Docker user inside and outside the container: what is matched (UID/GID)? Seeing effects that I don't understand

I am trying to understand how Docker works well enough to be reasonably sure I use it safely. One tip for this is to always use the USER statement in the Dockerfile. Trying to understand the effect of this, I ran into some problems.

Concrete questions:

  • What mechanism allows the host kernel to handle users that exist only in the container?
  • Why does run 2 below show the directory as belonging to testuser but not allow ls in the directory?
  • Why does run 3 below show the directory as owned by testuser?

Version information is at the bottom of this question.

Setup

I have the following Dockerfile

    FROM alpine@sha256:1354db23ff5478120c980eca1611a51c9f2b88b61f24283ee8200bf9a54f2e5c
    LABEL version 2.0
    LABEL description "Test image for setting user"
    RUN adduser -D testuser1   ## sometimes removed
    RUN adduser -D testuser2   ## sometimes removed
    RUN adduser -D testuser
    USER testuser
    CMD sh

I build it with

    docker build -t kasterma/testuser:1 .

and then run

    docker run -ti -v /home/kasterma/test-user/:/test-home kasterma/testuser:1

The directory /home/kasterma/test-user/ is the directory containing the Dockerfile.

Run 1: delete both lines labeled ## sometimes removed in the Dockerfile.

    [root@datalocal01 test-user]# docker run -ti -v /home/kasterma/test-user/:/test-home kasterma/testuser:1
    / $ ls -lh
    ...
    drwx------    2 1001     1001          40 Dec 30 14:08 test-home
    ...

The user and group are shown as 1001, which are the uid and gid of kasterma on the host. In this setup, testuser has uid and gid 1000.

And

    / $ cd test-home
    sh: cd: can't cd to test-home

Run 2: delete only the second line labeled ## sometimes removed in the Dockerfile.

    / $ ls -lh
    ...
    drwx------    2 testuser testuser      40 Dec 30 14:12 test-home
    ...

and

    / $ cd test-home
    /test-home $ ls
    ls: can't open '.': Permission denied

Now testuser and kasterma have the same uid and gid (although one is in the container and the other on the host). Why can I cd but not ls?

Run 3: do not delete either line labeled ## sometimes removed in the Dockerfile.

    / $ ls -lh
    ...
    drwx------    2 testuser testuser      40 Dec 30 14:15 test-home
    ...

and

    / $ cd test-home
    sh: cd: can't cd to test-home

Now testuser has uid and gid 1002, so it does not match kasterma. Yet the listing shows the directory as owned by testuser, and the cd fails.

Version Information

OS version (running on a virtual machine in VirtualBox)

    [root@datalocal01 test-user]# uname -a
    Linux datalocal01 3.10.0-514.2.2.el7.x86_64 #1 SMP Tue Dec 6 23:06:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

and for Docker

    [root@datalocal01 test-user]# docker version
    Client:
     Version:         1.10.3
     API version:     1.22
     Package version: docker-common-1.10.3-59.el7.centos.x86_64
     Go version:      go1.6.3
     Git commit:      3999ccb-unsupported
     Built:           Thu Dec 15 17:24:43 2016
     OS/Arch:         linux/amd64
    Server:
     Version:         1.10.3
     API version:     1.22
     Package version: docker-common-1.10.3-59.el7.centos.x86_64
     Go version:      go1.6.3
     Git commit:      3999ccb-unsupported
     Built:           Thu Dec 15 17:24:43 2016
     OS/Arch:         linux/amd64
1 answer

When SELinux is enabled on the host, you may not be able to access the contents of the file system if it is not labeled. From man docker-run:

Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Docker does not change the labels set by the OS. To change a label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that two containers share the volume content. As a result, Docker labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label. Only the current container can use a private volume.

So, instead of disabling SELinux, you can try

    docker run -ti -v /home/kasterma/test-user/:/test-home:Z kasterma/testuser:1

See Using volumes with Docker may cause SELinux problems for more details.

I tried your setup on my box (without SELinux and with Docker version 1.12.5): I always get ownership by "testuser" and I can change into the directory and list its contents (my local uid is 1000). So maybe your problem is with the older version of Docker.

If neither the older Docker version nor SELinux is the cause, the behavior you describe looks like User Namespaces.

Make sure your host kernel includes user namespaces (CentOS 7, which you seem to be using, does not include them by default).

See Using user namespaces in Docker, which describes how to enable user namespaces on CentOS 7 and how to verify the correct behavior.

For user namespace information, see several sites, for example:

An introduction to the user namespace in the Docker Engine

Docker security

User namespaces have arrived in Docker!

Docker for your users - Introducing user namespaces

You can find a clear description of permissions on Docker volumes before user namespaces were introduced (prior to Docker 1.10) on Deni Bertovic's blog - Handling permissions with docker volumes.

Hope this helps.
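As an added illustration (not code from either post) of the mechanism behind all three runs: the kernel only compares numbers, the name "testuser" comes from the container's own passwd file, and with user namespaces a container uid is first translated through uid_map. The passwd texts, the identity uid_map and the directory owner 1001 below are constructed inputs modelling the question.

```shell
#!/bin/sh
# Added example, not code from either post. The kernel checks only numeric
# UIDs/GIDs; a name such as "testuser" is whatever the container's own
# /etc/passwd maps that number to, and the host's mode bits are compared with
# the number the process runs as, after any user-namespace translation
# through /proc/<pid>/uid_map (lines of "inside outside count").

# Resolve a uid to a name from passwd-format text; falls back to the bare
# number, which is exactly what "ls" printed in run 1.
name_for_uid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$3 == u { print $1; f = 1 } END { if (!f) print u }'
}

# Translate a container uid to a host uid through uid_map text. Ids outside
# every range map to 65534, the kernel's overflow ("nobody") id.
map_uid() {
    printf '%s\n' "$2" | awk -v u="$1" '
        NF == 3 && u >= $1 && u < $1 + $3 { print $2 + (u - $1); f = 1; exit }
        END { if (!f) print 65534 }'
}

# Plain DAC check of one permission (r, w or x) on an object owned by uid $2,
# gid $3 with "ls -l" mode string $4, for a process running as uid $5, gid $6.
# Prints "allowed" or "denied"; uid 0 is deliberately not special-cased.
dac_check() {
    perm=$1 owner=$2 group=$3 mode=$4 uid=$5 gid=$6
    case $perm in r) off=0 ;; w) off=1 ;; x) off=2 ;; esac
    if   [ "$uid" -eq "$owner" ]; then start=2
    elif [ "$gid" -eq "$group" ]; then start=5
    else start=8; fi
    bit=$(printf '%s' "$mode" | cut -c $((start + off)))
    [ "$bit" = "$perm" ] && echo allowed || echo denied
}

# Constructed inputs: /test-home is drwx------ owned by 1001:1001 (kasterma)
# and no user namespace is active, so the identity map leaves ids unchanged.
IDENTITY_MAP="0 0 4294967295"
PASSWD_RUN1="root:x:0:0:root:/root:/bin/sh
testuser:x:1000:1000::/home/testuser:/bin/sh"
PASSWD_RUN2="root:x:0:0:root:/root:/bin/sh
testuser1:x:1000:1000::/home/testuser1:/bin/sh
testuser:x:1001:1001::/home/testuser:/bin/sh"

uid1=$(map_uid 1000 "$IDENTITY_MAP")   # run 1: testuser is 1000
echo "run 1: owner shows as $(name_for_uid 1001 "$PASSWD_RUN1"), cd $(dac_check x 1001 1001 drwx------ "$uid1" "$uid1")"
uid2=$(map_uid 1001 "$IDENTITY_MAP")   # run 2: testuser is 1001, like kasterma
echo "run 2: owner shows as $(name_for_uid 1001 "$PASSWD_RUN2"), cd $(dac_check x 1001 1001 drwx------ "$uid2" "$uid2")"
# Run 2 passes DAC, so the ls failure in that run comes from another layer
# (SELinux, as the answer explains), not from uid/gid matching.
```

With a real user namespace the map is no longer the identity, which is why a second `map_uid` call with a map such as "0 100000 65536" turns container uid 1001 into host uid 101001 and a host file owned by 1001 becomes unreachable.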


Source: https://habr.com/ru/post/1262084/
