Fixing Docker Permissions

Fixing permissions for Docker

The post “Handling Permissions with Docker Volumes” explains clearly the problem: when you run a docker container bound to a directory, all files are accessed/written with the UID of the docker user.

For instance, let us bind our ~/temp directory to the /data directory inside the container, and create the file /data/test inside the container with:

docker run -it -v ~/temp:/data ubuntu:16.04 "touch" "/data/test"

Then ls -lhF ~/temp gives:

total 8,0K
-rw-r--r-- 1 root root 0 set 4 19:23 test

because the command touch has been run with UID 0 inside the container. Usually, I want to run a container with my UID, so that running a container is undistinguishable from running any other program. The first element of the solution is the gosu package that must be installed via the Dockerfile command: RUN apt-get update && apt-get install -y gosu.

The second element is a trivial script gosu.sh that computes the UID and GID of the owner of the /data directory inside the container and runs the program with that UID/GID. The gosu.sh for our HapCHAT program is:

#!/bin/bash
# Add local user
# with the same owner as /data
USER_ID=$(stat -c %u /data)
GROUP_ID=$(stat -c %g /data)
 
echo "Starting with UID:GID $USER_ID:$GROUP_ID"
groupadd -g "$GROUP_ID" group
useradd --shell /bin/bash -u "$USER_ID" -g group -o -c "" -m user
export HOME=/
chown --recursive "$USER_ID":"$GROUP_ID" /HapCHAT
 
exec gosu user "$@"

Copying and running that file is achieved with the following snippet of the Dockerfile

COPY gosu.sh /usr/local/bin/gosu.sh
ENTRYPOINT ["/usr/local/bin/gosu.sh"]
CMD ["/usr/bin/snakemake"]

TL,DR

We can run a docker container with the unprivileged permissions of our users with a simple script and a change to the Dockerfile. You can find the files at https://github.com/AlgoLab/HapCHAT/tree/master/docker