Open budbay opened 1 year ago
I'm looking on docker docs about userns here, tldr: even userns disable the layer still remapped.
Disable namespace remapping for a container
If you enable user namespaces on the daemon, all containers are started with user namespaces enabled by default. In some situations, such as privileged containers, you may need to disable user namespaces for a specific container. See user namespace known limitations for some of these limitations.
To disable user namespaces for a specific container, add the --userns=host flag to the docker container create, docker container run, or docker container exec command.
There is a side effect when using this flag: user remapping will not be enabled for that container but, because the read-only (image) layers are shared between containers, ownership of the containers filesystem will still be remapped.
What this means is that the whole container filesystem will belong to the user specified in the --userns-remap daemon config (231072 in the example above). This can lead to unexpected behavior of programs inside the container. For instance sudo (which checks that its binaries belong to user 0) or binaries with a setuid flag.
Specifically this part
There is a side effect when using this flag: user remapping will not be enabled for that container but, because the read-only (image) layers are shared between containers, ownership of the containers filesystem will still be remapped.
What this means is that the whole container filesystem will belong to the user specified in the --userns-remap daemon config (231072 in the example above). This can lead to unexpected behavior of programs inside the container. For instance sudo (which checks that its binaries belong to user 0) or binaries with a setuid flag.
Just wanted to drop in and leave some more info to help debug these cron issues... I entered the docker container running scrutiny and noticed that crontab reported that there wasn't one for root. I had to manually load the crontab for root by doing crontab /etc/crontab
and then crontab reported correctly. Maybe the dockerfile needs another command to reinstall the crontab on startup.
I do not see any permissions issues, so I might not be seeing the exact same issue reported here.
Describe the bug I have namespaces enabled for docker but disabled for this container with
userns_mode: host
since smartmontools cant access devices with it enabled. Now cron doesn't trigger the collector because inside the container the scrutiny cron file is not owned by root:if i manually chown scrutiny to root inside the container, cron starts working. However, once the container is updated or restarted, the file is back to old ownership.
Expected behavior Cron files are owned by root
Screenshots n/a
Log Files n/a
Docker Info