3

I want to run postgres inside a Docker container with a mounted volume. I am following the steps as described here. However, the container never starts. I think this is because the /var/lib/postgresql/data directory is owned by user postgres with uid 999, and group postgres with gid 999.

My understanding is that I need to create a user and group with the same uid and gid on my host (the name doesn't matter), and assign these permissions to the directory I am mounting on my host.

The problem is that the uid and gid are already taken on my host. I can rebuild the Docker image from the Dockerfile and modify the uid and gid values, but I don't think this is a good long term solution as I want to be able to use the official postgres images from Docker Hub.

My question is, if a container defines permissions that already exist on the host, how do you map permission from the host to the container without having to rebuild the container itself with the configuration from your environment?

If I am misunderstanding things or am way off the mark, what is the right way to get around this problem?

PCL

1 Answer

2

You are right about /var/lib/postgresql/data. When you run the container it changes, in the container, the owner of the files in that directory to user postgres (with user id 999). If the files are already present in the mounted volume, changing the ownership may fail if the user you run docker with does not have the right permissions. There is an excellent explanation about file ownership in docker here: Understanding user file ownership in docker.

My question is, if a container defines permissions that already exist on the host, how do you map permission from the host to the container without having to rebuild the container itself with the configuration from your environment?

I think what you might be looking for is docker user namespaces: Introduction to User Namespaces in Docker Engine. It allows you to fix permissions in docker volumes.

For your specific case, if you don't want the files in the mounted volume to have uid 999, you could just override the entrypoint of the container and change the uid of the user postgres.

docker run --entrypoint="bash" postgres -c 'usermod -u 2006 postgres; exec /docker-entrypoint.sh postgres'
b0gusb
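To make the user-namespace suggestion in the answer above concrete, the following added example (not part of the original answer) computes which host uid and gid the container's postgres ids (999:999) map to when the daemon runs with "userns-remap": "default". It assumes a single subordinate id range for the dockremap user; the sample subuid/subgid contents and the host directory path are constructed placeholders.

```shell
#!/bin/sh
# Added example: under Docker user-namespace remapping, container id N maps to
# host id START + N, where START comes from the remap user's name:start:count
# line in /etc/subuid (uids) or /etc/subgid (gids).
# Assumption: one range per user; only the first matching line is used.

# host_id_for CONTAINER_ID SUBID_FILE REMAP_USER
# Prints the host id. Returns 1 if the user has no entry, 2 if the id is
# outside the delegated range (such an id has no mapping in the container).
host_id_for() {
    awk -F: -v id="$1" -v user="$3" '
        $1 == user {
            found = 1
            if (id + 0 < $3 + 0) { print $2 + id; ok = 1 }
            exit
        }
        END { exit (ok ? 0 : (found ? 2 : 1)) }
    ' "$2"
}

# Constructed sample files in the /etc/subuid and /etc/subgid format.
# "dockremap" is the account Docker creates for "userns-remap": "default".
demo_dir=$(mktemp -d)
printf 'alice:165536:65536\ndockremap:100000:65536\n' > "$demo_dir/subuid"
printf 'alice:165536:65536\ndockremap:200000:65536\n' > "$demo_dir/subgid"

# 999:999 is the postgres user and group inside the image, as stated above.
uid=$(host_id_for 999 "$demo_dir/subuid" dockremap)
gid=$(host_id_for 999 "$demo_dir/subgid" dockremap)

echo "container 999:999 -> host $uid:$gid"
# Printed rather than executed; /path/to/host/pgdata is a hypothetical path.
echo "chown -R $uid:$gid /path/to/host/pgdata"

rm -rf "$demo_dir"
```

On a real host, pass /etc/subuid and /etc/subgid instead of the sample files. The resulting ids fall in a range reserved for the remap user, so they do not collide with an existing host account that already uses 999.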