How to give non-root user in Docker container access to a volume mounted on the host
There's no magic solution here: permissions inside docker are managed the same as permissions without docker. You need to run the appropriate chown
and chmod
commands to change the permissions of the directory.
One solution is to have your container run as root and use an ENTRYPOINT
script to make the appropriate permission changes, and then your CMD
as an unprivileged user. For example, put the following in entrypoint.sh
:
#!/bin/shchown -R appuser:appgroup /path/to/volumeexec runuser -u appuser "$@"
This assumes you have the runuser
command available. You can accomplish pretty much the same thing using sudo
instead.
Use the above script by including an ENTRYPOINT
directive in your Dockerfile:
FROM baseimageCOPY entrypoint.sh /entrypoint.shENTRYPOINT ["/bin/sh", "entrypoint.sh"]CMD ["/usr/bin/myapp"]
This will start the container with:
/bin/sh entrypoint.sh /usr/bin/myapp
The entrypoint script will make the required permissions changes, then run /usr/bin/myapp
as appuser
.
There will throw error if host env don't have appuser
or appgroup
, so better to use a User ID instead of user name:
inside your container, run
appuser$ id
This will show:
uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)
From host env, run:
mkdir -p /some/folderchown -R 1000:1000 /some/folderdocker run -v /some/folder:/some/folder [your_container]
inside your container, check
ls -lh
to see the user and group name, if it's not root
, then it's should worked.
In the specific situation of using an image built from a custom Dockerfile, you can do the following (using example commands for a debian image):
FROM baseimage ... RUN useradd --create-home appuser USER appuser RUN mkdir /home/appuser/my_volume ...
Then mount the volume using
-v /some/folder:/home/appuser/my_volume
Now appuser
has write permissions to the volume as it's in their home directory. If the volume has to be mounted outside of their home directory, you can create it and assign appuser
write permissions as an extra step within the Dockerfile.