lima
Mounted volumes change permissions to root:nogroup
Description
I'm on Big Sur
docker -v
Docker version 20.10.12, build e91ed5707e
Hello, I'm just trying a simple Dockerfile like this:
FROM node:16
RUN mkdir /web && chown node:node /web
WORKDIR /web
COPY --chown=node:node package.json package-lock.json* ./
USER node
RUN npm install --legacy-peer-deps && npm cache clean --force
COPY --chown=node:node . .
EXPOSE 3000
Which has a couple volumes mounted in docker-compose.
volumes:
- ./react:/web
- /web/node_modules
If there are no volume mounts, the container is running with files under user:group node:node like expected, but once I mount volumes, these files are having their users and groups changed to root:nogroup.
Docker Desktop mounts the volumes keeping node:node permissions in the container.
Is there any way with Lima to achieve this same behaviour? Thanks.
Same behaviour here.
For instance
$ cat > test.txt
This is a test
^C
$ ls -asl "$(PWD)"
4 -rw-r--r-- 1 foo 15 Mar 14 15:57 test.txt
$ docker run --rm -it -v "$(PWD)":/app --user nginx nginx:1.19.1 ls -asl /app
total 4
4 -rw-r--r-- 1 root nogroup 15 Mar 14 14:57 test.txt
Whereas with Docker Desktop:
$ docker run --rm -it -v "$(PWD)":/app --user nginx nginx:1.19.1 ls -asl /app
total 4
4 -rw-r--r-- 1 nginx nginx 15 Mar 14 14:57 test.txt
Versions
MacOS : Monterey
$ limactl --version
limactl version 0.9.1
$ docker --version
Docker version 20.10.13, build a224086349
Same problem here. Inside the lima-VM the permissions are the same as on macOS:
# macos
❯ echo $UID $GID
503 20
❯ mdls docker.yaml
kMDItemFSOwnerGroupID = 20
kMDItemFSOwnerUserID = 503
# limaVM
dhermsmeier@lima-docker:/Users/dhermsmeier/Downloads$ ls -lah
-rw-r--r-- 1 dhermsmeier dialout 3.6K Jun 15 06:46 docker.yaml
dhermsmeier@lima-docker:/Users/dhermsmeier/Downloads$ stat docker.yaml
Access: (0644/-rw-r--r--) Uid: ( 503/dhermsmeier) Gid: ( 20/ dialout)
As soon as I mount the files inside a container, the permissions are lost:
dhermsmeier@lima-docker:/Users/dhermsmeier/Downloads$ docker run --entrypoint ash -it --rm -v $(pwd):/app alpine
/app # stat /app/docker.yaml
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: (65534/ nobody)
Versions:
❯ limactl --version
limactl version HEAD-de546da
❯ docker --version
Docker version 20.10.17, build 100c70180f
❯ system_profiler SPSoftwareDataType
Software:
System Software Overview:
System Version: macOS 12.4 (21F79)
Kernel Version: Darwin 21.5.0
Ok, the permission-issue is related to this docker-rootless-thing.
I've recreated my lima-vm with rootful docker and now all permissions are correct.
This is my current vm-spec if you want to try:
https://gist.github.com/Hermsi1337/cae623b87b2070431c63cf0b12b54a8c
NOTE: you have to reboot the vm after creating it; limactl stop -f docker && sleep 5 && limactl start docker
I get this issue with the docker template, I don't think it's anything to do with rootful vs rootless.
It seems the bind mount will only set UID and GID to either 0 or 65565 and nowhere in between.
See the following example.
$ cd /tmp/lima
$ limactl --version
limactl version 0.20.1
$ touch test
$ ls -ln
total 0
-rw-r--r-- 1 501 0 0 7 Feb 01:26 test
$ docker run -it --rm -v `pwd`:`pwd` -w `pwd` alpine sh
/tmp/lima # ls -ln
total 0
-rw-r--r-- 1 0 65534 0 Feb 7 01:26 test
/tmp/lima # touch test2
/tmp/lima # ls -ln
total 0
-rw-r--r-- 1 0 65534 0 Feb 7 01:26 test
-rw-r--r-- 1 0 65534 0 Feb 7 01:26 test2
/tmp/lima # exit
$ ls -ln
total 0
-rw-r--r-- 1 501 0 0 7 Feb 01:26 test
-rw-r--r-- 1 501 0 0 7 Feb 01:26 test2
$ sudo chown 1000:1000 test test2
$ ls -ln
total 0
-rw-r--r-- 1 1000 1000 0 7 Feb 01:26 test
-rw-r--r-- 1 1000 1000 0 7 Feb 01:26 test2
$ docker run -it --rm -v `pwd`:`pwd` -w `pwd` alpine sh
/tmp/lima # ls -ln
total 0
-rw-r--r-- 1 65534 0 0 Feb 7 01:26 test
-rw-r--r-- 1 65534 0 0 Feb 7 01:26 test2
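Added example, not part of the thread or of Lima's code: a small model of how a Linux user namespace's uid_map and gid_map translate file ownership, which yields the 0 and 65534 values in the listings above if the container runs inside a rootless user namespace. The map contents (VM user UID 501 with primary GID 1000, subordinate range starting at 100000) are constructed assumptions.

```python
# Added illustration: models how the kernel translates file owner IDs through
# a user namespace's uid_map/gid_map (format: inside_start outside_start length).
OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid ("nobody"/"nogroup")

# Constructed sample maps (assumptions, not taken from the thread): the VM user
# is UID 501 with primary GID 1000 and owns subordinate range 100000-165535.
SAMPLE_UID_MAP = """\
         0        501          1
         1     100000      65536
"""
SAMPLE_GID_MAP = """\
         0       1000          1
         1     100000      65536
"""


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map-style text into (inside, outside, length) tuples."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        extents.append(tuple(int(f) for f in fields))
    return extents


def to_namespace_id(outside_id, extents):
    """Return the ID a process inside the namespace sees for an outside ID."""
    for inside, outside, length in extents:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return OVERFLOW_ID  # unmapped IDs are reported as the overflow ID


def owner_seen_in_container(uid, gid, uid_map=SAMPLE_UID_MAP, gid_map=SAMPLE_GID_MAP):
    """Translate a file's (uid, gid) as stat() would report it in the container."""
    return (to_namespace_id(uid, parse_id_map(uid_map)),
            to_namespace_id(gid, parse_id_map(gid_map)))


if __name__ == "__main__":
    for owner in [(501, 0), (1000, 1000)]:
        print(owner, "->", owner_seen_in_container(*owner))
```

To check a real setup against this model, compare the sample maps with the output of `cat /proc/self/uid_map` and `cat /proc/self/gid_map` run inside the container.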