Closed subdavis closed 3 years ago
It did not occur to me that the shifted namespace means permissions work differently inside user namespaced containers. `root` is still `root`, and even though the pids appear differently on the host, inside a container root still controls everything.
[root@9dad9b44c46d /]# ls -la /data/mariadb/
total 176208
drwxr-xr-x 7 999 root 4096 Jan 22 02:21 .
drwxr-xr-x 30 root root 4096 Jan 22 02:21 ..
-rw-rw---- 1 999 root 16384 Jan 22 02:19 aria_log.00000001
-rw-rw---- 1 999 root 52 Jan 22 02:19 aria_log_control
drwx------ 2 999 root 4096 Apr 19 2020 ccnet_db
-rw-rw---- 1 999 root 50331648 Jan 22 02:21 ib_logfile0
-rw-rw---- 1 999 root 50331648 Apr 19 2020 ib_logfile1
-rw-rw---- 1 999 root 79691776 Jan 22 02:21 ibdata1
-rw-rw---- 1 999 root 0 Apr 19 2020 multi-master.info
drwx------ 2 999 root 4096 Apr 19 2020 mysql
drwx------ 2 999 root 4096 Apr 19 2020 performance_schema
drwx------ 2 999 root 4096 Apr 19 2020 seafile_db
drwx------ 2 999 root 12288 Apr 26 2020 seahub_db
-rw-rw---- 1 999 999 24576 Jan 22 02:21 tc.log
Rootless docker really is a mindbender.
No change needed.
> Rootless docker really is a mindbender.

yep. Use of named volumes avoids some of the hard bits.
Otherwise:
Under rootless docker, the only way to maintain the same permissions between host and container is to use `--user 0:0`. Maria won't allow itself to be run as "root" even though it's actually "root" in my user shifted namespace. My data dir ends up looking like this when viewed from the host:

`100998` corresponds to pid `999` inside the container. `999` should not own these files, because I used `--user 0:0` in my docker run arguments.

The problem now is that I have a bunch of files that my host user has no permissions to read, so my backup processes (also running as PID `1000` on the host, PID `0` in its container) have no access to these files.

I would like to be able to run mariadb as root in order to allow it to function properly in rootless docker.
Using image version `10.1`
Update
Found problem code:
While I understand why this is done, I would like to be able to override it with an env var like `MARIADB_FORCE_ROOT` or something like that. Rootless docker (and podman, for that matter) are only going to become more popular in the future. This is a legitimate use case.
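The uid arithmetic behind the ownership described above (999 inside the container, 100998 on the host, container root mapping to the host user) and the resulting host-side readability check, as an added example that is not part of this issue or of the MariaDB image. It assumes the rootless-Docker convention that container uid 0 is the host user and container uid N>=1 maps to SUBUID_START + N - 1; the /etc/subuid entry, host uid 1000 and the file listing are constructed.

```shell
# Added example, not code from the issue or the MariaDB image: models the
# rootless-Docker uid mapping the issue describes. Container uid 0 is the host
# user; container uid N>=1 maps to SUBUID_START + N - 1, so uid 999 inside the
# container shows as 100998 on the host. All values below are constructed.

HOST_UID=1000                      # assumed uid of the rootless-docker user
HOST_GID=1000                      # assumed primary gid of that user
SUBUID_LINE="user:100000:65536"    # constructed /etc/subuid entry
SUB_START=$(printf '%s' "$SUBUID_LINE" | cut -d: -f2)
SUB_COUNT=$(printf '%s' "$SUBUID_LINE" | cut -d: -f3)

# container_to_host CUID -> host uid that owns files created as CUID
container_to_host() {
    if [ "$1" -eq 0 ]; then
        echo "$HOST_UID"
    elif [ "$1" -ge 1 ] && [ "$1" -le "$SUB_COUNT" ]; then
        echo $((SUB_START + $1 - 1))
    else
        echo unmapped                # outside the subuid range
    fi
}

# host_to_container HUID -> uid the container sees for a host-owned file
host_to_container() {
    if [ "$1" -eq "$HOST_UID" ]; then
        echo 0
    elif [ "$1" -ge "$SUB_START" ] && [ "$1" -lt $((SUB_START + SUB_COUNT)) ]; then
        echo $(($1 - SUB_START + 1))
    else
        echo unmapped
    fi
}

# Constructed host-side 'ls -n' view of the volume: container uid 999 -> 100998
LISTING='-rw-rw---- 1 100998 1000 52 Jan 22 02:19 aria_log_control
-rw-rw---- 1 100998 100998 24576 Jan 22 02:21 tc.log
-rw-r----- 1 1000 1000 7 Jan 22 02:30 backup.ok'

# unreadable_files -> names the host user cannot read (what a host backup fails on)
unreadable_files() {
    printf '%s\n' "$LISTING" | while read -r mode links uid gid rest; do
        name=${rest##* }
        grp=$(printf '%s' "$mode" | cut -c5)   # group r bit
        oth=$(printf '%s' "$mode" | cut -c8)   # other r bit
        [ "$uid" = "$HOST_UID" ] && continue   # owner can read (or chmod)
        [ "$gid" = "$HOST_GID" ] && [ "$grp" = r ] && continue
        [ "$oth" = r ] || echo "$name"
    done
}
```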