User permissions inside and outside of LXC containers

dockerlxcpermissionsusers

I'm running some services inside of Docker LXC containers on my server and I'm beginning to actually do serious things with them.

One thing I'm not clear on is how user permissions work inside and outside of the container. If, for example, I'm running MySQL in a container and have its data directory set to /data, which is a Docker volume, how do permissions inside and outside of the container affect access policies?

Obviously, the idea is to run MySQL as its own user in the container (ie mysql:mysql) and give it read and write rights to that directory. I assume that this would be fairly straightforward, just chmoding the directory, etc. But how does this work outside of the container? Now that I have this Docker shared volume called 'data,' how do I manage access control to it?

I'm specifically looking to be able to run an unprivileged user outside of the Docker container which will periodically access the MySQL shared volume and backup the data.

How can I setup permissions, users, and groups so that a specific user on the host can read/write files and folders in the Docker shared volume?

Best Answer

Since the release of 0.9 Docker has dropped LXC and uses its own execution environment, libcontainer. Your question's a bit old but I guess my answer still applies the version you are using.

Quick Answer: To understand the permissions of volumes, you can take the analogy of mount --bind Host-Dir Container-Dir. So to fulfill your requirement you can use any traditional methods for managing permissions. I guess ACL is what you need.

Long Answer: So as in your example we have a container named dock with a volume /data.

docker run -tid --name dock -v /usr/container/Databases/:/data \
    centos:latest /bin/bash

Inside the container our MySQL server has been configured to use the /data as its data directory. So we have our databases in the /data inside the container. And outside the container on the Host OS, we have mounted this /data volume from /usr/container/Databases/ and we assign a normal user bob to take backups of the databases. From the host machine we'll configure ACLs for user bob.

useradd -u 3000 bob
usermod -R o=--- /usr/container/Databases/
setfacl -R -m u:bob:rwx /usr/container/Databases/
setfacl -R -d -m u:bob:rwx /usr/container/Databases/

To test it out lets take a backup with user bob.

su - bob
tar -cvf container-data.tar /usr/container/Databases/

And tar will list out and you can see that our user was able to access all the files.

Now from inside the container if you check with getfacl you will notice that instead of bob it shows 3000. This is because the UID of bob is 3000 and there is no such user in the container so it simply displays the UID it receives from the meta data. Now if you create a user in your container with useradd -u 3000 bob you will notice that now the getfacl shows the name bob instead of 3000.

Summary: So the user permissions you assign from either inside or outside the container reflects to both environments. So to manage the permissions of volumes, UIDs in host machine must be different from the UIDs in the container.

Related Solutions

Subordinate GIDs/UIDs with LXC and userns for unprivileged user

Is it alright to create a user for those respective UIDs/GIDs on the host in order to have a more meaningful output for ls and friends?

Yes it is alright. However you must ensure that such user has no right over anything in the host system:

Disabled access or password,
No usable login shell,
No writeable home directory.

Be also sure to not create any duplicate in your user names.

Here is a sample script, taking the guest's /etc/passwd and /etc/group files to create the corresponding users in the host system. All names are prefixed with the container name, and all IDs are increased using the given value to match container's UIDs:

#! /bin/sh

# Path to guest's `/etc' directory.
guest_etc=/var/lib/lxc/mycontainer/rootfs/etc
# Guest's name, used as login prefix and inside GECOS field.
guest_name=mycontainer
# Increment to be applied to UIDs and GIDs (= range start).
uid_incr=100000
gid_incr=$uid_incr

guest_passwd=${guest_etc}/passwd
guest_group=${guest_etc}/group

exec <$guest_group
while IFS=":" read name pass gid null; do
    gid_new=$( expr $gid + $gid_incr )
    if ! getent group $gid_new >/dev/null; then
        addgroup --system --gid $gid_new "${guest_name}_${name}"
    fi  
done

exec <$guest_passwd
while IFS=":" read login pass uid gid gecos null; do
    uid_new=$( expr $uid + $uid_incr )
    gid_new=$( expr $gid + $gid_incr )
    if ! getent passwd $uid_new >/dev/null; then
        adduser --system --home /nonexistent --no-create-home \
            --shell /bin/nologin --uid $uid_new --gid $gid_new \
            --gecos "\"$guest_name container user (${gecos})\"" \
            "${guest_name}_${login}"
    fi  
done

The warnings regarding the inaccessible home directory are normal and expected: this is the actual purpose of /nonexistent to not exist.

is there a way to make those files/folder accessible to the host user who "owns" the userns, i.e. john in our case? And if so, is the only sensible method to create a group shared between those valid users inside the subordinate range and and the userns "owner" and set the permissions accordingly? Well, or ACLs, obviously.

This should really worth a separate question IMO.

Since the container's content is owned by different UIDs than the container owner UID, then it is not accessible to him. I can imagine an exception to this rule for subusers, but there is currently none I am aware of (I've created a related question a few time ago, but no answer yet).

The files /etc/subuid and /etc/subgid are currently only used by newuidmap(1) to allow or deny the switch from one UID/GID to another of a given process. It does not give the range owner any other right.

Therefore, the solution to such issue should be designed on a case-per-case basis. Beware however with you ACL idea: let's say you put some ACLs on the container's files to allow your host's UID 1000 to read them, this means that the container's user with container's UID 1000 will also have the same level of privilege...

Best Answer

Related Solutions

Subordinate GIDs/UIDs with LXC and userns for unprivileged user

Related Question