Already discussed to death, boot2docker issue #581 (18 months ago) reported that docker volumes backed by the OSX disk will not allow writes if the user inside the docker container writing the file isn’t root, even with proper ownership set. We’ve looked at this before.
Several work-arounds have been proposed; I thought we could investigate the most promising one. The first step, however, is to:
Reproduce the issue
On OSX, using the latest version of Docker Toolbox, provision the affected environment:
A simple bash script helps us reproduce the behavior: mount a file in a docker volume with the proper permissions assigned, then attempt to write to it from inside the container as a non-root user.
Some of the paths may differ, depending on your OSX short account name. Running the script:
we see that the postgres user (id=70 on alpine:3.1) is denied write access to a file it owns on the ‘host’ system, mounted into the container through a docker volume.
Why? Recall that the ‘local path’ in a volume statement is misleading: the docker host is not the OSX machine but the VM provided by docker-machine. On OSX, docker-machine with the VirtualBox driver automatically creates a VBOXSF (VirtualBox shared folder) mount of the OSX user directory (/User/) at the same path (/User/) inside the VM filesystem, and the shared-folder layer scrambles ownership and permissions along the way.
Is the above test valid? As a control, we may run docker directly on a Linux host:
Solution: Convert VBOXSF to NFS?
docker-machine-nfs is a helper that converts the /User share from VBOXSF to NFS after provisioning. Set-up is simple:
And running our test reveals:
This didn’t change anything. Why? An NFS server defaults to mapping all UIDs from the client (the boot2docker VM) to the local account ‘-2’ (nobody) for security reasons. We trust the VM, so we overcome this with -maproot=0, instructing the OSX NFS server to map the VM’s root requests to our local root account. This will allow writes from the VM through the docker daemon.
To verify, we start over and re-run docker-machine-nfs with this option:
Success? Or wizardry that creates an all-you-can-eat buffet with respect to file permissions? To check:
Success! This is a great development for... well... local docker development.
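The reproduction, the docker-machine-nfs switch and the final permission check described above, as an added shell script that is not from the original post. It assumes a docker-machine named default, docker-machine-nfs on PATH with its --nfs-config flag, alpine:3.1 (where postgres is uid 70) and a scratch directory under the tree shared with the VM; it also tries an unrelated non-root uid (1000) after -maproot=0, since a real fix lets the owner write while still refusing everyone else.

```shell
#!/usr/bin/env bash
# Added example, not the post's script. Assumptions: docker-machine "default",
# docker-machine-nfs (with --nfs-config) on PATH, alpine:3.1 (postgres = uid 70),
# and SHARE_DIR somewhere inside the tree docker-machine shares with the VM.
SHARE_DIR="${SHARE_DIR:-$HOME/nfs-test}"
IMAGE="alpine:3.1"
TARGET="owned-by-70.txt"

# run_as UID DIR: append one line to DIR/$TARGET from a container running as
# UID, with DIR mounted at /data. The exit status is that of the write itself.
run_as() {
  docker run --rm -u "$1" -v "$2:/data" "$IMAGE" sh -c "echo hello >> /data/$TARGET"
}

# try_write DIR UID: print ALLOWED or DENIED according to the exit status of run_as.
try_write() {
  if run_as "$2" "$1"; then echo ALLOWED; else echo DENIED; fi
}

# verdict EXPECTED ACTUAL: PASS when the observed outcome matches the expectation.
verdict() {
  if [ "$1" = "$2" ]; then echo PASS; else echo "FAIL (expected $1, got $2)"; fi
}

# Create the file on the OSX side, owned by uid 70 and writable only by its owner
# (chown to a uid that is not ours needs sudo).
setup() {
  mkdir -p "$SHARE_DIR"
  : > "$SHARE_DIR/$TARGET"
  sudo chown 70 "$SHARE_DIR/$TARGET"
  chmod 0644 "$SHARE_DIR/$TARGET"
}

# The post's sequence: reproduce on VBOXSF, switch the share to NFS with -maproot=0,
# then confirm uid 70 can write while an unrelated non-root uid (1000) still cannot.
main() {
  setup
  echo "VBOXSF,      uid 70   expect DENIED:  $(verdict DENIED  "$(try_write "$SHARE_DIR" 70)")"
  docker-machine-nfs default --nfs-config="-alldirs -maproot=0"   # flag assumed from docker-machine-nfs
  echo "NFS maproot, uid 70   expect ALLOWED: $(verdict ALLOWED "$(try_write "$SHARE_DIR" 70)")"
  echo "NFS maproot, uid 1000 expect DENIED:  $(verdict DENIED  "$(try_write "$SHARE_DIR" 1000)")"
}

# The docker steps only run when invoked as: ./nfs-check.sh run
if [ "${1:-}" = run ]; then main; fi
```

If the last line reports ALLOWED for uid 1000, the share is mapping every client uid to root rather than only root, which is the buffet the post worries about.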