docker-library/mongo

Rootless docker results in volumes/bind owned by "other" user

mtthw opened this issue · 1 comments

mtthw commented

As part of the entry script, the ownership of /data/configdb and /data/db is changed to belong to mongodb (id=999) and the script reruns itself as the mongodb user.

I am running rootless docker, as a non-privileged user.
I do not have root/sudo access on the machine.

I am currently mounting a directory with a 700 mask (drwx------).
Starting the mongo container results in the mounted directory ownership changing to uid 100998 on the host machine.
100998 comes from the uid offset introduced by rootless docker, see [1].

It is tedious to have to execute a command within the VM to give ownership back to the host user.
Such as:

chown -R root /data/db

This is coming about from using fscrypt[2][3] to encrypt the data being stored in mongo.
The file owner changing results in me needing to run bash on the mongo container to change the owner back, so I can unlock the directory and then start mongo properly.
Or having more permissive file permissions on my encrypted directory.

I am curious why mongod is not run as the root user within the container.

  • If it is to prevent privilege escalation, does running through rootless docker mitigate the need to run mongod as mongodb?
  • Or is running mongo with a modified entry script, that does not gosu to change user to mongodb, a bad idea?

The uid that 999 appears at on the host can change depending on the docker setup: no userns, userns mapping, rootless.
I could not find a way to get the uid 999 to map to the correct user.
Having directories that get mapped to odd uid, systemd-coredump, or adm took some debugging.

[1] https://medium.com/@tonistiigi/experimenting-with-rootless-docker-416c9ad8c0d6
[2] https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html
[3] https://github.com/google/fscrypt/

tianon commented

I wouldn't personally recommend relying on rootless containers alone to make running as root "safe", but YMMV. I would say it's probably safer than otherwise, but not a given.

If you are certain you want to run mongod as root from within our image, I would suggest bypassing our entrypoint script entirely (--entrypoint mongod). For your use case of wanting the container to run as a specific host user, however, I would instead suggest using --user (i.e., if your host user is uid 1000 and gid 1000, --user 1000:1000, which should "just work" on a normal rootful Docker daemon).
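A small helper, added here as an example and not part of the issue thread or the mongo image, that reproduces the uid arithmetic behind the 100998 in the report and the --user suggestion above: it assumes rootless Docker maps container uid 0 to the host user's own uid and container uid n (n >= 1) to subuid_start + n - 1 from that user's /etc/subuid entry (the line alice:100000:65536 and host uid 1000 are constructed sample values), and it also computes the inverse so you can see which container uid --user would need to land files on a given host uid.

```shell
#!/bin/sh
# Added example: uid mapping under rootless Docker (assumed model, see lead-in).
# A subuid line looks like "user:start:count", e.g. the constructed sample below.
SAMPLE_SUBUID_LINE="alice:100000:65536"   # constructed, not from the issue
SAMPLE_HOST_UID=1000                       # constructed host user uid

# host_uid <container_uid> <host_user_uid> <subuid_line>
# Prints the host uid a file owned by <container_uid> appears as,
# or "unmapped" when the container uid is outside the subuid range.
host_uid() {
    cuid=$1; huid=$2
    start=$(printf '%s\n' "$3" | cut -d: -f2)
    count=$(printf '%s\n' "$3" | cut -d: -f3)
    if [ "$cuid" -eq 0 ]; then
        printf '%s\n' "$huid"                 # container root == host user
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        printf '%s\n' $((start + cuid - 1))   # n-th subordinate uid
    else
        printf 'unmapped\n'
    fi
}

# container_uid <host_uid> <host_user_uid> <subuid_line>
# Inverse mapping: which container uid (for --user) ends up as <host_uid>.
# Prints "unmapped" if no container uid maps there.
container_uid() {
    want=$1; huid=$2
    start=$(printf '%s\n' "$3" | cut -d: -f2)
    count=$(printf '%s\n' "$3" | cut -d: -f3)
    if [ "$want" -eq "$huid" ]; then
        printf '0\n'                          # only container root maps here
    elif [ "$want" -ge "$start" ] && [ "$want" -lt $((start + count)) ]; then
        printf '%s\n' $((want - start + 1))
    else
        printf 'unmapped\n'
    fi
}

# Walk-through with the constructed values: mongodb (999) inside the container
# shows up on the host as 100998, matching the issue; container uid 1000 from
# "--user 1000:1000" would not be the host user but 100999.
host_uid 999  "$SAMPLE_HOST_UID" "$SAMPLE_SUBUID_LINE"    # → 100998
host_uid 1000 "$SAMPLE_HOST_UID" "$SAMPLE_SUBUID_LINE"    # → 100999
container_uid "$SAMPLE_HOST_UID" "$SAMPLE_HOST_UID" "$SAMPLE_SUBUID_LINE"   # → 0
```

Under this model the only container uid that lands files on the host user itself is 0, which is why the same --user trick that works on a rootful daemon does not give the expected owner under rootless Docker.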