Docker: how to control the ownership of created files

Unread post by hlubovac » Mon Nov 06, 2017 3:41 am

Hello -

I have DS916+ with DSM 6.31.3-15152 (newest, as of today) with Docker installed via Package Center.

I'm going to skip details that I think are irrelevant. I wrote an app that, from within a Docker container, via mounted volumes, moves files from one location within my unit to another. The owner (file > properties) of the original files (at the source) is one of the registered user accounts, which is expected. Docker container/app runs as problem is that the files that

Unread post by hlubovac » Thu Nov 09, 2017 6:13 pm

* Gee, thanks, moderator, for truncating my original post. That was very helpful. No wonder nobody replied.

Hello, Synology community!

I'm a newbie. Just got DS916+ recently, and it is now running DSM 6.31.3-15152. I installed docker on it, with the intention to run a custom app that I wrote, which is supposed to organize files. So, its job is to move a file owned by one user (file > properties) to another part of the disk.

Let's call my docker container "mycon" and the app that it is hosting "myapp".

I don't see any settings within docker/container UI related to setting up which user-account would run mycon and/or myapp. I determined (during runtime > stdout) that mycon/myapp got assigned this "made up" user named "mycon\root". Now, after myapp moves the file where I want it to be, the owner of the file gets to be "root" (another non-existing user account), which poses problems, because users already configured with access to destination shared folder don't see that file (until I manually either propagate permissions or change the owner, using the built-in admin account).

So, my question is, how is this supposed to work? Is there a "secret" setting somewhere related to who runs mycon and myapp (I'd prefer this solution)? Or, is the solution for myapp to execute some system command to change owner and/or permissions of files that are moved (I'd rather not head this direction)? Or, is there another designed solution for this? Perhaps there is some convention within DSM and Docker related to which user-account runs containers (e.g. if I had one with some special name, maybe DSM would "tell" docker to use that one)?

I can't be the first one with this problem. How do other docker containers go about this? Anyone?

Thank you.
Hari

Unread post by sincarne » Fri Nov 10, 2017 2:12 am

Look at the Docker Hub page for the app you use. It should say how to set the user. If it does not say, then it is a poor application. Use another one instead.

Unread post by hlubovac » Sat Nov 11, 2017 2:33 pm

Thanks, but that's not it - but I figured it out in the meantime.

What you said wasn't it - because, I'm the one researching how to properly create (write) an app that runs in a docker container. In other words, I wrote that app, and I packaged it docker-compliant - and now I'm trying to find out what's the proper way to change ownership of files that the app creates.

I was able to solve my problem by executing chown command after the file-copy operation. I'm not sure that I understand this completely, but the only difficulty with that approach is that docker-container references users by UID, while DSM references them by name. In other words, this does it for me:

via telnet (and, I'm assuming, SSH):
chown myuser file-path

from within docker-container:
chown 2020 file-path

So, "2020" is the UID for user "myuser". And, to find out the UID for a user (since that's not displayed anywhere within DSM, that I can see), execute this within telnet connection/client:
id -u myuser
This prints
2020

It appears that Docker containers aren't given access to the user-list. When I execute commands referencing DSM usernames from within the docker-container, I'm getting a "no such user" error, while the same commands work when I supply UIDs. That seems okay though: I'm glad docker-containers can't get such information.

So, for the lack of better solution, I'll have 2020 passed to the container via configuration. Hopefully, this helps the "next guy".
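
The chown-after-move approach from the post above, as an added example (not hlubovac's own code): the owner arrives as numeric IDs, anything non-numeric or 0 is rejected, and `chown -h` is used so that a symlink sitting in the shared folder is changed itself rather than followed. The function names and argument order are assumptions.

```shell
#!/bin/sh
# Added example: move a file, then hand it to a numeric UID:GID supplied by
# configuration. Function names and argument order are hypothetical.

# Accept only plain decimal IDs; refuse 0 so the result is never root-owned.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ne 0 ]
}

# move_with_owner SRC DEST_DIR UID GID
move_with_owner() {
    src=$1 dest_dir=$2 uid=$3 gid=$4
    valid_id "$uid" || { echo "bad uid: $uid" >&2; return 64; }
    valid_id "$gid" || { echo "bad gid: $gid" >&2; return 64; }
    # Only regular files: a symlink as source is refused outright.
    [ -f "$src" ] && [ ! -L "$src" ] || { echo "not a regular file: $src" >&2; return 65; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 66; }

    dest=$dest_dir/$(basename -- "$src")
    mv -- "$src" "$dest" || return 1
    # -h: change the link itself, never the file a symlink points at.
    chown -h -- "$uid:$gid" "$dest"
}

# Print "uid:gid" of a path without depending on GNU stat.
owner_of() {
    ls -lnd -- "$1" | awk '{ print $3 ":" $4 }'
}
```

Inside the container the call would look like `move_with_owner /src/file /dest 2020 100`, where 2020 is the UID from the post and 100 is a constructed GID.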

Unread post by sincarne » Sun Nov 12, 2017 2:04 pm

wow, you really don't know how docker works :lol:
this is not a synology package. docker is linux software. make it work with all distros.

Unread post by hlubovac » Sun Nov 19, 2017 4:12 am

sincarne wrote: wow, you really don't know how docker works :lol:
this is not a synology package. docker is linux software. make it work with all distros.
Thank you, that was very helpful.

I wonder what made you form that intelligent opinion? Why don't you read the whole thing first.

Unread post by sincarne » Sun Nov 19, 2017 8:29 am

hlubovac wrote:
sincarne wrote: wow, you really don't know how docker works :lol:
this is not a synology package. docker is linux software. make it work with all distros.
Thank you, that was very helpful.

I wonder what made you form that intelligent opinion? Why don't you read the whole thing first.
I form an intelligent opinion from actually knowing how Docker works. It does not have access to the user list, just like it does not have access to any folder on your NAS. That is why you have to tell it what user it can use or what folder it can access. That is why Docker is so much more secure than a package, and that is the whole idea behind containers.

Unread post by mightbetrue » Sun Nov 19, 2017 12:22 pm

@hlubovac

Unless a different user is defined in the Dockerfile, the main process inside a container is executed as root.

easy solution:
If you need the container to access a mounted volume with a specific uid:gid, you need to add a group with the desired gid and a user with the desired uid.
You need to add something like 'groupadd' and 'useradd' to add both in your Dockerfile. When you build the image, the uid:gid is baked into the image.

proper solution:
If you want to pass in the uid and gid as a parameter to dynamically configure them during container start, you need to have an entrypoint script that does at least modify the gid of an existing group and the uid of an existing user. I would strongly advise taking a look at s6-overlay; it makes environment variable handling quite easy, takes care of the pid1 problem and more.

A good starting point is https://github.com/linuxserver/docker-baseimage-xenial .

You might even think about using linuxserver/docker-baseimage-xenial as your base image, and just add your "service" like they do in https://github.com/linuxserver/docker-plex (the magic happens in the /root folder of the project repo).
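
An entrypoint along the lines of the "proper solution" above, as an added example (not code from linuxserver or s6-overlay): it reads the IDs at container start, remaps an account that already exists in the image, and drops root before starting the service. The variable names `PUID`/`PGID`, the account name `app`, the `ENTRYPOINT_RUN` guard and the use of `setpriv` from util-linux are assumptions.

```shell
#!/bin/sh
# Added example: remap an image's existing account to PUID:PGID at start-up,
# then run the service without root. "app" is a hypothetical account name
# (user and group of the same name are assumed to exist in the image).
APP_USER=${APP_USER:-app}

# Numeric, non-zero IDs only: the container must not be told to stay root.
is_unprivileged_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

entrypoint() {
    is_unprivileged_id "${PUID:-}" || { echo "PUID must be a non-zero number" >&2; return 64; }
    is_unprivileged_id "${PGID:-}" || { echo "PGID must be a non-zero number" >&2; return 64; }
    [ "$#" -gt 0 ] || { echo "no command given" >&2; return 64; }

    # -o permits an ID that another account in the image already uses.
    groupmod -o -g "$PGID" "$APP_USER" || return 1
    usermod -o -u "$PUID" -g "$PGID" "$APP_USER" || return 1

    # exec replaces this shell, so the service becomes PID 1 and gets signals.
    # Files it creates on the mounted volume are owned by PUID:PGID directly.
    exec setpriv --reuid "$PUID" --regid "$PGID" --init-groups -- "$@"
}

# Run only when started as the container entrypoint (guard is an assumption,
# so the functions can be sourced and checked without touching any account).
if [ "${ENTRYPOINT_RUN:-0}" = 1 ]; then
    entrypoint "$@"
fi
```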

Unread post by hlubovac » Sun Nov 19, 2017 7:38 pm

sincarne wrote:
hlubovac wrote:
sincarne wrote: wow, you really don't know how docker works :lol:
this is not a synology package. docker is linux software. make it work with all distros.
Thank you, that was very helpful.

I wonder what made you form that intelligent opinion? Why don't you read the whole thing first.
I form an intelligent opinion from actually knowing how Docker works. It does not have access to the user list, just like it does not have access to any folder on your NAS. That is why you have to tell it what user it can use or what folder it can access. That is why Docker is so much more secure than a package, and that is the whole idea behind containers.
Dude, I was asking a question. I wasn't preaching.

Since nobody answered (where the hell were you?!), I came up with a solution, and I posted it here for others to maybe find helpful.

True, docker container doesn't have access to user accounts. But it can execute chown and chmod, given that it knows IDs of those accounts. So, my solution, currently, is to pass those ID values (user and group) to the container (via env-variables or config-file system that I have), where the container then executes chown and chmod on directories and files that it creates outside of its realm.

So, unless you have a better solution to suggest, I cannot find your rants useful. Yes, you're the docker expert - recognized - happy?

Unread post by hlubovac » Sun Nov 19, 2017 7:45 pm

mightbetrue wrote: @hlubovac

Unless a different user is defined in the Dockerfile, the main process inside a container is executed as root.

easy solution:
If you need the container to access a mounted volume with a specific uid:gid, you need to add a group with the desired gid and a user with the desired uid.
You need to add something like 'groupadd' and 'useradd' to add both in your Dockerfile. When you build the image, the uid:gid is baked into the image.

proper solution:
If you want to pass in the uid and gid as a parameter to dynamically configure them during container start, you need to have an entrypoint script that does at least modify the gid of an existing group and the uid of an existing user. I would strongly advise taking a look at s6-overlay; it makes environment variable handling quite easy, takes care of the pid1 problem and more.

A good starting point is https://github.com/linuxserver/docker-baseimage-xenial .

You might even think about using linuxserver/docker-baseimage-xenial as your base image, and just add your "service" like they do in https://github.com/linuxserver/docker-plex (the magic happens in the /root folder of the project repo).
Thank you. What you said sounds promising. I can't go for the solution of hard-wiring a single user (or a set of users) at the Dockerfile level, because my service copies files to targets that are defined at the point of time when the container is already in existence - so, the user-list cannot be predicted at that time.

I will research the 2nd solution you mentioned, where the uid/gid are passed to the container via entrypoint script, which would then obtain UIDs and GIDs dynamically (e.g. from a config-file). Perhaps that'll work. I have to study this example that you linked to, to better understand the concept. I'll post back how it goes.

Some info here: https://hari-lubovac.blogspot.com/2017/ ... ology.html

Thank you!
Hari
Last edited by hlubovac on Wed Dec 20, 2017 4:25 pm, edited 1 time in total.

Unread post by sincarne » Mon Nov 27, 2017 10:00 pm

hlubovac wrote: True, docker container doesn't have access to user accounts. But it can execute chown and chmod, given that it knows IDs of those accounts. So, my solution, currently, is to pass those ID values (user and group) to the container (via env-variables or config-file system that I have), where the container then executes chown and chmod on directories and files that it creates outside of its realm.
This is the correct method and what all Docker Hub pages say to do for a container that needs a user. You make many false statements due to not knowing how it works instead of learning how it works. Why not ask on the Docker forum for help? It seems like you are trying to make a Docker container without having used a Docker container before.

Unread post by mightbetrue » Mon Nov 27, 2017 10:42 pm

@sincarne: is this a foreplay of some sort before you actually add something of importance to the thread?

Since you seem to be a real docker pro, how about sharing links to some docker hub pages of images you maintain?
It would allow everyone to learn how it's done properly from someone who obviously has everything figured out :)
