/unifi". If this folder is not created prior to the container's first startup, it will be owned by the root user and root group. I would have expected it to be root:docker-storage. I understand that the commands are coming from inside the container and it is not aware of group 39001. But why wouldn't it take the group ownership from the host?

If in the same example the folder /storage/unifi is created by a user in the docker-storage group, it is still owned by the docker-storage group. Then once the container is started for the first time it still has no problem accessing the folder, yet files and folders under it still get created and owned by root:root.

Running "chown root:docker-storage -R" on the unifi folder corrects that, and the container has no problem with access either. The only way to fix this that I am aware of is having the UID and GID specified on the docker container, but what if that is not an option?

What am I missing?

RTM

Well-Known Member
Jan 26, 2014
I am misunderstanding or simply not understanding something that is making it more confusing for me to understand how Linux file permissions work with containers when mapping volumes. So please correct me and add feedback as you see fit.

First, I understand that everything running in a docker container is running as root:root, unless some images allow you to specify a user and group. That means that every file and folder created is owned by root:root.
I am not so sure that is how it works, or at least how it generally works.
On my machine when I create /test, chown it to user1:user1 and create /test/test with root, /test/test stays as owned by root:root.
Now I create a group 39001 docker-storage, and add root and user accounts to it. Then I create the folder "/storage" and change its group ownership to the 39001 docker-storage group. So now when I create a folder or file in this directory it is owned by that account and the group ownership is 39001 docker-storage. Likewise, when the root user creates a file or folder in "/storage" from the console, the file/folder is owned by root but the group ownership stays 39001 docker-storage.

So I create a container for the unifi controller and map a folder to "/storage/unifi". If this folder is not created prior to the container's first startup, it will be owned by the root user and root group. I would have expected it to be root:docker-storage. I understand that the commands are coming from inside the container and it is not aware of group 39001. But why wouldn't it take the group ownership from the host?

If in the same example the folder /storage/unifi is created by a user in the docker-storage group, it is still owned by the docker-storage group. Then once the container is started for the first time it still has no problem accessing the folder, yet files and folders under it still get created and owned by root:root.

Running "chown root:docker-storage -R" on the unifi folder corrects that, and the container has no problem with access either. The only way to fix this that I am aware of is having the UID and GID specified on the docker container, but what if that is not an option?

What am I missing?
So... what I am getting at is that the behavior you may be seeing could be something OS dependent.
Meaning that because the base distribution inside the unifi container may be different from yours, you may be seeing a difference.

Of course if this does not explain your behavior, you may need to look into namespaces.
In short root inside your docker != root on your host OS
It can lead to annoying permissions issues.

casperghst42

Member
Sep 14, 2015
I think what you're looking for is the PUID and PGID environment variables (see "Understanding PUID and PGID"); they control which owner:group is being set on files on the docker host when you use filesystem mapping. If you use volumes then it doesn't really matter.

-e PGID=100

That will map whatever user is running the application in the docker container to GID 100 on the docker host.

In your case you should run your docker container with -e PGID=39001 - it should not be necessary to use -e PUID=1 for root (that happens automatically when you do not give it a value).

I only have a rudimentary understanding of this, but this should give you a chance to get what you want.
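A small host-side check, added here as an example and not code from the thread, covering both the PUID/PGID mapping casperghst42 describes and the group-inheritance question in the first post: it compares a bind-mounted directory's owner:group against the PUID:PGID the container will write as, reports whether the directory's setgid bit is set (the Linux mechanism by which new files take the directory's group rather than the creating process's primary group), and prints matching -e PUID/PGID arguments. The path /storage/unifi and the IDs 0 (root) and 39001 (docker-storage) in the comments are taken from the thread; the function names are this example's own.

```shell
# volume_owner_matches DIR PUID PGID
# Returns 0 when DIR is owned by exactly PUID:PGID, so the container process
# will own what it writes there and no other host account is granted access
# by accident; 1 on a mismatch; 2 if DIR does not exist.
volume_owner_matches() {
    dir=$1; puid=$2; pgid=$3
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    uid=$(stat -c '%u' "$dir")
    gid=$(stat -c '%g' "$dir")
    if [ "$uid" = "$puid" ] && [ "$gid" = "$pgid" ]; then
        return 0
    fi
    echo "mismatch: $dir is $uid:$gid but the container writes as $puid:$pgid" >&2
    return 1
}

# dir_group_inherits DIR
# Returns 0 when DIR carries the setgid bit (octal mode 2xxx, 3xxx, 6xxx or
# 7xxx). New files and subdirectories then take DIR's group instead of the
# creator's primary group, which is what keeps things under a shared tree in
# group docker-storage even when root (primary group root) creates them.
# Without it, root inside the container creates root:root entries.
dir_group_inherits() {
    mode=$(stat -c '%a' "$1")   # e.g. 2775 with setgid, 775 without
    case "$mode" in
        2???|3???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# suggest_run_env DIR
# Prints the -e PUID/PGID arguments that make the container write as DIR's
# current owner:group, e.g. "-e PUID=0 -e PGID=39001" for root:docker-storage.
suggest_run_env() {
    printf -- '-e PUID=%s -e PGID=%s\n' "$(stat -c '%u' "$1")" "$(stat -c '%g' "$1")"
}

# Example run against the thread's directory (the image name and container
# path are placeholders):
# volume_owner_matches /storage/unifi 0 39001 && echo "ownership ok"
# dir_group_inherits /storage/unifi || echo "no setgid: new files get the creator's primary group"
# docker run $(suggest_run_env /storage/unifi) -v /storage/unifi:/path/in/container IMAGE
```

Run the checks before the container's first start, since directories Docker creates for a missing bind-mount source are root:root with no setgid bit.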