Files Written to Mounted Host Directory Owned by Root User #594
Comments
@osterman @sboardwell It would require further customization of the launch script, so that on Linux we mount
Co-authored-by: osterman <[email protected]>
I'd like to propose this solution (please advise if this is universal enough):

Dockerfile additions:

```dockerfile
# Create an unprivileged user whose UID/GID (1000) match the usual first
# Linux host user, so files written to the bind mount belong to that host user.
RUN \
    groupadd -g 1000 geouser && \
    useradd -d /conf -G sudo -g geouser -u 1000 geouser && \
    # The sudo-group line in /etc/sudoers is usually "%sudo<whitespace>ALL=(ALL:ALL) ALL";
    # match any run of whitespace (not just one character) and grant passwordless sudo.
    sed -i 's/sudo[[:space:]]\+ALL=(ALL:ALL) ALL/sudo ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers && \
    chown -R 1000:1000 /conf /home && \
    # World-writable, but keep the sticky bit (1777) so users cannot remove each other's files.
    chmod 1777 /var/tmp
```
@drmikecrowe wrote:
@drmikecrowe If you would be willing, I would prefer you try the BindFS solution I proposed and let us know how that goes. Steps:
My hope is that this will solve all the file ownership problems and not get hung up on whatever the host UID and GID are, while also not requiring any further changes to Geodesic.
@drmikecrowe OK, I have not been able to reproduce and fix the problem, so I need more information from you. This is not an issue with Docker v20 on Ubuntu (tested on 20.04 LTS) when running in rootless mode. As with macOS, this configuration correctly translates file ownership between the root UID and GID inside the container to the user's UID and GID on the host. When running Docker as root, and launching Geodesic using How are you launching Geodesic? Are you able to find the non-root user's UID, GID, and $HOME?
I add my user to the I'm wondering if we should simply point users to rootless mode...
@drmikecrowe We definitely should be pointing users to rootless mode. Unfortunately, our current install procedure does not work in rootless mode, because the non-root user cannot install the
@Nuru -- what about:
Thoughts?
@drmikecrowe I do not like the security implications of running other people's scripts as root, and to me it's even worse when a script asks for your password in the middle of running, as you really have no idea what it's doing: maybe it's going to Tweet your password to the world. So I don't want to execute An alternative would be to install the script in
@Nuru -- I'd recommend
@drmikecrowe Please try release candidate v0.152.0-rc2 and report issues in #771
@drmikecrowe Feel free to try both, but if you are going to try only one, please try ARG VERSION=0.152.0-rc2
Since this is a pretty common issue across different container runtimes, underlying VMs, mount types -- one note for any fellow colima users out there: be sure to change from your
Issue description:

## what

Geodesic runs as `root` inside the container and mounts the host's `$HOME` to `/localhost` to provide access to configuration files and allow for editing of host files from within Geodesic. Files created in `/localhost` from within Geodesic will be set to the same owner UID and GID (that is, owned by `root`) on the host as they have within Geodesic.

This is a problem when Docker runs as `root` under Linux or Windows Subsystem for Linux (WSL). It does not affect Docker for Mac, nor does it affect Docker for Linux when run in "rootless" mode.

## Resolution

The recommended solution for Linux users is to run Docker in "rootless" mode. In this mode, the Docker daemon runs as the host user (rather than as `root`) and files created by the `root` user in Geodesic are owned by the host user on the host. Not only does this configuration solve this issue, but it provides much better system security overall.

Geodesic, as of v0.151.0, provides an alternative solution: BindFS mapping of file owner and group IDs. To enable this solution, either set (and export) the shell environment variable `GEODESIC_HOST_BINDFS_ENABLED=true` or launch Geodesic with the command line option `--geodesic-host-bindfs-enabled`. When this option is enabled, Geodesic will print a notice among its startup messages. Note that if you enable BindFS mapping while running in "rootless" mode, it will actually cause files on the host to be created with a different owner and group, not root and not the host user. If you see this behavior, do not use BindFS mapping.
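The ownership problem and both remedies described above (rootless Docker, or BindFS owner mapping) can be checked from the host with the following script. It is an added example written for this page, not Geodesic's own launch script or wrapper. It assumes a Linux host with GNU `stat`, that the host directory is mounted at `/localhost` inside the container as the issue states, and the `--map=user1/user2:@group1/@group2` syntax documented in bindfs(1); the `alpine:3` probe image and the `/localhost.src` mount-point name in the advice text are illustrative choices, not Geodesic's.

```shell
#!/usr/bin/env sh
# Preflight check for root-owned files on a bind-mounted host directory.
# Added example, not Geodesic code. Run as the ordinary host user, not via sudo
# (otherwise "host uid" is 0 and the comparison is meaningless).
set -e

# Classify the daemon from `docker info --format '{{.SecurityOptions}}'`.
# A rootless daemon advertises "name=rootless"; there, container root already
# maps to the host user and no extra mapping is wanted.
classify_docker_mode() {
    case "$1" in
        *name=rootless*) echo rootless ;;
        *)               echo rootful ;;
    esac
}

# bindfs --map argument (syntax per bindfs(1)): host UID/GID $1/$2 appear as
# root (0/0) inside the mount, and files root creates are chowned back to $1/$2.
bindfs_map_arg() {
    printf '%s' "--map=$1/0:@$2/@0"
}

# Numeric owner UID of a path, or "?" if it does not exist (GNU stat; use
# `stat -f %u` on BSD/macOS).
owner_uid() {
    if [ -e "$1" ]; then stat -c %u "$1"; else echo '?'; fi
}

# Exit status 0 when the file belongs to the invoking host user, 1 otherwise.
owned_by_host_user() {
    [ "$(owner_uid "$1")" = "$(id -u)" ]
}

# Turn (daemon mode, "owned"|"foreign") into actionable advice. The rootless +
# foreign case is the failure mode the issue warns about: BindFS mapping layered
# on a rootless daemon yields a third owner, neither root nor the host user.
advise() {
    case "$1:$2" in
        *:owned)    echo "ok: files written from the container belong to the host user" ;;
        rootless:*) echo "rootless daemon but wrong owner: disable BindFS mapping (GEODESIC_HOST_BINDFS_ENABLED)" ;;
        *)          echo "root-owned files: run Docker rootless, or remount with: bindfs $(bindfs_map_arg "$(id -u)" "$(id -g)") /localhost.src /localhost" ;;
    esac
}

# Live probe: write one file from a throwaway container into a temp dir mounted
# the way Geodesic mounts $HOME, then inspect the owner on the host.
probe_ownership() {
    mode=$(classify_docker_mode "$(docker info --format '{{.SecurityOptions}}')")
    dir=$(mktemp -d)
    docker run --rm -v "$dir:/localhost" alpine:3 touch /localhost/probe
    if owned_by_host_user "$dir/probe"; then state=owned; else state=foreign; fi
    echo "docker mode: $mode; probe file uid: $(owner_uid "$dir/probe"); host uid: $(id -u)"
    advise "$mode" "$state"
    # The host user owns $dir, so a root-owned probe file can still be unlinked.
    rm -rf "$dir"
}

if [ "${1-}" = "--probe" ]; then probe_ownership; fi
```

Run it as `sh ownership-check.sh --probe` on the Linux host; the probe needs a working Docker CLI and pulls `alpine:3` once. The helper functions have no Docker dependency and can be sourced into a launch wrapper to decide whether to pass the BindFS option at all.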