Share volume between docker host and container

If you want to share a volume between the docker host and a container, you mount the volume you want to share with -v source:target. If your image does not specify a USER, the command you run inside the container runs as root – which means that you access the mounted volume with the access rights of root on the docker host. If you trust your image, this is ok – if you want to be more secure you may want to restrict the access.

You can specify a USER in the Dockerfile, or use docker run --user to run as an unprivileged user. That means that the process in the container accesses the mounted volume as the given user. Now you have 2 problems.

First of all the user has to exist in the container – you may create it first with useradd during the build of the image. And secondly the user has to exist on the host, and both users have to have the same UID; otherwise the file access rights for the user won't apply. The same holds true if you try to grant rights to a group; the group has to exist in the container and on the host with the same GID.

So how can the “generic” image be in sync with a “specific” host?

One way to achieve this is to share the user and group definitions between host and container. Traditionally these definitions are in /etc/passwd and /etc/group.

So you can run the docker image with

docker run --user myuser -v /share:/share -v /etc/passwd:/etc/passwd:ro -v /etc/group:/etc/group:ro image command

where myuser exists as a user on the docker host, and image and command are the image to run and the command to execute inside it.

The container cannot manipulate the definitions, since they are mounted read only. The container cannot steal or crack the passwords, since they are not in /etc/passwd (the password hashes live in /etc/shadow, which is not mounted). And you can grant myuser all and only the needed access rights on the shared volume. You should make sure that the image does not contain sudo, so the unprivileged user cannot regain root inside the container.
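As an added example (not code from the original post), the following POSIX shell functions put the recipe above into a small script: they look up the user in a passwd-format file to confirm it exists on the host and to resolve its UID and GID, and then emit the docker run command line with the share and the read-only /etc/passwd and /etc/group mounts. The function names (lookup_uid_gid, build_run_cmd), the second parameter that lets you point at a file other than /etc/passwd, and the numeric uid:gid form passed to --user are assumptions of this example; docker accepts either the user name or uid:gid, and the numeric form fails loudly here if the user is missing on the host instead of silently falling back to root.

```shell
#!/bin/sh
# Added example, not part of the original post. Resolves a host user to
# UID:GID from a passwd-format file and builds the docker run command that
# mounts the share plus read-only /etc/passwd and /etc/group.

# lookup_uid_gid NAME [PASSWD_FILE]
# Prints "UID:GID" for NAME, or returns 1 if NAME is not defined.
# PASSWD_FILE defaults to /etc/passwd; a different file is only for testing.
lookup_uid_gid() {
    name=$1
    passwd_file=${2:-/etc/passwd}
    awk -F: -v u="$name" \
        '$1 == u { print $3 ":" $4; found = 1 }
         END { exit found ? 0 : 1 }' "$passwd_file"
}

# build_run_cmd NAME SHARE IMAGE [PASSWD_FILE]
# Prints the docker run command line. Fails if NAME does not exist on the
# host, because then no file permissions on SHARE could ever match the user.
build_run_cmd() {
    name=$1
    share=$2
    image=$3
    passwd_file=${4:-/etc/passwd}
    ids=$(lookup_uid_gid "$name" "$passwd_file") || {
        echo "user $name not found in $passwd_file" >&2
        return 1
    }
    # --user takes uid:gid; the passwd/group mounts only make the name
    # resolvable inside the container (e.g. for ls -l or whoami).
    printf 'docker run --rm --user %s -v %s:%s -v /etc/passwd:/etc/passwd:ro -v /etc/group:/etc/group:ro %s\n' \
        "$ids" "$share" "$share" "$image"
}

# Stand-alone usage: ./share.sh myuser /share alpine
if [ $# -ge 3 ]; then
    build_run_cmd "$@"
fi
```

Run it as `sh share.sh myuser /share alpine` and execute the printed line; if myuser is not in the host's /etc/passwd the script exits non-zero instead of producing a command that would run as root.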
