inability to access host-mounted docker volumes by non-root users about colima HOT 7 CLOSED

This has been fixed upstream. brew upgrade lima and ensure you are on lima version >= v0.6.4

from colima.

@kumikumi is the container running as a non-root user?
Or better still, do you mind sharing snippets from the docker-compose.yaml file? You can redact any information you deem sensitive.

from colima.

@kumikumi is the container running as a non-root user?

When I enter the container with docker exec -it php /bin/bash and type whoami it prints out root.

Or better still, do you mind sharing snippets from the docker-compose.yaml file? You can redact any information you deem sensitive.

If you have specific questions about the setup, I can share the relevant snippets with potential sensitive information redacted.

from colima.

@kumikumi
What I have discovered so far is that non-root user in the container is unable to access the mounted volume.
I suspect the server's subprocesses are running as non-root user.

Does the container has top or ps command and see if there are processes running as non-root user?

Thanks.

from colima.

You're right. The web server process is running as non-root and having trouble accessing the mounted volume.

ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   3836  3148 ?        Ss   10:52   0:00 /bin/bash /var/www/html/fooapp/app/docker-scripts/php.entrypoint.sh
root           8  0.2  0.4  78344 25356 ?        S    10:52   0:00 apache2 -DFOREGROUND
www-data    6133  0.0  0.1  78408  7544 ?        S    10:53   0:00 apache2 -DFOREGROUND
www-data    6134  0.0  0.1  78408  7544 ?        S    10:53   0:00 apache2 -DFOREGROUND
www-data    6135  0.0  0.1  78408  7544 ?        S    10:53   0:00 apache2 -DFOREGROUND
www-data    6136  0.0  0.1  78408  7544 ?        S    10:53   0:00 apache2 -DFOREGROUND
www-data    6137  0.0  0.1  78408  7544 ?        S    10:53   0:00 apache2 -DFOREGROUND
root        6144  0.0  0.0   2364   576 ?        S    10:53   0:00 tail -f /var/log/foo/foo.log
root        6145  1.5  0.0   4100  3260 pts/0    Ss   10:53   0:00 /bin/bash
root        6151  0.0  0.0   6700  2980 pts/0    R+   10:53   0:00 ps aux

from colima.

Lima is planning to replace sshfs with samba and that may fix this lima-vm/lima#188. I would prefer to wait until after that before attempting any proper fixes.

As a workaround for now, since you're using docker-compose, you can have a custom Dockerfile that changes www-data's uid to match your macOS user's uid i.e. 501. If you're not sure how to go about that, you can specify the docker image you're using and I can assist with the Dockerfile.

Thanks.

from colima.

Hmm, if I understand this issue it's not really fixed. ddev generates its own docker-compose.yaml and runs containers with uid:gid of the host-side user. So if I'm 501, the web container will run as UID 501 (and all the processes inside it also run as UID 501).

However, as of today with limactl 0.7.3 and colima 0.2.2 it's not possible to write to a mounted directory inside the container.

For example, mkdir. test and place this docker-compose.yaml:

services:
  web:
    image: busybox
    user: "501:20"
    command: tail -f /dev/null
    volumes: 
    - $PWD:/var/www/html

And now start it and exec into it to create a file:

docker-compose up -d
docker exec ctest_web_1 touch /var/www/html/junk
touch: /var/www/html/junk: Read-only file system

from colima.