Sharing files with rootless containers #267

Open
dg424 opened this issue Aug 20, 2021 · 2 comments
Labels
question Further information is requested

Comments


dg424 commented Aug 20, 2021

Hi,

So, I know that rootless creates a new user namespace, but is there a way to share files between rootless containers and the outside system "while maintaining permissions"? For instance, both working on a shared storage area. I know I can do chmod ugo+rwx file, but is it possible to keep the permissions across the two boundaries? For instance, if a file is owned by root outside, root in the rootless container has rw access; if the file is owned by user 1000, then, of course, only root and user 1000 can rw the file, and so on. I'm running rootlesskit via docker, latest release of both.

@AkihiroSuda AkihiroSuda added the question Further information is requested label Aug 20, 2021
AkihiroSuda (Member) commented:

> For instance, if a file is owned by root outside, root in the rootless container has rw access

No, if this were possible, it would be a security issue.


dg424 commented Aug 20, 2021

Hi Akihiro,

Yes, I understand that with rootless, we do not want a rootless container's "root" user to access the "real root" areas on the host. The situation we have is that the host Docker daemon runs as root and we're running rootless on top of this. There are other "regular" containers on the host running as root or some other users creating files that we would like our rootless containers to have access to. The shared area in question is actually a mount point where all containers are interacting; it is not a location on the actual host system area containing host system files etc. What is the best approach for dealing with this situation?
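The following script is an added illustration, not code from the thread or from rootlesskit, of why the ownership mapping asked about above cannot cross the user-namespace boundary. It models the uid_map rootlesskit ends up with for a constructed setup (rootless user uid 1000, /etc/subuid range 100000-165535) and shows which host owner each in-container identity corresponds to; host uids outside that map, root included, show up as the kernel overflow id and no process in the namespace can ever own or override them.

```python
"""Model how a rootless user namespace's uid_map translates file ownership.

Added example, not from the issue thread. The mapping is constructed: the
rootless user is uid 1000 on the host and /etc/subuid grants it
100000-165535, so the uid_map written for the namespace is
    0       1000    1
    1       100000  65536
A host uid with no entry is shown inside the namespace as the kernel's
overflow id (65534, "nobody"). Capabilities held by container "root" only
cover inodes whose uid/gid are mapped into the namespace, so owner bits and
DAC override never apply to a file owned by host root (unmapped).
"""

OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid

# (container_start, host_start, count): same column order as /proc/<pid>/uid_map
UID_MAP = [(0, 1000, 1), (1, 100000, 65536)]


def host_to_container(host_uid: int, uid_map=UID_MAP) -> int:
    """Owner uid a process inside the namespace sees for a host-owned file."""
    for c_start, h_start, count in uid_map:
        if h_start <= host_uid < h_start + count:
            return c_start + (host_uid - h_start)
    return OVERFLOW_UID  # unmapped: nobody inside can match the owner


def container_to_host(container_uid: int, uid_map=UID_MAP):
    """Host uid a file gets when created by container_uid (None = unmapped)."""
    for c_start, h_start, count in uid_map:
        if c_start <= container_uid < c_start + count:
            return h_start + (container_uid - c_start)
    return None


def visible_as(host_uid: int, uid_map=UID_MAP) -> str:
    """Describe what a host-owned file looks like to processes in the namespace."""
    c = host_to_container(host_uid, uid_map)
    if c == OVERFLOW_UID:
        return f"host uid {host_uid} -> nobody ({OVERFLOW_UID}); only group/other bits can grant access"
    return f"host uid {host_uid} -> container uid {c}"


if __name__ == "__main__":
    # Host root (0), the rootless user (1000), a subuid (100005), an unrelated user (2000)
    for uid in (0, 1000, 100005, 2000):
        print(visible_as(uid))
```

A shared mount therefore works only if the files are owned by uids in the rootless user's subuid range (or by that user), or are opened up via group/other bits.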
