Rootless docker results in volumes/bind owned by "other" user
mtthw opened this issue · 1 comment
As part of the entry script, the ownership of /data/configdb and /data/db is changed to belong to mongodb (id=999), and the script reruns itself as the mongodb user.
I am running rootless docker, as a non-privileged user.
I do not have root/sudo access on the machine.
I am currently mounting a directory with a 700 mask (drwx------).
Starting the mongo container results in the mounted directory ownership changing to uid 100998 on the host machine.
100998 comes from the uid offset introduced by rootless docker, see [1].
It is tedious to have to execute a command within the VM to give ownership back to the host user.
Such as:
chown -R root /data/db
This is coming about from using fscrypt[2][3] to encrypt the data being stored in mongo.
The file owner changing results in me needing to run bash in the mongo container to change the owner back, so I can unlock the directory and then start mongo properly.
Or having more permissive file permissions on my encrypted directory.
I am curious why mongod is not run as the root user within the container.
- If it is to prevent privilege escalation, does running through rootless docker mitigate the need to run mongod as mongodb?
- Or is running mongo with a modified entry script, that does not gosu to change user to mongodb, a bad idea?
The uid that 999 appears at on the host can change depending on the docker setup: no userns, userns mapping, rootless.
I could not find a way to get the uid 999 to map to the correct user.
Having directories that get mapped to odd uids, systemd-coredump, or adm took some debugging.
[1] https://medium.com/@tonistiigi/experimenting-with-rootless-docker-416c9ad8c0d6
[2] https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html
[3] https://github.com/google/fscrypt/
I wouldn't personally recommend relying on rootless containers alone to make running as root "safe", but YMMV. I would say it's probably safer than otherwise, but not a given.
If you are certain you want to run mongod as root from within our image, I would suggest bypassing our entrypoint script entirely (`--entrypoint mongod`). For your use case of wanting the container to run as a specific host user, however, I would instead suggest using `--user` (ie, if your host user is uid 1000 and gid 1000, `--user 1000:1000`, which should "just work" on a normal rootful Docker daemon).