I run a docker container in order to extract files from a source folder into a destination folder. The source folder resides in my user's home directory, so there is no problem reading from it or writing to it. The destination folder, on the other hand, is accessed only by a nonrootuser.

When I run the docker container as nonrootuser, I cannot write to the container's folders (permission denied). On the other hand, when I run the container as my user, I cannot write to the destination folder.

Setup

I build the image like this

docker build -t lftp .

based on the following Dockerfile:

Dockerfile

FROM debian:10
RUN apt-get update && apt-get -y upgrade
RUN apt-get -y install lftp dos2unix man
# Adding the scripts
COPY scripts /scripts
WORKDIR /work
# Adding the nonrootuser and his uid (`id -u nonrootuser`)
RUN useradd -u 47001 nonrootuser && mkhomedir_helper nonrootuser

Then I ran the container while binding the following volumes:

  • download_folder
  • destination_folder <-> this folder needs to be accessed by a nonrootuser
docker run -ti --rm --name=lftp_untar -u `id -u nonrootuser`:`id -g nonrootuser` -v ${download_folder}:/source -v ${destination_folder}:/target lftp bash /scripts/execute_untar.sh /source /target

Where:

execute_untar.sh

#!/bin/bash

source=$1
target=$2

# Quote the paths so that directories containing spaces are handled correctly.
if [ ! -d "$source" ]; then
  echo "Can't access $source"
  exit 1
fi

if [ ! -d "$target" ]; then
  echo "Can't access $target"
  exit 1
fi

if [ ! -w "$target" ]; then
  echo "Can't write to $target"
  exit 1
fi

# Then read files from the /scripts and /work folders
exclude_file=$(readlink -f /scripts/exclude.txt)
log_file=$(readlink -f untar.log)


yeaaaahhhh..hamf hamf
  • One of the major design goals of Docker is that containers can't read or write host files; you can work around it with bind mounts but it's awkward and there are potential issues like this. Would it make more sense to run this script directly on the host, not in a container? – David Maze May 03 '22 at 11:08
  • Is one of the permission checks you show failing? With which combination of `docker run -u` user IDs? Is that script missing a `tar` command; if it does, and it runs, what's the actual error it produces? – David Maze May 03 '22 at 11:10

1 Answer


The access-denied issue has to do with the fact that mounting the directories

-v ${destination_folder}:/target
-v ${download_folder}:/source

will require root permissions from the perspective of the container environment. Also take a look at Can I control the owner of a bind-mounted volume in a docker image?

I would suggest that when you run the container you mount the target and source folders under the nonrootuser home directory, in order to match their permissions. This way you will have the needed write access:

docker run -ti --rm --name=lftp_untar -u `id -u nonrootuser`:`id -g nonrootuser` -v ${download_folder}:/home/nonrootuser/source -v ${destination_folder}:/home/nonrootuser/target lftp bash /scripts/execute_untar.sh /home/nonrootuser/source /home/nonrootuser/target
Tolis Gerodimos
  • Yes. I checked the volumes that are mounted. I pass absolute paths and the files are in the container. I think the simplest solution is to copy everything into $HOME of nonrootuser. More or less what you wrote in your previous reply :) – yeaaaahhhh..hamf hamf May 03 '22 at 11:05
  • If it indeed works, let's roll with it. To also help future users. – Tolis Gerodimos May 03 '22 at 11:15
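As an added example (not part of the question or the answer), a small POSIX shell wrapper that derives the `-u` value for `docker run` from the owner of the destination folder instead of hard-coding a username, refuses to fall back to root when that owner is uid 0, and mounts the source read-only since the script only reads from it. The `lftp_untar` image name and the script path come from the question; `stat -c` assumes GNU coreutils, as on the Debian host the post implies.

```shell
#!/bin/sh
# Added example: build the docker run command for the lftp_untar container
# with --user taken from the destination directory's owner, so the uid inside
# the container always matches the uid that is allowed to write on the host.

# Print "uid:gid" of the directory's owner, or fail if it is not a directory.
owner_of_dir() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    stat -c '%u:%g' "$1"
}

# Echo (do not execute) the docker run command line for the given folders.
# The source is mounted read-only (:ro); the destination is writable.
build_run_cmd() {
    download_folder=$1
    destination_folder=$2
    user_spec=$(owner_of_dir "$destination_folder") || return 1
    # A destination owned by root would make the container run as root too;
    # refuse rather than silently escalate.
    case $user_spec in
        0:*) echo "refusing to run as root (destination owned by uid 0)" >&2; return 1 ;;
    esac
    printf 'docker run -ti --rm --name=lftp_untar -u %s -v %s:/source:ro -v %s:/target lftp bash /scripts/execute_untar.sh /source /target\n' \
        "$user_spec" "$download_folder" "$destination_folder"
}

# Usage: sh wrapper.sh /path/to/download_folder /path/to/destination_folder
if [ "$#" -eq 2 ]; then
    build_run_cmd "$1" "$2"
fi
```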