0

I want to mount a volume in the Docker container as a non-root user. I am using the following (k8s.yaml) -

volumeMounts:
  - name: volume-to-be-mounted
    mountPath: /location
volumes:
  - name: volume-to-be-mounted
    hostPath:
      path: path
      type: DirectoryOrCreate

This volume is mounted as root inside the container. But I want to mount it as non-root. Is there any way of doing this? I can also use https://docs.docker.com/storage/volumes/ but I want to mount the same volume on another container (in the same pod) as well.

Some of the solutions that come to mind but don't suit my use case -

  1. change the permissions of the directory in the entrypoint (not viable because the entrypoint will be run as a non-root user.)
  2. https://stackoverflow.com/a/39576814/9081810 I am using k8s.yaml to specify my requirements. I don't know how this solution will fit in.

Possible solutions that can work but I don't know how to do it -

  1. set permissions to 777 while mounting the volume.
user2851669
  • I'd expect the ConfigMap contents to be read-only (though can't find a statement to this effect in the documentation). Just so long as the active user can read the files there, does it actually matter what user owns them? – David Maze Mar 28 '19 at 11:11
  • I want to write in that specific location. Will remove the config map from the question. – user2851669 Mar 28 '19 at 12:02

3 Answers

3

If you're using Kubernetes you can use a security context and set the fsGroup value.

Example from the docs

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

If you're just using Docker ... well there's been an open issue since 2013

Graham
2

You can consider running an init container as the root user. Have the init container and the main container share the same volume. From the init container, update the ownership of the volume.

P Ekambaram
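The init-container approach from the answer above, applied to the question's hostPath volume and shared by two non-root containers. This is an added example, not code from the answer's author; the pod and container names, the busybox image, UID/GID 1000 and the host path are assumptions.

```yaml
# Added example: names, image, UID/GID and host path are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: shared-volume-demo              # hypothetical name
spec:
  securityContext:                      # default for every container in the pod
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
  volumes:
    - name: volume-to-be-mounted
      hostPath:
        path: /var/lib/example-data     # placeholder host directory
        type: DirectoryOrCreate
  initContainers:
    # Root only for this one step: hand the mount point to UID/GID 1000.
    - name: fix-ownership
      image: busybox:1.36
      command: ["chown", "1000:1000", "/location"]
      securityContext:
        runAsUser: 0                    # overrides the pod-level default
        runAsNonRoot: false
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
          add: ["CHOWN"]                # the only capability this step needs
      volumeMounts:
        - name: volume-to-be-mounted
          mountPath: /location
  containers:
    - name: writer                      # runs as UID 1000, writes to the volume
      image: busybox:1.36
      command: ["sh", "-c", "date > /location/from-writer && sleep 3600"]
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: volume-to-be-mounted
          mountPath: /location
    - name: reader                      # second container, same volume, same UID
      image: busybox:1.36
      command: ["sh", "-c", "sleep 5; cat /location/from-writer; sleep 3600"]
      securityContext:
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: volume-to-be-mounted
          mountPath: /location
```

Only the top-level directory is re-owned; files already present under it keep their existing owners.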
1

You want to mount the same volume on other container (in the same pod) as well.
I don't think you can do this.
The definition of pod is: A pod (as in a pod of whales or pea pod) is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
More detail: https://kubernetes.io/docs/concepts/workloads/pods/pod/

S.J