`docker run --group-add` by name doesn't add group from host as documented
Description
When including a host group and using the --group-add command to reference the group by name, it fails to perform as documented.
This was first mentioned on Stackoverflow 3 years ago, but is currently still incorrect.
Reproduce
1. Have a `/dev/kvm` owned by the `kvm` group, GID=109, with permissions `660` (i.e. Ubuntu)
2. `getent group kvm`
3. `docker run --rm -it --device /dev/kvm --group-add=kvm ubuntu:latest /bin/bash -c 'ls -la /dev/kvm; groups'`
4. `docker run --rm -it --device /dev/kvm --group-add=109 ubuntu:latest /bin/bash -c 'ls -la /dev/kvm; groups'`
5. `docker run --privileged --rm -it --device /dev/kvm --group-add=kvm ubuntu:latest /bin/bash -c 'ls -la /dev/kvm; groups'`
6. `docker run --privileged --rm -it --device /dev/kvm --group-add=109 ubuntu:latest /bin/bash -c 'ls -la /dev/kvm; groups'`
Notice that steps 3 and 5 fail with error:
docker: Error response from daemon: Unable to find group kvm: no matching entries in group file.
even though step 2 shows that it is within the host `getent`, while steps 4 and 6 succeed, though they throw an error from the `groups` command since GID=109 has no matching name within the container.
Expected behavior
Per documentation, steps 3-6 should all have the same result. Assuming step 2 succeeds and indicates GID=109, the result should indicate /dev/kvm has group GID=109, and the current user is a member of that group.
(See Issue #3058 for the bug where using --group-add doesn't add, but replaces, groups for the container user, also counter to documentation)
When mapping by name:
crw-rw---- 1 root 109 10, 232 Dec 13 14:55 /dev/kvm
root kvm
When mapping by GID (note: `groups` throws an error when there's membership in a group with no name):
crw-rw---- 1 root 109 10, 232 Dec 13 14:55 /dev/kvm
root groups: cannot find name for group ID 109
root 109
docker version
Client: Docker Engine - Community
Version: 24.0.7
API version: 1.43
Go version: go1.20.10
Git commit: afdd53b
Built: Thu Oct 26 09:07:41 2023
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.7
API version: 1.43 (minimum version 1.12)
Go version: go1.20.10
Git commit: 311b9ff
Built: Thu Oct 26 09:07:41 2023
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.6.25
GitCommit: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
runc:
Version: 1.1.10
GitCommit: v1.1.10-0-g18a0cb0
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client: Docker Engine - Community
Version: 24.0.7
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.11.2
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.21.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 4
Running: 2
Paused: 0
Stopped: 2
Images: 7
Server Version: 24.0.7
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d8f198a4ed8892c764191ef7b3b06d8a2eeb5c7f
runc version: v1.1.10-0-g18a0cb0
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.2.0-37-generic
Operating System: Ubuntu 22.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 12
Total Memory: 62.53GiB
Name: goln-422q533
ID: 9c9ff9b5-166d-4f9c-9922-43fd50435658
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional Info
No response
When specifying a user name or group name, those are looked up in the container's filesystem, not from the host.
Looking at the ubuntu image, there's no kvm user present inside the container image;
docker run -it --rm ubuntu:latest cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
So either pass a name that's present inside the container, or pass their corresponding UID and/or GID, or lookup the UID/GID on the host and pass numeric values to use for running the container's process.
> Per documentation, steps 3-6 should all have the same result
Do you have more information where it's documented that these are looked up on the host? Looking at https://docs.docker.com/engine/reference/run/#user, it's documenting that it's looked up inside the container. If there's documentation that documents otherwise, we should fix that.
Closing this per the above; I think this is working as documented, but feel free to comment if you think I closed in error.
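The portable way to grant a container access to a host device group, given the lookup rule explained above, is to resolve the group name to its numeric GID on the host and pass that number to `--group-add`. The script below is an added example illustrating that; it is not code from the issue or from Docker. The helper names `gid_from_group_line` and `docker_run_with_host_group` are assumptions, and the `kvm:x:109:` line used when `getent` is unavailable is a constructed sample that matches the issue's setup. The helper prints the `docker run` command rather than executing it, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the issue or from Docker.
# Docker resolves --group-add names against the container image's /etc/group,
# so a host-only group like "kvm" must be passed as its numeric GID.

# Extract the GID field from a getent(1)-style "name:x:gid:members" line.
# (Hypothetical helper name.)
gid_from_group_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Build a docker run command that adds the host group's GID numerically.
#   $1 = host group name (for error messages)
#   $2 = device path to pass through
#   $3 = the group-file line for that group, as returned by "getent group NAME"
# Fails if the line does not carry a purely numeric GID.
# (Hypothetical helper name.)
docker_run_with_host_group() {
    gid=$(gid_from_group_line "$3")
    case "$gid" in
        ''|*[!0-9]*)
            echo "could not resolve a numeric GID for host group '$1'" >&2
            return 1
            ;;
    esac
    printf 'docker run --rm --device %s --group-add=%s ubuntu:latest id\n' "$2" "$gid"
}

# Stand-alone usage: look the group up on the host; if getent is missing or the
# group does not exist, fall back to a constructed sample line (kvm, GID 109).
line=$(getent group kvm 2>/dev/null) || line='kvm:x:109:'
docker_run_with_host_group kvm /dev/kvm "$line"
```

Passing the GID numerically is enough for the kernel permission check on `/dev/kvm`; the `groups: cannot find name for group ID 109` message seen in the issue is only the container's name lookup failing. If a readable name is wanted inside the container, add a matching entry to the image's `/etc/group` (for example `groupadd -g 109 kvm` in the Dockerfile), since Docker will then resolve `--group-add=kvm` inside the container as documented.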