Docker : Host File System Permissions for Container Persistent Host Volumes
Let's assume you have a user called "docker_user" that has sudo privileges on docker, as described here. How do you make sure a non-root user has access to the host volumes accessed by a container? Here's one method.
Host Setup
From the user "docker_user" create the directories where you want to store the persistent volumes used by the containers. I'm going to create them under the "docker_user" user's home, but they could be anywhere.
mkdir -p /home/docker_user/volumes/ol7_183_ords_tomcat
mkdir -p /home/docker_user/volumes/ol7_183_ords_db
As the "root" user create a new group with a specific group ID, which will be used for group ownership inside the container and on the host file system. Below you can see we've altered the group ownership and permissions on the directories, including the setgid bit (g+s) on the group permissions, so new files and directories created there inherit the "docker_fg" group. We've then added the "docker_user" user to the "docker_fg" group.
groupadd -g 1042 docker_fg
chown -R :docker_fg /home/docker_user/volumes
chmod -R 775 /home/docker_user/volumes
chmod -R g+s /home/docker_user/volumes
usermod -aG docker_fg docker_user
Image/Container Setup
For this to work we have to make sure the volume defined in the container has the same group permissions. For the ORDS container image build we create the same group we did on the host, and make the "tomcat" user part of that group.
groupadd -g 1042 docker_fg
useradd tomcat -G docker_fg
Later in the image build we create the CATALINA_BASE location and set the permissions as we did on the host.
mkdir -p ${CATALINA_BASE}
chown :docker_fg ${CATALINA_BASE}
chmod 775 ${CATALINA_BASE}
chmod g+s ${CATALINA_BASE}
When we run the container, both the host file system and the container have a group (docker_fg) with the same ID (1042), and the group ownership of the directory is configured to use it.
We are now able to access the directories from within the container, and from the "docker_user" user on the host's file system, rather than being forced to use the "root" user to access them.
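To confirm the host side ended up as intended, the following added example (not part of the original article) audits a volume tree for the group ID, setgid and group-write bits set above, flags world-writable directories, and checks that new entries really inherit the group. The function names are hypothetical, and it assumes a Linux host with find and stat -c available.

```shell
#!/bin/sh
# Added example: audit a host volume tree prepared with the commands above.
# Function names are illustrative; assumes Linux find(1) and stat -c.

# audit_volume_tree ROOT GID
# Lists every directory under ROOT that is not group-owned by GID, lacks
# setgid or group rwx (mode bits 2070), or is world-writable.
# Returns 0 when the tree is clean, 1 when something is off, 2 on bad input.
audit_volume_tree() {
    root=$1 gid=$2
    [ -d "$root" ] || { echo "FAIL: $root is not a directory" >&2; return 2; }
    bad=$(find "$root" -type d \
            \( ! -group "$gid" -o ! -perm -2070 -o -perm -0002 \) -print)
    [ -z "$bad" ] && return 0
    echo "FAIL: directories not matching gid=$gid with setgid and group rwx:" >&2
    echo "$bad" >&2
    return 1
}

# probe_group_inherit DIR GID
# As the calling user, creates a scratch sub-directory and file in DIR and
# confirms both picked up GID, which is what g+s on the directory is for.
probe_group_inherit() {
    dir=$1 gid=$2
    sub=$(mktemp -d "$dir/.probe.XXXXXX") || return 2
    : > "$sub/f"
    got="$(stat -c '%g' "$sub") $(stat -c '%g' "$sub/f")"
    rm -rf "$sub"
    [ "$got" = "$gid $gid" ] || {
        echo "FAIL: new entries got gids '$got', expected $gid" >&2
        return 1
    }
}

# Usage on the host as docker_user, with the article's values:
#   audit_volume_tree /home/docker_user/volumes 1042 &&
#   probe_group_inherit /home/docker_user/volumes 1042
```

Log out and back in as "docker_user" before running the probe, since the new "docker_fg" membership only applies to sessions started after the usermod command.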
Hope this helps. Regards Tim...