I have a Python script that creates a folder and writes a file in that folder. I can open the file and see its contents, but unfortunately I cannot edit it. I tried to add the command `RUN chmod -R 777 .` but that didn't help either. In the created files and folders I see a lock sign (see screenshot).
I have been able to recreate the same on a small demo. The contents are as follows -

demo.py

from pathlib import Path
Path("./created_folder").mkdir(parents=True, exist_ok=True)
with open("./created_folder/dummy.txt", "w") as f:
    f.write("Cannot edit the contents of this file")

Dockerfile

FROM python:buster

COPY . ./data/
WORKDIR /data
RUN chmod -R 777 .

CMD ["python", "demo.py"]

docker-compose.yaml

version: "3.3"
services:
  python:
    working_dir: /data
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - .:/data/

After making these files, run `docker-compose up --build`, see the results, and then try to edit and save the created file dummy.txt, which should fail.

Any idea how to make sure that the created files can be edited and saved on the host?

EDIT:

  1. I am running docker-compose rootless. I had read that it is not a good idea to run docker with sudo, so I followed the official instructions on adding user group etc.
  2. I actually run the command docker-compose up --build not just docker compose up
  3. I am on Ubuntu 20.04
  4. The username is the same for both
    ~$ grep /etc/group -e "docker"
    docker:x:999:username
    ~$ grep /etc/group -e "sudo"
    sudo:x:27:username
    
  5. Tried using PUID and PGID environment variables... but still the same issue. Current docker-compose file -
    version: "3.3"
    services:
      python:
        working_dir: /data
        build:
          context: .
          dockerfile: Dockerfile
        volumes:
          - .:/data/
        environment:
          - PUID=1000
          - PGID=1000
    
jar
  • I'm not sure what the lock icon means. What are the permission bits of the output? (e.g. run `ls -l dummy.txt`) Also, are you running docker compose rootless? (did you call docker-compose with sudo) – petrucci4prez Feb 06 '21 at 19:56
  • I can't repro (macOS Catalina); the directory is created with mode 755 and the file within it with mode 644, owned by myself. – tripleee Feb 06 '21 at 20:22
  • (`chmod 777` on the directory seems vaguely idiotic but probably not unsafe in this context.) – tripleee Feb 06 '21 at 20:23
  • I also get exactly what @tripleee is seeing (arch linux with rootless docker) – petrucci4prez Feb 06 '21 at 20:26
  • If the primary goal of your application is to read and write host files, it will be much easier to run it directly on the host, not in Docker. This is doubly true if your application is in a widely available scripting language like Python. – David Maze Feb 06 '21 at 20:37
  • @petrucci4prez Yes, I am running it without sudo. I had read that it is not a good idea to run docker with sudo, so I followed the official instructions on adding user group etc. – jar Feb 07 '21 at 04:26
  • @tripleee I see what you mean. But I thought that since the directory is forming on the host giving it all permissions might work. Clearly that is not the case. – jar Feb 07 '21 at 04:27
  • @DavidMaze I understand. I cannot share the actual project with everyone here, so this is a contrived example. Moreover, the purpose of Docker is that people be able to use packages without installing them on their own. So I think whatever I am doing is just fine. It just needs some refining. – jar Feb 07 '21 at 04:29
  • @petrucci4prez I get the following on dummy.txt `-rw-r--r-- 1 root root 37 Feb 7 00:48 dummy.txt` – jar Feb 07 '21 at 04:38

2 Answers

It seems like the Docker group is different from your user group and you're misunderstanding the way Docker RUN works.

Here's what happens when you run Docker build:

  • You pull the python:buster images
  • You copy the contents of the current directory to the docker image
  • You set the Work directory to the existing data directory
  • You set the permissions of the data directory to 777
  • Finally, the CMD is set to indicate what program should run

When you do a docker-compose, the RUN command has no effect, because it's a Dockerfile instruction and not a runtime command. When your container runs, it writes the files with the user/group of the Docker command, which your user doesn't have permission to edit.

Sathyajith Bhat
  • My group output is - `~$ grep /etc/group -e "docker"` → `docker:x:999:username`, `~$ grep /etc/group -e "sudo"` → `sudo:x:27:username`. It is the same username for both – jar Feb 07 '21 at 04:47

A Docker container runs in an isolated environment, so the UID/GID to user name/group name mapping is not shared with the processes inside containers. You are facing two problems.

  1. The files created inside containers are owned by root:root (by default, or by a randomly chosen UID set by the image).
  2. The files are created with permission 644 or 755, which is not editable by the host user.

You could refer to images provided by linuxserver.io to learn how they solve the two problems, for example qBittorrent. They provide two environment variables, PUID and PGID, to solve problem 1, and a UMASK option to solve problem 2.

Below is the related implementation in their custom Ubuntu base image. You could use that as your image base as well.

The place where PUID and PGID are handled:

https://github.com/linuxserver/docker-baseimage-ubuntu/blob/b529d350b1/root/etc/cont-init.d/10-adduser

The place where UMASK is handled:

https://github.com/linuxserver/docker-baseimage-ubuntu/blob/b529d350b1438aa81e68a5d87eff39ade0f1c879/root/usr/bin/with-contenv#L2-L5

Personally, I'd prefer setting PUID and PGID to the ones in accord with the host (could get from id -u and id -g) and NOT touching UMASK unless absolutely necessary.

ttimasdf
  • I tried adding the PUID and PGID as environment variables to my docker-compose file and then running as usual with `docker-compose up --build` but unfortunately I get the same read-only file. Regarding that QBitTorrent thing you mentioned...it looks like they are using some sort of `init.d` file and based on this post https://stackoverflow.com/questions/26938684/docker-io-init-d-script-not-working-on-start-container I think it may not be possible to get it running without using some other software. I really didn't want to complicate things so much for such a seemingly simple task. – jar Feb 07 '21 at 06:32
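An added example (not the asker's demo.py and not linuxserver's init script) showing why setting `PUID=1000`/`PGID=1000` in docker-compose alone changes nothing: something inside the container has to act on those variables. Here the script itself does it: when it starts as root (the default in `python:buster`) it drops to that uid:gid before creating anything, so the files on the bind mount come out owned by the host user instead of root:root. The names `target_ids`, `drop_privileges` and `write_demo` are this example's own, and the temporary directory is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def target_ids(env=None):
    """Parse PUID/PGID; None if unset or invalid. PUID=0 is rejected because
    staying root is exactly what makes the bind-mounted files unwritable."""
    env = os.environ if env is None else env
    try:
        uid, gid = int(env["PUID"]), int(env["PGID"])
    except (KeyError, ValueError):
        return None
    return (uid, gid) if uid > 0 and gid >= 0 else None


def drop_privileges(uid, gid):
    """If running as root, switch to uid:gid. Order matters: supplementary
    groups, then gid, then uid, since after setuid() groups cannot change."""
    if os.geteuid() == 0:
        os.setgroups([gid])
        os.setgid(gid)
        os.setuid(uid)
    os.umask(0o022)  # dirs 755 / files 644: owner-writable, world-readable
    return os.geteuid(), os.getegid()


def write_demo(base=None):
    """Recreate the asker's demo and report who owns the result. base defaults
    to a constructed temp dir; in the container it would be the bind mount."""
    base = tempfile.mkdtemp(prefix="demo-") if base is None else base
    folder = Path(base) / "created_folder"
    folder.mkdir(parents=True, exist_ok=True)
    target = folder / "dummy.txt"
    target.write_text("Editable: written as the host user, not root\n")
    st = target.stat()
    return {
        "uid": st.st_uid,
        "gid": st.st_gid,
        "owner_writable": bool(st.st_mode & 0o200),
        "owned_by_process": st.st_uid == os.geteuid(),
    }


if __name__ == "__main__":
    ids = target_ids()
    if ids is not None:
        drop_privileges(*ids)  # must happen before any file is created
    print(write_demo("."))
```

The same result without touching the script is to add `user: "1000:1000"` to the compose service, so the container never runs as root at all.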