3

I'm trying to run a simple command with docker that reads a file in my home directory and writes an output file in the same directory on my local machine (/home/userxyz/projects/data). The data folder belongs to me (userxyz) and my group, which has the same name (userxyz), with R/W permissions.

I built an image with a Dockerfile like so (following How to add users to Docker container?):

FROM osgeo/gdal:alpine-small-latest

RUN mkdir /usr/tmp

RUN addgroup -S userxyz \
  && adduser -S -D -h /usr/tmp userxyz userxyz \
  && chown -R userxyz:userxyz /usr/tmp

USER userxyz

WORKDIR /usr/tmp

and:

docker build -t userxyz/test .

I ran docker with:

docker run --rm -v /home/userxyz/projects/data:/usr/tmp userxyz/test gdal_translate -ot UInt32 /usr/tmp/input.tif /usr/tmp/output.tif

However, I still get:

ERROR 4: Attempt to create new tiff file `/usr/tmp/output.tif' failed: Permission denied

It works when I only read the file:

docker run --rm -v /home/userxyz/projects/data:/usr/tmp userxyz/test gdalinfo /usr/tmp/input.tif

Any idea what could be wrong with the writing permissions?

EDIT: when opening the data folder to read/write for "Others", the file is correctly created by user#500100, so I guess it's something with username attribution? How can I make it so that the file is created by userxyz and not user#500100?

Marc

2 Answers

2

Although you set the same user & group in the Dockerfile with userxyz:userxyz, the host rootfs & container rootfs are 2 different rootfs. This means the UID & GID for the same username/group name can still be different.

As a result, just copying the username and group name is not enough; you also need to copy the UID and GID, something like the following:

Dockerfile:

FROM ubuntu:16.04

ARG UID
ARG GID

RUN groupadd -g $GID userxyz
RUN useradd -m -u $UID -g $GID -s /bin/bash userxyz

Build command:

docker build -t abc:1 --build-arg UID=`id userxyz -u` --build-arg GID=`id userxyz -g` .

Explanation:

id userxyz -u & id userxyz -g get the UID/GID on the host and pass them to the build container; docker build then uses them to set the same UID/GID as the host for userxyz. This will ensure that in the container you have the same permissions as on the host.

atline
1

You must add the user to your group based on the group ID, not on the group name. User and group names are isolated in the container, so it won't work.

You can find the group ID in the /etc/group file, using this command on the host machine:

cat /etc/group | grep userxyz

Once found, you add the user to the group in the Dockerfile:

FROM osgeo/gdal:alpine-small-latest

RUN mkdir /usr/tmp

# Alpine's BusyBox provides addgroup, not groupadd
RUN addgroup -g $GID userxyz \
  && adduser -S -D -h /usr/tmp userxyz userxyz \
  && chown -R userxyz:userxyz /usr/tmp

USER userxyz

WORKDIR /usr/tmp

where you replace $GID by the group ID.

Rémi Chauvenne
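Both answers rest on the same point: write access to the bind-mounted directory is decided by numeric UID/GID, not by names. The following is an added example, not code from either answer; it resolves userxyz against constructed host and image passwd entries and applies the owner/group/other write check. The ID values (1000:1000 on the host, 100:101 in the image), the directory mode and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample data: the same user name maps to different numeric IDs
# on the host and inside the image (values are illustrative assumptions).
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
userxyz:x:1000:1000::/home/userxyz:/bin/bash'
IMAGE_PASSWD='root:x:0:0:root:/root:/bin/ash
userxyz:x:100:101:Linux User,,,:/usr/tmp:/sbin/nologin'

# ids_for NAME PASSWD_TEXT -> prints "UID:GID" for NAME, or nothing if absent.
ids_for() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3 ":" $4 }'
}

# write_access PROC_UID PROC_GID DIR_UID DIR_GID OCTAL_MODE
# Simplified discretionary access check on a directory: pick the permission
# class by numeric ID, then test that class's write bit. Supplementary groups,
# ACLs, root (UID 0) and user-namespace remapping are deliberately ignored.
write_access() {
    mode=$((0$5))
    if [ "$1" -eq "$3" ]; then
        class=owner; bit=$(( (mode >> 7) & 1 ))
    elif [ "$2" -eq "$4" ]; then
        class=group; bit=$(( (mode >> 4) & 1 ))
    else
        class=other; bit=$(( (mode >> 1) & 1 ))
    fi
    if [ "$bit" -eq 1 ]; then echo "$class:writable"; else echo "$class:denied"; fi
}

# check_mount NAME PASSWD_TEXT DIR_UID DIR_GID OCTAL_MODE
# Resolve NAME in the given passwd text, then check it against the directory.
check_mount() {
    ids=$(ids_for "$1" "$2")
    if [ -z "$ids" ]; then echo "unknown-user"; return 1; fi
    write_access "${ids%%:*}" "${ids##*:}" "$3" "$4" "$5"
}

# Host directory assumed to be owned by 1000:1000.
echo "name-only image, mode 775:  $(check_mount userxyz "$IMAGE_PASSWD" 1000 1000 775)"
echo "name-only image, mode 777:  $(check_mount userxyz "$IMAGE_PASSWD" 1000 1000 777)"
echo "IDs matched to host, 775:   $(check_mount userxyz "$HOST_PASSWD" 1000 1000 775)"
```

On a real system the directory values come from stat on the host path and the image values from id userxyz run inside the container.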