I finally got my head around user permissions when using Docker on a Linux host. It’s actually quite simple. This is a quick summary that helps you align permissions inside and outside of the container.
Understanding how user permissions work inside and outside of the container matters when you are mounting a host directory into the container as a volume (a bind mount) and you want to read and update the files from both inside and outside of the container.
Key point 1 — Linux users are defined by UID not username
On Linux, users are really defined by a numeric user ID (UID) and group ID (GID), but we tend to think in terms of the username instead. We can see this on any Linux system by looking at /etc/passwd:
> cat /etc/passwd
In that output the username bob has UID=1000 and GID=1000 (the third and fourth colon-separated fields of bob's line). The name bob is just an alias for these numbers; what really matters is the numbers.
Key point 2 — Check the Linux user inside the container
There is a particular user that runs the code inside the container. This may be defined in the Dockerfile with a USER <uid>:<gid> line.
But it can also be investigated while the container is running, by hopping onto the container and checking which user owns the mounted directory from inside the container.
For example, below I hop onto container 12345678. I have a directory mounted at /data inside the container. From the listing we can see that the owner of the mounted directory is called alf, and that alf has UID=1010 and GID=1010.
> docker exec -it 12345678 bash
# The following is now inside the docker container
# Check the ownership and permissions of the mounted directory (-a shows . and .., -F appends / to directories)
$ cd /data
$ ls -alF
drwxr-xr-x 2 alf alf 4096 Apr 5 2022 ./
drwxr-xr-x 27 alf alf 4096 Dec 1 00:30 ../
-rw-rw-r-- 1 alf alf 202 Apr 5 2022 file1.txt
-rw-rw-r-- 1 alf alf 209 Apr 5 2022 file2.txt
# Resolve the owner name to its numeric UID and GID
$ id alf
uid=1010(alf) gid=1010(alf) groups=1010(alf)
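To tie the two key points together, here is an added example (my own code, not part of the original post) that resolves names to numeric ids from passwd/group files, parses the ls listing shown above, and works out what the host user bob (UID 1000) can actually do with the files alf (UID 1010) created in the bind mount. The passwd and group contents, the listing, and the user names are all constructed to mirror the post; the docker_user_flag helper is my suggested remedy (running the container with docker run --user <uid>:<gid> so it writes files as the host user), not something the post prescribes.

```python
"""Added example: numeric ids, ls parsing and a Unix permission check for
files shared through a bind mount. All data below is constructed."""
import os
import tempfile
from dataclasses import dataclass

# Constructed passwd(5)/group(5) snippets; only name, uid and gid matter here.
HOST_PASSWD = "root:x:0:0:root:/root:/bin/bash\nbob:x:1000:1000:Bob:/home/bob:/bin/bash\n"
CONTAINER_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalf:x:1010:1010::/home/alf:/bin/bash\n"
CONTAINER_GROUP = "root:x:0:\nalf:x:1010:\n"

# Constructed listing, as `ls -alF` inside the container shows /data.
CONTAINER_LS = """\
drwxr-xr-x 2 alf alf 4096 Apr 5 2022 ./
drwxr-xr-x 27 alf alf 4096 Dec 1 00:30 ../
-rw-rw-r-- 1 alf alf 202 Apr 5 2022 file1.txt
-rw-rw-r-- 1 alf alf 209 Apr 5 2022 file2.txt
"""

BITS = {"r": 4, "w": 2, "x": 1}


def resolve_user(passwd_text, name):
    """Map a username to (uid, gid); passwd lines are name:pw:uid:gid:..."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == name:
            return int(f[2]), int(f[3])
    raise KeyError("no such user: " + name)


def resolve_group(group_text, name):
    """Map a group name to its gid; group lines are name:pw:gid:members"""
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[0] == name:
            return int(f[2])
    raise KeyError("no such group: " + name)


@dataclass(frozen=True)
class Entry:
    is_dir: bool
    mode: int      # permission bits only, e.g. 0o664
    owner: str
    group: str
    name: str


def parse_mode(text):
    """'rw-rw-r--' -> 0o664: each of the nine positions is one bit
    (s/t markers are simply treated as set, which is enough here)."""
    bits = 0
    for ch in text:
        bits = (bits << 1) | (0 if ch == "-" else 1)
    return bits


def parse_ls(output):
    """Parse `ls -l` style lines: mode links owner group size mon day time name.
    The trailing '/' that `ls -F` adds to directories is stripped."""
    entries = []
    for line in output.splitlines():
        parts = line.split(maxsplit=8)
        if len(parts) < 9:
            continue                      # skips 'total N' and blank lines
        is_dir = parts[0][0] == "d"
        name = parts[8].rstrip("/") if is_dir else parts[8]
        entries.append(Entry(is_dir, parse_mode(parts[0][1:10]), parts[2], parts[3], name))
    return entries


def can_access(entry, uid, gids, want, passwd_text, group_text):
    """Unix discretionary access check: root bypasses read/write; otherwise
    the owner class applies if uid matches, else the group class if any of
    the caller's gids matches, else the 'other' class."""
    if uid == 0:
        return want != "x" or entry.is_dir or bool(entry.mode & 0o111)
    owner_uid, _ = resolve_user(passwd_text, entry.owner)
    gid = resolve_group(group_text, entry.group)
    if uid == owner_uid:
        cls = (entry.mode >> 6) & 7
    elif gid in gids:
        cls = (entry.mode >> 3) & 7
    else:
        cls = entry.mode & 7
    return bool(cls & BITS[want])


def access_report(ls_output, uid, gids, passwd_text, group_text):
    """{name: (readable, writable)} for the given uid/gids. Owner and group
    names are resolved against the files of the side that produced the
    listing (the container here), because names are only aliases."""
    return {e.name: (can_access(e, uid, gids, "r", passwd_text, group_text),
                     can_access(e, uid, gids, "w", passwd_text, group_text))
            for e in parse_ls(ls_output)}


def docker_user_flag(host_passwd, name):
    """Suggested remedy (assumption, not from the post): start the container
    as the host user's numeric ids so files it writes into the bind mount
    belong to that host user. Returns the `docker run --user uid:gid` pair."""
    uid, gid = resolve_user(host_passwd, name)
    return ["--user", "%d:%d" % (uid, gid)]


def probe_owner_matches_current():
    """What the kernel stores is numeric: a freshly created file carries the
    creating process's uid/gid, regardless of what /etc/passwd calls them."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "probe")
        open(path, "w").close()
        st = os.stat(path)
        return (st.st_uid, st.st_gid) == (os.getuid(), os.getgid())


if __name__ == "__main__":
    bob_uid, bob_gid = resolve_user(HOST_PASSWD, "bob")
    for name, (r, w) in access_report(CONTAINER_LS, bob_uid, {bob_gid},
                                      CONTAINER_PASSWD, CONTAINER_GROUP).items():
        print("bob(1000) on %-9s read=%s write=%s" % (name, r, w))
    print("run the container with:", " ".join(docker_user_flag(HOST_PASSWD, "bob")))
    print("new file owned by current uid/gid:", probe_owner_matches_current())
```

The report shows the typical symptom: bob can read file1.txt and file2.txt (other class of rw-rw-r--) but cannot write them, and cannot create files in /data either (rwxr-xr-x owned by 1010:1010), because UID 1000 is neither the owner nor in group 1010. On the host, ls -l would show those same files as owned by the bare number 1010 (or by whatever host user happens to have UID 1010), which is the clearest reminder that only the numbers cross the container boundary. Starting the container with the --user pair the helper produces, or adding a user with matching UID/GID in the Dockerfile, makes the ids agree on both sides.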