I am trying to grant read permissions to group grafana-cloud to files under /var/lib/docker/containers:

#> ls  /var/lib/docker/containers/ | head -n1
0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4

#> setfacl -Rdm g:grafana-agent:rx /var/lib/docker/containers
#> setfacl -Rm g:grafana-agent:rx /var/lib/docker/containers

Executing this snippet grants permissions to all the files and folders that already exist.

#> getfacl /var/lib/docker/containers/0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

If I create a new file or folder inside /var/lib/docker/containers, the ACLs are correctly kept:

#> mkdir /var/lib/docker/containers/foo
#> getfacl /var/lib/docker/containers/foo
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/foo
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

The problem comes when a new container is created, where the ACLs do not seem to be applied as I'm expecting:

#> docker run -d busybox
70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
#> getfacl /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x     #effective:---
mask::---
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

#> su - grafana-agent -c "ls /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/"
ls: cannot open directory '/var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/': Permission denied

If I now run the setfacl command again, the ACLs are applied to the new container's file tree and the user can read the files:

#> setfacl -Rm g:grafana-agent:rx /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
#> su - grafana-agent -c "ls /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/"
70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8-json.log  checkpoints  config.v2.json  hostconfig.json  hostname  hosts  mounts  resolv.conf  resolv.conf.hash
#> getfacl /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
# owner: root
# group: root
user::rwx
user:grafana-agent:r-x
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:user:grafana-agent:r-x
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

Is there something wrong in my process? It seems the ACLs are not applied in the first place, as we can read #effective:--- next to the grafana-agent entry, but I could not find any. I've tried granting the ACLs to the user instead of the group, with the same results.

Thank you.


ACLs only extend the standard POSIX permissions. The effective permission here is --- because the POSIX permissions for the group are --- and the (default) ACL mask is also ---.

You could instead do the following:

  1. Change the ownership of the directory: e.g. chown root:grafana-agent /var/lib/docker/containers
  2. Set its permissions with the s bit such that all new files (and directories) created inside will belong to the same group which is the owner of the directory: e.g. chmod g+rs /var/lib/docker/containers

You may need to change the group permissions for /var/lib/docker too: chmod o+x /var/lib/docker (this will allow every "other" user to list files in the directory and thus to access the containers subfolder)

julid
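As an added example (not part of the question or the answer), the Python below parses getfacl output of the kind shown above and applies the two POSIX ACL rules from acl(5) that explain the #effective:--- line: the mask caps every named-user, named-group and owning-group entry, and an object created under a default ACL gets that ACL ANDed with the mode passed to mkdir(2)/open(2). The 0700 creation mode is an assumption chosen because it reproduces the mask::--- the question shows; the page does not show what mode the container runtime actually requests.

```python
# Added example (mine, not from the question or answer): parse getfacl output
# and apply the POSIX ACL rules that produce the '#effective:---' seen above.
BITS = (("r", 4), ("w", 2), ("x", 1))

# Constructed input: the ACL the question set on the parent directory.
PARENT_GETFACL = """\
user::rwx
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---
"""

def perms_to_bits(perms):          # 'r-x' -> 5
    return sum(b for c, b in BITS if c in perms)

def bits_to_perms(bits):           # 5 -> 'r-x'
    return "".join(c if bits & b else "-" for c, b in BITS)

def parse_getfacl(text, default=False):
    """{(tag, qualifier): bits} for the access ACL, or the default ACL when
    default=True; comments and '#effective' annotations are dropped."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("default:") != default:
            continue
        tag, qualifier, perms = line.split(":")[-3:]   # drops 'default' prefix
        acl[(tag, qualifier)] = perms_to_bits(perms)
    return acl

def effective(acl):
    """Mask caps named users, named groups and group::; never user:: or other::."""
    mask = acl.get(("mask", ""), 7)
    return {k: v & mask if k[0] == "group" or (k[0] == "user" and k[1]) else v
            for k, v in acl.items() if k[0] != "mask"}

def create_with_default(default_acl, mode):
    """New object: the parent's default ACL becomes its access ACL, ANDed with
    the creation mode (owner bits -> user::, group bits -> mask::, other bits ->
    other::, per acl(5)); umask is not applied when a default ACL exists."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("mask", "")] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl
```

With the parent's default ACL, `create_with_default(..., 0o777)` (a plain mkdir) keeps mask r-x and grafana-agent effective r-x, while `0o700` leaves mask --- and grafana-agent effective ---, which is why the second setfacl run (which rewrites the mask) is what made the files readable.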