-
Notifications
You must be signed in to change notification settings - Fork 121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
VirtioFS is not handling permissions as expected. All mount permissions are owned by root regardless of chown. #6243
Comments
Tested on 4.7.0 (76176), issue still persists |
@spurin thanks, we are investigating. |
Thanks @fredericdalleau I very much appreciate you taking the time to respond to this. The environment that I noticed the issue with is open sourced under https://github.com/spurin/diveintoansible-lab Essentially it provides a nice lab environment allowing those learning Ansible (and Linux in general), to have six vm like containers (ubuntu and centos) and an Ansible control host alongside web terminals and sshd. I opted for bind mounted directories that correspond to the 'ansible' and 'root' users to cater for those new to unix who at this point, may struggle with the likes of vim or other areas (the course is aimed from a beginner up with no prior knowledge). With this, all of the user directories are also easily accessible on the host system should they need them. It the user does have difficulties, they can use a local editor on their system and/or easily copy/save the work they may have done during the course. If you were curious, you can quickly try the environment on Google Cloud Shell using a standard google id - |
I'm experiencing this in particular with postgres images where I mount a data dir from host into /var/lib/postgresql/data - the mounted directory gets root ownership, which I can't change. Changing the user in docker-compose.yml does alter the permissions but I still get a lot of permissions errors when trying to write to the database, either by creating databases or inserting data. I'll try to create a replicable docker-compose.yml Edit: I can't replicate this with a brand new container. Going to try trashing the offending container in my broken project and seeing if that fixes it. |
Ah I was just over-thinking it. Given this docker-compose.yml:
Running
Presumably because it's trying to do bootstrapping in the postgres container with directories owned by root. If I change my docker-compose.yml to add a user, I get a different error message:
Sorry @spurin for crashing into your issue but I think we're experiencing symptoms of the same problem. |
I think I have the same issue, only this happens with mysql. My compose file looks like this:
My console log:
Here is my uploaded diagnostics id: |
No problem by the way @jaspertandy - I welcome your input. We're all in the same boat with this issue 🙂 |
I also have this issue. Will upload. |
I also have the issue with MariaDB. Took so long to find that the cause was VirtioFS!
|
Yep, looks like the same issue. Had a look at the Dockerfile for this version of Mariadb and my guess it's also expecting specific user ownership as per the line here - |
You can work it around, by adding the following operator to the mysqld command: |
Thanks for sharing this workaround for MySQL/MariaDB! The underline issue of virtiofs not handling permissions as expected is the main context of the issue I raised. Hopefully when resolved this will resolve the issue I've encountered as well as avoid the need for workarounds or changes to container images like you've had to do 👍 |
Hi everyone, I don't know if my issue is the same as yours but I'm encountering a denied permission when using VirtioFS with Docker Desktop 4.6.1 on my macbook M1 pro (version 12.3) and the image node:17.3. If I try to run
If I disable VirtioFS, I no longer get he error and the command installs the project correctly. If I enable VirtioFS again, the error reappears. Nevertheless, my file system seems to be correct inside the container because all the files in |
I'm pretty sure the issue @collettemathieu mentions is related. I'm experiencing the same issue when running www-data@060a93ffd570:/app$ composer require --dev symfony/phpunit-bridge
Info from https://repo.packagist.org: #StandWithUkraine
Using version ^6.0 for symfony/phpunit-bridge
./composer.json has been updated
Running composer update symfony/phpunit-bridge
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
- Downloading symfony/phpunit-bridge (v6.0.7)
- Installing symfony/phpunit-bridge (v6.0.7): Extracting archive
Install of symfony/phpunit-bridge failed
[RuntimeException]
Failed to extract symfony/phpunit-bridge: (1) '/usr/bin/unzip' -qq '/app/vendor/composer/tmp-8fdfcfea164ee5d9806960b8de20a89f' -d '/app/vendor/composer/aa9c3df7'
warning: cannot set modif./access times for /app/vendor/composer/aa9c3df7/symfony-phpunit-bridge-924f44f/Legacy/
Operation not permitted
warning: cannot set permissions for /app/vendor/composer/aa9c3df7/symfony-phpunit-bridge-924f44f/Legacy/
Operation not permitted
warning: set times/attribs failed for /app/vendor/composer/aa9c3df7/symfony-phpunit-bridge-924f44f/Legacy/
warning: cannot set modif./access times for /app/vendor/composer/aa9c3df7/symfony-phpunit-bridge-924f44f/
Operation not permitted
warning: cannot set permissions for /app/vendor/composer/aa9c3df7/symfony-phpunit-bridge-924f44f/
Operation not permitted
warning: set times/attribs failed for /app/vendor/composer/aa9c3df7/symfony-phpunit-bridge-924f44f/ |
I'm seeing the same error while building an internal CMake project. Problem went away if the virtiofs is disabled. As leonboot mentioned, the problem only happens when using a non-root user in the container.
|
This thread is about issues with VirtioFS. Of course disabling it solves the problem... |
Also have this problem with mariadb and percona images. |
Had some luck running mysql with a different data folder for mysql and using a different socket. Though setting it in my.cnf instead of running mysql with an argument. Specific lines in my.cnf:
Specific lines in docker-compose.yml:
|
I am seeing what I believe to be the same issue on Docker 4.6.1 on an Intel MBP 16. This always manifests as a permissions issue (e.g., EACCESS). However, I am seeing this not on bind mount volumes, but on named volumes. This is happening in two different contexts.
This all seems to have started late last week. It has gotten worse of the weekend and is no unbearable. |
I am also seeing the Issue described here on Docker Desktop for Mac 4.7. I am running a Postgres DB and with virtiofs disabled it comes up ok, as soon as i enable virtiofs i get permission errors of the ownership of
setup
|
Same here with Postgres |
Any further thoughts on this? If there's been any progression in the development releases I'll happily test. Thanks |
Also ran into what appears to be the same issue this morning, would love any workarounds or suggestions people have |
Note: after some investigation, as a workaround i was able to use I have no idea why this would have worked when the Postgres image already tries to do |
Here's another reproduction:
This works fine with gRPC FUSE but not with VirtioFS 😞 |
Since VirtioFS is enabled by default on macOS 12.5 and above: This issue still persists. E.g. it also does not work with my JupyterLab docker stacks: mkdir jupyterlab-benz0li docker run -it --rm -u root -p 8888:8888 -v "${PWD}/jupyterlab-benz0li":/home/benz0li -e NB_USER=benz0li glcr.b-data.ch/jupyterlab/julia/base:1.9.2
Works fine with gRPC FUSE. |
Inside the container; after
Test: Use Inside the container; after
P.S.: Inside the container; executing |
yeah, no idea why they pushed it as default when this permission issue still persists and now will become even more of a problem for people.. |
Just use orbstack if you on apple silicon, its super fast, I waited for these fixes for so long... |
@TargiX Docker Desktop is just fine and for this issue there is a workaround. I already use the following alternatives:
ℹ️ Both use QEMU in the background. I have no need for an additional tool. |
Agreed, this is going to break alot of people once they upgrade. I just upgraded to the latest version and the VirtioFS issue broke one of my container startups with the permission error. It was a PostgreSQL container. Using grpcFuse works just fine and was what I was using because I tried to switch to the VirtioFS before and ran into the same issue. I reverted back to |
This is a small repo that hits this issue.... echo "Hello Everyone" >> example.txt
sed -i -e "s/Everyone/World/g" example.txt Under VirtioFS line 2 generates the permission issue Error reported, when run under VirtioFS, is....
|
I can confirm, when doing this on a mounted location it gives the error, when running on a non-mounted location it runs fine. |
This same issue is behind the problem using
Works fine if I switch to gRPC, but fails when using VirtioFS. If I use The fact that VirtioFS is now the default for new installs is making this problem more common. |
I updated to 4.24.0 and though it solved some problems with Rosetta, this VirtioFS problem is still there. It only happens using a container with a shared volume. Using an internal volume is ok. |
This is still happening for Docker Desktop for Mac version 4.27.1 (136059). In my case even gRPC FUSE is not working.
One-line test case, running from macOS host with either VirtioFS or gRPC FUSE:
If I change the file sharing implementation to
Notice that We noticed this issue become more pronounced with our recent upgrade to Debian Bookworm, which has the new Git security features that others have mentioned in this thread which enforce consistent ownership throughout the repo. |
Re-tested this, works now in v4.28.0. |
Re-tested #6243 (comment) with Container startup time:
Thank you guys! |
Sorry...I'm not seeing this as fixed. I've re-run my repro from above. i.e....
... and I still see the same permissions error on a mounted drive (and works fine otherwise). I'm running Docker Desktop v4.29.0 using VirtioFS on MacOS (Intel) |
Hello! I'm still also encountering this issue. (We are defaulting to gRPC fuse for now). Our problem is that we have some containers that use Supervisord and are unable to start due to their inability to create their socket file. Not using Virtio FS solves it, but we prefer to use it due to it's speed. Did anyone manage to fix this yet? Update: |
I'm sorry, but this issue is still not fixed in my opinion. My test case from #6243 (comment) still fails for VirtioFS and gRPC FUSE. It still only works for osxfs. This is tested (again) on Docker Desktop 4.29.0 (145265) for Mac. Our organization has a Docker Business account, so I contacted Docker support about this issue. As a starting point, I specifically asked for what the expected behavior of my test case should be based on documented/expected behavior of Docker Desktop. This was the best I could get, after a month of back-and-forth:
This still leaves me just as confused as before. This is frustrating, because even basic Git commands will fail security checks when using a Git repo that has been mounted in the manner shown in my test case. One would think that Docker Desktop could work with a mounted Git repo out-of-the-box without hacking up the default configuration of either product, but it is simply no longer the case. We do not want to have to hack around with Git security settings to work around this shortcoming. And as many others have noted on this GitHub issue, it seems a lot of other software is sensitive to this issue as well. For now, we (unfortunately) feel we must continue using osxfs, since the other options are simply broken when it comes to permissions handling. Our organization is large enough such that we have a large & uncountable number of containers/images, shell scripts, etc. that mount & use Git repos, and they all broke with the new Debian version that has the new Git version with the new security checks on repo file ownership. |
I'd be interested in knowing if your test case also fails if using OrbStack instead of Docker Desktop. OrbStack also uses VirtioFS but all of our problems went away when we switched to it. If this is also the case with your test then that's more evidence that this is a Docker Desktop issue and not something inherent with VirtioFS. |
Had the same experience as @mike-potter. While I had always file permission related problems with gRPC Fuse and VirtioFS in Docker Desktop, OrbStack worked flawlessly for me. |
When can we expect this to be fixed? Running |
Expected behavior
Have encountered an issue in VirtioFS. Docker Desktop for Mac should handle bind mounted file permissions as you would expect on a generic Linux distribution. If a bind mount is chown'd to a specific user, it should be visible as being owned by the target user in question.
As an example. If you execute the following with or without the new virtualisation framework and VirtioFS disabled -
The userid of testuser is as expected for the directory ownership.
Actual behavior
If VirtioFS is enabled and Docker Desktop is restarted, and then, the attempt is re-issued, the permissions for that directory are incorrectly owned by root -
For the projects I manage, I make extensive use of users and volumes and at present, this renders the environment unusable owing to the individual userid's having incorrect permissions.
Information
Output of
/Applications/Docker.app/Contents/MacOS/com.docker.diagnose check
Steps to reproduce the behavior
The text was updated successfully, but these errors were encountered: