moby / moby

The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
https://mobyproject.org/
Apache License 2.0

docker cp fails in rootless mode #39894

Closed mike2307 closed 5 years ago

mike2307 commented 5 years ago

Description: I'm experimenting with docker in rootless mode, using the script https://get.docker.com/rootless. Starting containers works fine, but a docker cp command always fails.

Steps to reproduce the issue:

  1. $ docker run --rm -d traefik
  2. $ docker ps -a
    CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
    26acf3431984        traefik             "/traefik"          33 seconds ago      Up 32 seconds       80/tcp              dazzling_williamson
  3. $ touch my_file
  4. $ docker cp my_file dazzling_williamson:/tmp/

Describe the results you received: Error response from daemon: Error processing tar file(exit status 1): lchown /tmp/my_file: invalid argument

Describe the results you expected: File is being copied without errors.

Additional information you deem important (e.g. issue happens only occasionally): Always reproducible.

Output of docker version:

Client: Docker Engine - Community
 Version:           master-dockerproject-2019-09-09
 API version:       1.40
 Go version:        go1.12.9
 Git commit:        016a3232
 Built:             Mon Sep  9 23:52:32 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          master-dockerproject-2019-09-09
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.12.9
  Git commit:       536e26c
  Built:            Mon Sep  9 23:59:00 2019
  OS/Arch:          linux/amd64
  Experimental:     true
 containerd:
  Version:          v1.2.9
  GitCommit:        d50db0a42053864a270f648048f9a8b4f24eced3
 runc:
  Version:          1.0.0-rc8
  GitCommit:        425e105d5a03fabd737a126ad93d62a9eeede87f
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683

Output of docker info:

Client:
 Debug Mode: false

Server:
 Containers: 2
  Running: 1
  Paused: 0
  Stopped: 1
 Images: 6
 Server Version: master-dockerproject-2019-09-09
 Storage Driver: vfs
 Logging Driver: json-file
 Cgroup Driver: none
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d50db0a42053864a270f648048f9a8b4f24eced3
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 5.2.11-200.fc30.x86_64
 Operating System: Fedora 30 (Workstation Edition)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.08GiB
 Name: xxxxxxxxxxx
 ID: QLJZ:YH27:TSKH:QJX5:42ZP:DZ3Q:X5E5:VBBO:D6ZU:BMCK:CZQB:57BV
 Docker Root Dir: /home/xxxxxxxxxxx/.local/share/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: true
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
 Product License: Community Engine

WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled

Additional environment details (AWS, VirtualBox, physical, etc.):

AkihiroSuda commented 5 years ago

What is your UID, GID and /etc/sub[ug]id ?

mike2307 commented 5 years ago

@AkihiroSuda
UID is 1310810133 (originating from a domain)
GID is 1310800513 (originating from a domain)
/etc/subuid for the corresponding user is xxx:165536:65536 (has been added manually)
/etc/subgid for the corresponding user is xxx:165536:65536 (has been added manually)

AkihiroSuda commented 5 years ago

You need more than 1310810133 subuids (currently you only have 65536) because docker cp wants to chown the file to 1310810133.

Or use tar cf - somefile | docker exec foo tar xf - instead.

mike2307 commented 5 years ago

So what would be a working configuration?

I changed my /etc/sub[ug]id to xxx:165536:1320000000

Now docker won't start:

[rootlesskit:parent] error: failed to setup UID/GID map: newuidmap 6332 [0 1310810133 1 1 165536 1320000000] failed: newuidmap: write to uid_map failed: Invalid argument
: exit status 1

Am I exceeding some limits here?

AkihiroSuda commented 5 years ago

The UID limit should be 4G on Linux, but newuidmap might have 2G limit, not sure

mike2307 commented 5 years ago

Just in case someone who also has a very high UID/GID stumbles across this issue...

For my UID 1310810133/GID 1310800513 this worked:

$ cat /etc/subuid
xxxxxx:1320000000:1320000000
$ cat /etc/subgid
xxxxxx:1320000000:1320000000

In addition, a high UID will also cause https://github.com/moby/moby/issues/39608. The workaround is described here: https://github.com/moby/moby/issues/39608#issuecomment-529856990
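To make the arithmetic behind AkihiroSuda's explanation and the working /etc/sub[ug]id entries above concrete, here is an added example (not code from the thread or from Moby) that parses subuid-style entries and checks two things for a rootlesskit-style layout, where the user's own host UID maps to container UID 0 and the subuid ranges follow consecutively from 1: whether a given container-side UID (the one docker cp chowns to) is covered by the ranges, and whether a range contains the user's host UID, which the kernel rejects as an overlapping uid_map. The user names and the three range lines are taken from the thread; the layout assumption is rootlesskit's.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// IDRange is one /etc/subuid or /etc/subgid entry ("user:start:count").
type IDRange struct{ Start, Count uint64 }

// ParseSubID returns the ranges assigned to user in /etc/subuid-style content.
func ParseSubID(content, user string) ([]IDRange, error) {
	var ranges []IDRange
	for _, line := range strings.Split(content, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) != 3 || f[0] != user {
			continue // blank line, comment or another user's entry
		}
		start, err1 := strconv.ParseUint(f[1], 10, 32)
		count, err2 := strconv.ParseUint(f[2], 10, 32)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("bad subid entry %q", line)
		}
		ranges = append(ranges, IDRange{start, count})
	}
	return ranges, nil
}

// Mappable reports whether container-side id (>= 1) exists in a namespace laid
// out like rootlesskit's (assumption): subid ranges placed consecutively from 1.
// docker cp chowns the copied file to the client's host UID, so that UID must pass.
func Mappable(ranges []IDRange, id uint64) bool {
	var total uint64
	for _, r := range ranges {
		total += r.Count
	}
	return id >= 1 && id <= total
}

// Overlaps reports whether a subid range contains hostID. hostID is already
// mapped to container ID 0, so the kernel rejects such a uid_map with EINVAL
// ("write to uid_map failed: Invalid argument" from newuidmap).
func Overlaps(ranges []IDRange, hostID uint64) bool {
	for _, r := range ranges {
		if hostID >= r.Start && hostID < r.Start+r.Count {
			return true
		}
	}
	return false
}
```

For UID 1310810133 the first entry (65536 IDs) fails Mappable, the second (165536:1320000000) passes Mappable but trips Overlaps, and the final entry (1320000000:1320000000) passes both.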

aacebedo commented 4 years ago

The problem is still present, and the workaround mentioned by @mike2307 or @AkihiroSuda (adding a very large range) is not applicable in environments with a lot of users.

In my case, users have a very high UID (> 1 000 000 0000) that I cannot change. Using docker rootless, users cannot execute docker cp with one of their files as their uid is huge. I cannot map those users in subuid without overlap, as I must give them a range including their uid to make it work.

Note that docker pull is not working either if the image contains a file with an owner uid outside of the range. The user gets the same error (lchown invalid argument).

Is there any other way to correct this?

AkihiroSuda commented 4 years ago

Running rootless containers without subuid is being experimented with in https://github.com/rootless-containers/subuidless, but it is not ready for actual use yet.

aacebedo commented 4 years ago

Thanks for the answer. Does it mean a rootless setup for users with a high uid is a dead end until subuidless is fully implemented?