
For context:

docker --version
    Docker version 20.10.7, build 20.10.7-0ubuntu5~20.04.2

Test 1: volume is /myvolume

Here's my Dockerfile

FROM alpine:latest
USER 1000:1000
VOLUME /myvolume

and the build + run commands:

docker build -t myimage .
docker run --rm -it myimage

then, once in the container:

/ $ whoami
    whoami: unknown uid 1000
/ $ ls -ld /myvolume/
    drwxr-xr-x    2 root     root          4096 Mar  8 09:22 /myvolume/
/ $ touch /myvolume/test
    touch: /myvolume/test: Permission denied

So far, no surprise: the user with UID 1000 can't write to /myvolume.

Test 2: volume is /tmp

My Dockerfile

FROM alpine:latest
USER 1000:1000
VOLUME /tmp

(same build + run commands), and in the container:

/ $ whoami
    whoami: unknown uid 1000
/ $ ls -ld /tmp
    drwxrwxrwt    2 root     root          4096 Nov 24 09:20 /tmp
/ $ touch /tmp/test
/ $ ls -l /tmp
    total 0
    -rw-r--r--    1 1000     1000             0 Mar  8 09:23 test

Now that the volume has changed to /tmp, the user with UID 1000 can write to it.

I know /tmp is typically world-writable in GNU/Linux, but here this looks "magical" (which is fine only when Harry Potter is around), and I'm wondering whether:

a) I'm missing something about how Docker and volumes work (please refer me to appropriate documentation / tutorials)

b) it's a coincidence due to my setup / something's missing to be explicit and stop relying on defaults

c) it's an undocumented feature that may change any time without notice

d) it's a feature I've not been able to find documentation about, and I can safely rely on the fact that when a volume is attached to /tmp, it is always world-writable

Httqm

2 Answers

1

From the Docker documentation at https://docs.docker.com/engine/reference/builder/#volume:

The docker run command initializes the newly created volume with any data that exists at the specified location within the base image.

It appears that not only are files and directories copied to the designated location, but also the permissions of those files and the permissions of that location.

Consider the following Dockerfile:

FROM alpine:latest
RUN rm -rf /tmp
USER 1000:1000
VOLUME /tmp

If you attempt the following command inside the container:

~ $ touch /tmp/test

You will encounter the following error:

touch: /tmp/test: Permission denied
sbrajchuk
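Added example (not part of the answer above): since the ownership and mode of the mount point in the image are what get copied into a freshly created volume, the explicit way to stop relying on /tmp's 1777 default is to create the mount point with the wanted owner and mode before declaring it a VOLUME. The image name and UID/GID below are the ones used in the question; the 0750 mode is my choice.

```dockerfile
FROM alpine:latest

# Create the mount point with explicit ownership and a restrictive mode
# *before* the VOLUME instruction. When `docker run` creates a new (empty)
# anonymous or named volume for this path, it initializes the volume root
# with this directory's contents, owner and mode, so UID 1000 can write to
# it without the directory being world-writable.
#
# Note: this initialization only happens for new, empty volumes. A bind
# mount (-v /host/dir:/myvolume) or a volume that already holds data keeps
# its own ownership and permissions, so check them on the host instead.
RUN mkdir -p /myvolume \
 && chown 1000:1000 /myvolume \
 && chmod 0750 /myvolume

# Same unprivileged numeric user as in the question.
USER 1000:1000

VOLUME /myvolume
```

Verify the result with `docker build -t myimage . && docker run --rm myimage ls -ld /myvolume`, which should report `drwxr-x---` owned by `1000:1000` rather than the root-owned `drwxr-xr-x` seen in test 1.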
0

That "Magic" is the so-called (and well-documented) "Sticky Bit".

Phill W.
    You missed my point (or I didn't ask my question clearly enough): I know about /tmp and its permissions. My question is why (and how) a volume gets these permissions when associated with /tmp while it doesn't somewhere else. – Httqm Mar 08 '22 at 12:43