
How to give non-root user in Docker container access to a volume mounted on the host


There's no magic solution here: permissions inside docker are managed the same as permissions without docker. You need to run the appropriate chown and chmod commands to change the permissions of the directory.

One solution is to have your container run as root and use an ENTRYPOINT script to make the appropriate permission changes, and then run your CMD as an unprivileged user. For example, put the following in entrypoint.sh:

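    #!/bin/sh
    # Runs as root: hand the volume to the unprivileged user
    chown -R appuser:appgroup /path/to/volume
    # Replace this shell with the CMD, running as appuser
    exec runuser -u appuser -- "$@"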

This assumes you have the runuser command available. You can accomplish pretty much the same thing using sudo instead.

Use the above script by including an ENTRYPOINT directive in your Dockerfile:

    FROM baseimage
    COPY entrypoint.sh /entrypoint.sh
    ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
    CMD ["/usr/bin/myapp"]

This will start the container with:

/bin/sh entrypoint.sh /usr/bin/myapp

The entrypoint script will make the required permissions changes, then run /usr/bin/myapp as appuser.


This will throw an error if the host env doesn't have appuser or appgroup, so it's better to use a user ID instead of a user name:

Inside your container, run

appuser$ id

This will show:

uid=1000(appuser) gid=1000(appuser) groups=1000(appuser)

From host env, run:

    mkdir -p /some/folder
    chown -R 1000:1000 /some/folder
    docker run -v /some/folder:/some/folder [your_container]

Inside your container, check

ls -lh

to see the user and group name. If it's not root, then it should have worked.
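
An entrypoint in the spirit of the first two answers, written as an added example (not code from either answer): it re-owns the volume by numeric ID only when the top-level owner differs, refuses paths where a recursive chown as root would be destructive, and drops root with util-linux `setpriv` instead of `runuser` so no passwd entry is needed. `VOLUME_DIR`, `APP_UID` and `APP_GID` are assumed variable names, and the default of 1000 is taken from the `id` output above.

```shell
#!/bin/sh
# Added example. VOLUME_DIR, APP_UID and APP_GID are assumed names,
# set for instance with ENV in the Dockerfile or -e on docker run.

# Print "uid:gid" of a path (GNU coreutils / busybox stat syntax).
owner_of() {
    stat -c '%u:%g' "$1"
}

# Succeed only for paths that are reasonable chown -R targets.
# On a bind mount the chown also changes ownership on the host.
is_safe_volume() {
    case "$1" in
        *..*) return 1 ;;                          # no parent traversal
        /|/etc|/etc/*|/usr|/usr/*|/bin|/bin/*) return 1 ;;
        /proc|/proc/*|/sys|/sys/*|/dev|/dev/*) return 1 ;;
        /*) ;;                                     # absolute path: ok
        *) return 1 ;;                             # relative or empty
    esac
    [ -d "$1" ] && [ ! -L "$1" ]                   # real dir, not a symlink
}

# Succeed when the directory's owner differs from uid:gid ($2:$3).
needs_chown() {
    [ "$(owner_of "$1")" != "$2:$3" ]
}

main() {
    uid="${APP_UID:-1000}"
    gid="${APP_GID:-1000}"
    if ! is_safe_volume "$VOLUME_DIR"; then
        echo "entrypoint: refusing to chown '$VOLUME_DIR'" >&2
        exit 1
    fi
    # Skip the recursive walk when ownership is already correct.
    if needs_chown "$VOLUME_DIR" "$uid" "$gid"; then
        chown -R "$uid:$gid" "$VOLUME_DIR"
    fi
    # Drop root (and root's supplementary groups) before running CMD.
    exec setpriv --reuid="$uid" --regid="$gid" --clear-groups -- "$@"
}

# Only act when a volume path was configured.
if [ -n "${VOLUME_DIR:-}" ]; then
    main "$@"
fi
```
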


In the specific situation of using an image built from a custom Dockerfile, you can do the following (using example commands for a Debian image):

    FROM baseimage
    ...
    RUN useradd --create-home appuser
    USER appuser
    RUN mkdir /home/appuser/my_volume
    ...

Then mount the volume using

-v /some/folder:/home/appuser/my_volume

Now appuser has write permissions to the volume as it's in their home directory. If the volume has to be mounted outside of their home directory, you can create it and assign appuser write permissions as an extra step within the Dockerfile.