
I'd like to map the user postgres or root inside a container to the user myuser on the host. There are a lot of references to this online, but it is not very clear to me how to achieve the following:

Is there a simple way to map an arbitrary user inside a container to a user on the host with a simple command-line flag at the docker run level?

Map root user inside container to myuser on host

docker run --user-remap "myuser:root" -p 6379:6379 redis:alpine

and

Map postgres inside container to myuser on host

docker run -it -p 5431:5432 --user-remap "myuser:postgres" --rm -v /home/myuser/data:/var/lib/postgresql/data postgres:9.6.0

I do not want to apply the same settings to all my containers. So doing this at the docker daemon level by applying

sudo docker daemon --userns-remap myuser

and updating /etc/passwd, /etc/group, /etc/subuid, /etc/subgid would not help solve my problem. Is there a way to solve this problem at the docker run stage, so that these settings can be applied on a container-by-container basis?

Thanks

alpha_cod
  • This post addresses part of this question: http://stackoverflow.com/questions/35291520/docker-and-userns-remap-how-to-manage-volume-permissions-to-share-data-betwee But I don't have an option to preset the uid/gid on the host in my scenario – alpha_cod Oct 19 '16 at 09:57

1 Answer

No, if you want to use user-namespaces, there's currently no way to remap the user for bind-mounted directories and files.

Basically, the issue you're running into is the exact goal of user namespaces: preventing a privileged user inside a container from getting access to files on the host. This protects you from a process that escapes the container doing damage on the host.

However, it looks like your goal is to give the postgres user access to files on your host which are owned by a local user. For that situation, there may be another approach: run the container with the same uid:gid as the user that owns the files on the host. This may require changes to the image (because some parts of the image are currently created with the postgres user, which currently has a different uid:gid; also see some information about this in this answer).

Currently, doing so with the postgres official image requires some manual changes, but a pull request was recently merged for the official postgres image that makes this work out of the box (see docker-entrypoint.sh#L30-L41)

You can find details in the pull request: https://github.com/docker-library/postgres/pull/253, and the associated documentation: https://github.com/docker-library/docs/pull/802. This change should be available soon, but in the meantime you can create a custom image that extends the official PostgreSQL image.

thaJeztah
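The two points in the answer above, as an added shell example that is not part of the question or the answer: first, under --userns-remap every container uid is shifted into the remapped user's subordinate range from /etc/subuid, so neither container root nor container postgres ever becomes the host user that owns a bind-mounted directory; second, the workaround is to run the container with --user set to the uid:gid that actually owns the host directory, and to check that ownership before starting. The subuid line ("myuser:100000:65536"), the directory paths and the image tag are constructed sample values, the script assumes GNU stat, and it only prints the docker run command instead of invoking Docker so it can be run on a host without it.

```shell
#!/bin/sh
# Added example, not from the question or answer above.
# Constructed /etc/subuid entry for the daemon's remapped user:
SUBUID_LINE="myuser:100000:65536"

# map_uid CONTAINER_UID
# Prints the host uid that CONTAINER_UID becomes under the sample subuid
# range (base + container uid). Fails if the uid is outside the range.
map_uid() {
    cuid=$1
    base=$(printf '%s' "$SUBUID_LINE" | cut -d: -f2)
    count=$(printf '%s' "$SUBUID_LINE" | cut -d: -f3)
    if [ "$cuid" -ge "$count" ]; then
        return 1
    fi
    echo $((base + cuid))
}

# owner_of DIR
# Prints "uid:gid" of DIR as the host kernel sees it (GNU stat; BSD/macOS
# would need: stat -f '%u:%g').
owner_of() {
    stat -c '%u:%g' "$1"
}

# remapped_user_owns CONTAINER_UID DIR
# Succeeds only if the host uid that CONTAINER_UID is remapped to is the
# owner of DIR. With a normal subuid range this never holds for a directory
# owned by a regular host user, which is the "no" in the answer above.
remapped_user_owns() {
    huid=$(map_uid "$1") || return 1
    [ "$(stat -c '%u' "$2")" = "$huid" ]
}

# check_bind_mount DIR UID:GID
# Succeeds if the user the container will run as (via --user) owns DIR.
# Run this before starting a container that bind-mounts DIR.
check_bind_mount() {
    [ "$(owner_of "$1")" = "$2" ]
}

# docker_run_as_owner DIR TARGET IMAGE
# Prints the docker run command that runs IMAGE as the owner of DIR, with
# DIR bind-mounted at TARGET. This is the --user approach from the answer;
# the image must tolerate an arbitrary uid (the PostgreSQL entrypoint
# change referenced above), otherwise initdb/chown inside it will fail.
docker_run_as_owner() {
    dir=$1; target=$2; image=$3
    ugid=$(owner_of "$dir")
    printf 'docker run --user %s -v %s:%s %s\n' "$ugid" "$dir" "$target" "$image"
}

# Usage on a host: the command printed will carry the same uid:gid that
# "$(id -u):$(id -g)" reports for the directory owner.
#   check_bind_mount /home/myuser/data "$(id -u):$(id -g)" && \
#       docker_run_as_owner /home/myuser/data /var/lib/postgresql/data postgres:9.6
```

The check is the piece a practitioner wants before the first start: if the bind-mounted directory is owned by someone other than the uid passed to --user, PostgreSQL will refuse to initialise the data directory, and no per-container remap flag exists to paper over that.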