MariaDB / mariadb-docker

Docker Official Image packaging for MariaDB
https://mariadb.org
GNU General Public License v2.0

Cannot run as root (UID 0) under rootless docker #345

Closed subdavis closed 3 years ago

subdavis commented 3 years ago

Under rootless docker, the only way to maintain the same permissions between host and container is to use --user 0:0.

Maria won't allow itself to be run as "root" even though it's actually "root" in my user shifted namespace. My data dir ends up looking like this when viewed from the host:

drwxr-xr-x  7  100998 brandon     4096 Jan 22 01:07 ./
drwxr-xr-x 30 brandon brandon     4096 Jan 21 23:41 ../
-rw-rw----  1  100998 brandon    16384 Jan 22 01:07 aria_log.00000001
-rw-rw----  1  100998 brandon       52 Jan 22 01:07 aria_log_control
drwx------  2  100998 brandon     4096 Apr 19  2020 ccnet_db/
-rw-rw----  1  100998 brandon 50331648 Jan 22 01:08 ib_logfile0
-rw-rw----  1  100998 brandon 50331648 Apr 19  2020 ib_logfile1
-rw-rw----  1  100998 brandon 79691776 Jan 22 01:08 ibdata1
-rw-rw----  1  100998 brandon        0 Apr 19  2020 multi-master.info
drwx------  2  100998 brandon     4096 Apr 19  2020 mysql/
drwx------  2  100998 brandon     4096 Apr 19  2020 performance_schema/
drwx------  2  100998 brandon     4096 Apr 19  2020 seafile_db/
drwx------  2  100998 brandon    12288 Apr 26  2020 seahub_db/
-rw-rw----  1  100998  100998    24576 Jan 22 01:07 tc.log

100998 corresponds to pid 999 inside the container. 999 should not own these files, because I used --user 0:0 in my docker run arguments.

The problem now is that I have a bunch of files that my host user has no permissions to read, so my backup processes (also running as PID 1000 host, PID 0 in its container) have no access to these files.

I would like to be able to run mariadb as root in order to allow it to function properly in rootless docker.

Using image version 10.1

Update

Found problem code:

While I understand why this is done, I would like to be able to override it with an env var like MARIADB_FORCE_ROOT or something like that. Rootless docker (and podman, for that matter) are only going to become more popular in the future. This is a legitimate use case.
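The 100998 ↔ 999 correspondence above follows directly from the uid_map that rootless Docker installs for the container's user namespace. The following Python example is added here and is not code from the issue or the mariadb-docker project; it assumes the host user is uid 1000 with a /etc/subuid range starting at 100000 (constructed values, consistent with the 100998 shown in the listing) and translates uids in both directions.

```python
# Added example (not from the issue): translate uids across a user namespace
# using the /proc/<pid>/uid_map format that rootless Docker sets up.
# Each uid_map line is: <id inside ns> <id outside ns> <length>.

from typing import List, Optional, Tuple

# Constructed uid_map as rootless Docker typically writes it for a host user
# with uid 1000 and a /etc/subuid entry of "brandon:100000:65536"
# (assumed values; the issue only shows the resulting host uid 100998).
ROOTLESS_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map/gid_map text into (inside, outside, length) triples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, length = (int(f) for f in fields)
        ranges.append((inside, outside, length))
    return ranges

def to_host_uid(container_uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Map a uid seen inside the namespace to the uid the host kernel uses."""
    for inside, outside, length in ranges:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None  # unmapped: the kernel shows the overflow uid (65534) instead

def to_container_uid(host_uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Inverse mapping: which uid inside the namespace owns a host-side file."""
    for inside, outside, length in ranges:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None  # host uid is not mapped into this namespace at all

if __name__ == "__main__":
    ranges = parse_uid_map(ROOTLESS_UID_MAP)
    # The mysql user in the image is uid 999; on the host it appears as 100998.
    print(to_host_uid(999, ranges))          # 100998
    # --user 0:0 inside the container is the host user's own uid.
    print(to_host_uid(0, ranges))            # 1000
    # Files owned by 100998 on the host belong to uid 999 inside the container.
    print(to_container_uid(100998, ranges))  # 999
```

Running the same parser over `/proc/self/uid_map` from inside a rootless container shows the live mapping, which is why root inside the container (mapped to the host user) can still read files that the host user itself cannot.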

subdavis commented 3 years ago

It did not occur to me that the shifted namespace means permissions work differently inside user namespaced containers.

root is still root and even though the pids appear differently on the host, inside a container, root still controls everything.

[root@9dad9b44c46d /]# ls -la /data/mariadb/
total 176208
drwxr-xr-x  7  999 root     4096 Jan 22 02:21 .
drwxr-xr-x 30 root root     4096 Jan 22 02:21 ..
-rw-rw----  1  999 root    16384 Jan 22 02:19 aria_log.00000001
-rw-rw----  1  999 root       52 Jan 22 02:19 aria_log_control
drwx------  2  999 root     4096 Apr 19  2020 ccnet_db
-rw-rw----  1  999 root 50331648 Jan 22 02:21 ib_logfile0
-rw-rw----  1  999 root 50331648 Apr 19  2020 ib_logfile1
-rw-rw----  1  999 root 79691776 Jan 22 02:21 ibdata1
-rw-rw----  1  999 root        0 Apr 19  2020 multi-master.info
drwx------  2  999 root     4096 Apr 19  2020 mysql
drwx------  2  999 root     4096 Apr 19  2020 performance_schema
drwx------  2  999 root     4096 Apr 19  2020 seafile_db
drwx------  2  999 root    12288 Apr 26  2020 seahub_db
-rw-rw----  1  999  999    24576 Jan 22 02:21 tc.log

Rootless docker really is a mindbender.

No change needed.

grooverdan commented 3 months ago

Rootless docker really is a mindbender.

yep.

Use of named volumes avoids some of the hard bits.

Otherwise:

https://mariadb.com/kb/en/docker-official-image-frequently-asked-questions/#can-i-run-the-mariadb-container-as-an-arbitrary-user