LSIO baseimage permissions and volumes

I’m having trouble understanding how to get the LSIO image volumes to mount and not give permissions errors.

Here are the steps to reproduce the problem I’m encountering.

  1. Create a directory on the host to use as a volume on the LSIO guest
    mkdir /var/local/dockertest
  2. Chown the directory to a UID that we want to use
    chown 3000:3000 /var/local/dockertest
  3. Run an LSIO image, in this case just the alpine base image
    docker run \
      --env PUID=3000 \
      --env PGID=3000 \
      --mount type=bind,src=/var/local/dockertest,dst=/config \ \

This should spawn a docker container, map the /var/local/dockertest directory on the host to the /config directory in the container, run uname and exit

When I run this though the container spawns and shows this output

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing... 
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing... 

          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by

To support LSIO projects visit:

User uid:    3000
User gid:    3000

chown: changing ownership of '/config': Operation not permitted
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 99-custom-files: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[cmd] uname exited 0
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Note the error
chown: changing ownership of '/config': Operation not permitted

This happens if I

  • chown /var/local/dockertest to root
  • chmod /var/local/dockertest to 777
  • remove --env PUID=3000 --env PGID=3000 from docker run

If I go into the container and look at the /config directory, it’s owned by nobody:nobody

The only thing that prevents this permission issue that I’ve found is if I don’t mount the volume. This works and doesn’t give the permission error.

docker run uname

How is this meant to work? How does one take advantage of the /config mountable volume and the PUID/PGID environment variables?

My goal is to be able to run an s6 managed process in the LSIO container as a UID of, say, 3000 and then have a directory on the host that’s also owned by UID 3000 and mount it to /config

Thanks in advance for any guidance on how I’m thinking about this wrong.

This is on Docker 20.10.5 on Ubuntu 20.04

Attempting this same sequence on an Ubuntu 18.04 installation running the same version of docker, Docker 20.10.5, does not reproduce the problem.

  • I’ve tried disabling Apparmor but that doesn’t resolve the issue
  • On both hosts I have /etc/subuid and /etc/subgid files created for isolating containers with a user namespace, which may be affecting things. I’ll explore this

I’ve discovered the cause of this issue. It was because I’d enabled user namespace remapping.

I had a file, /etc/docker/daemon.json, containing the string {"userns-remap": "default"}.

When I removed this the problem I described above went away.

Looks like the user model doesn’t work with Docker user namespace remapping
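The steps in the first post and the resolution above, as an added example that is not part of the original thread. With userns-remap enabled, container UID N is backed by host UID subuid_start + N of the remap user (dockremap for "default"), so a bind-mounted directory owned by host UID 3000, or by root, is not mapped into the container's user namespace at all: it shows up as nobody (the overflow id) and the chown that 10-adduser runs fails with "Operation not permitted". You do not have to turn remapping off; chown the host directory to the remapped id instead. The script below computes that id from daemon.json and /etc/subuid and /etc/subgid. It is my code, not LSIO's or Docker's; the daemon.json and subuid/subgid contents in it are constructed samples, and it assumes the standard name:start:count format of those files.

```shell
#!/bin/sh
# Added example, not from the original thread: map a container PUID/PGID to the
# host UID/GID it becomes under Docker userns-remap, so the host side of the
# /config bind mount can be chowned to an owner the container is permitted to use.
# Assumptions (not from the page): "default" remap user is dockremap, and
# /etc/subuid and /etc/subgid use the name:start:count format.

# remap_user DAEMON_JSON_TEXT
# Prints the remap user named in daemon.json ("default" -> dockremap),
# or nothing when userns-remap is not configured.
remap_user() {
    user=$(printf '%s\n' "$1" |
        sed -n 's/.*"userns-remap"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    if [ "$user" = "default" ]; then
        user=dockremap
    fi
    printf '%s\n' "$user"
}

# remapped_id NAME ID SUBID_TEXT
# Prints the host id that container id ID maps to for remap user NAME, given
# the text of /etc/subuid or /etc/subgid. Exits 1 if NAME has no entry and
# 2 if ID lies outside the subordinate range (the PUID would be unmapped).
remapped_id() {
    printf '%s\n' "$3" | awk -F: -v n="$1" -v id="$2" '
        $1 == n { start = $2; count = $3; found = 1 }
        END {
            if (!found) exit 1
            if (id < 0 || id >= count) exit 2
            printf "%d\n", start + id
        }'
}

# host_owner PUID PGID DAEMON_JSON_TEXT SUBUID_TEXT SUBGID_TEXT
# Prints "uid:gid" to chown the host directory to. Without remapping the
# container ids are used as they are; with remapping they are translated.
host_owner() {
    puid=$1; pgid=$2
    user=$(remap_user "$3")
    if [ -z "$user" ]; then
        printf '%s:%s\n' "$puid" "$pgid"
        return 0
    fi
    huid=$(remapped_id "$user" "$puid" "$4") || return 1
    hgid=$(remapped_id "$user" "$pgid" "$5") || return 1
    printf '%s:%s\n' "$huid" "$hgid"
}

# Constructed sample inputs (not taken from a real host): the daemon.json from
# the thread, and subordinate ranges that give dockremap 65536 ids from 165536.
SAMPLE_DAEMON_JSON='{"userns-remap": "default"}'
SAMPLE_SUBUID='alice:100000:65536
dockremap:165536:65536'
SAMPLE_SUBGID='alice:100000:65536
dockremap:165536:65536'

# Run with --run [PUID] [PGID] on the Docker host to print the chown to apply
# to /var/local/dockertest before starting the container with the same PUID/PGID.
if [ "${1:-}" = "--run" ]; then
    daemon=$(cat /etc/docker/daemon.json 2>/dev/null || true)
    owner=$(host_owner "${2:-3000}" "${3:-3000}" "$daemon" \
        "$(cat /etc/subuid)" "$(cat /etc/subgid)") || {
        echo "PUID/PGID is not inside the remap user's subordinate range" >&2
        exit 1
    }
    echo "chown $owner /var/local/dockertest"
fi
```

With the sample files, PUID 3000 becomes host UID 168536 (165536 + 3000); after `chown 168536:168536 /var/local/dockertest` the container's 10-adduser chown succeeds because that host id is now inside its namespace. The range check matters: a PUID at or above the count in /etc/subuid has no host id at all and would hit the same nobody/EPERM symptom even after remapping is understood.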