containers / docker-lvm-plugin

Docker volume plugin for LVM volumes
GNU Lesser General Public License v3.0

docker-lvm-plugin doesn't work right with userns-remap #57

Closed mortya closed 5 years ago

mortya commented 5 years ago

I have docker configured with userns-remap. With default permissions, docker-lvm-plugin doesn't work right. It can create volumes, but they can't actually be mounted.

$ sudo docker volume create -d lvm --opt size=0.3G --name docker_lvm_test3
docker_lvm_test3
$ sudo docker run -d -p 8080:80 -v docker_lvm_test2:/somemount nginx
03fd9cccd5d4ef9e3782c1eeb7d7080b93098aa5b8087721bab796b456600888
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused \"rootfs_linux.go:58: mounting \\\"/var/lib/docker-lvm-plugin/docker_lvm_test2\\\" to rootfs \\\"/srv/var/lib/docker/262144.262144/overlay2/b701da7e5d997e50ef147df89ada2c90a88f7e1076f1b15d6ba06842808119d9/merged\\\" at \\\"/somemount\\\" caused \\\"stat /var/lib/docker-lvm-plugin/docker_lvm_test2: permission denied\\\"\"": unknown.
$ 

This appears to be a simple permission issue. Workaround: chmod 755 /var/lib/docker-lvm-plugin/

Probably best to fix it in the code, though.

shishir-a412ed commented 5 years ago

@mortya I tried to reproduce this by running docker daemon under a remapped root (--userns-remap=smahajan)

[root@localhost docker-lvm-plugin]# cat /etc/subuid
smahajan:120000:65536
[root@localhost docker-lvm-plugin]# cat /etc/subuid
smahajan:120000:65536

The problem is docker-lvm-plugin is running as root and its graph directory (/var/lib/docker-lvm-plugin) is owned by root:root. When you launch the container, it will run as remapped root (120000) {non-root} and does not have the permission to mount a root path into the container rootfs.

Correct solution would be when docker-lvm-plugin starts (restarts), it should query docker daemon to check if the daemon is running under a remapped root, and chown its own root (graph) directory to remapped root.

I don't like the idea of adding a dependency to docker daemon, to be able to start the plugin. Since if we add this, docker daemon should be running when the plugin starts so it can query the daemon.

We can get around this situation by:

1) chown 120000:120000 /var/lib/docker-lvm-plugin
2) chmod 755 /var/lib/docker-lvm-plugin (as suggested by you).

I prefer (1) since that's the remapped user the container is running under. Also (2) makes /var/lib/docker-lvm-plugin world executable. I'll leave it up to you which one you want to choose.

Closing it in favor of workaround for now. If more people start facing this issue, we can think of addressing it in the code.
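The ownership fix chosen above (option 1) needs the host uid/gid that the remapped daemon maps container root to, which Docker takes from the first subordinate range of the remap user in /etc/subuid and /etc/subgid. The following is an added example, not the plugin's own code or anything from the thread: it parses constructed stand-ins for those files (the remap user "smahajan" and the 120000 range are taken from the comment; the "dockremap" name is what Docker uses for --userns-remap=default) and prints the chown command rather than running it, since that needs root.

```sh
#!/bin/sh
# Added example (not the plugin's code): derive the host uid:gid of a userns-remapped
# daemon's root from subordinate id ranges and emit the chown for the graph directory.

# Constructed sample contents standing in for /etc/subuid and /etc/subgid so the
# script runs offline; only the first range for a user matters to Docker.
SAMPLE_SUBUID="root:100000:65536
smahajan:120000:65536
smahajan:200000:65536"
SAMPLE_SUBGID="smahajan:120000:65536"

# first_sub_id USER FILE-CONTENT
# Prints the start of USER's first subordinate range (what container id 0 maps to).
# Prints nothing and returns 1 when USER has no range at all.
first_sub_id() {
    printf '%s\n' "$2" | awk -F: -v u="$1" \
        '$1 == u { print $2; found = 1; exit } END { exit found ? 0 : 1 }'
}

# remapped_root USER SUBUID-CONTENT SUBGID-CONTENT
# Prints "UID:GID" for the remapped root. "default" is resolved to the dockremap
# user Docker creates for --userns-remap=default.
remapped_root() {
    user=$1
    [ "$user" = default ] && user=dockremap
    uid=$(first_sub_id "$user" "$2") || return 1
    gid=$(first_sub_id "$user" "$3") || return 1
    printf '%s:%s\n' "$uid" "$gid"
}

# fix_cmds USER SUBUID-CONTENT SUBGID-CONTENT DIR
# Prints the chown that hands the plugin's graph directory to the remapped root.
# The directory mode is left alone: once the owner matches, the remapped daemon
# can traverse it without the world-executable bit option 2 would add.
fix_cmds() {
    owner=$(remapped_root "$1" "$2" "$3") || {
        echo "no subordinate uid/gid range for $1" >&2
        return 1
    }
    printf 'chown %s %s\n' "$owner" "$4"
}

# Stand-alone run against the constructed sample data.
fix_cmds smahajan "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" /var/lib/docker-lvm-plugin
```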