Linux file ACLs are not kept using Docker for new files/containers created by Docker daemon

I am trying to grant read permissions to group grafana-cloud to files under /var/lib/docker/containers:

#> ls  /var/lib/docker/containers/ | head -n1
0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4

#> setfacl -Rdm g:grafana-agent:rx /var/lib/docker/containers
#> setfacl -Rm g:grafana-agent:rx /var/lib/docker/containers

Executing this snippet grants permissions to all the files and folders that already exist.

#> getfacl /var/lib/docker/containers/0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/0515ccad974eb0e4577c7b35a0c517ab889db95d996e6188e9d0377cfa2265d4
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

If I create a new file or folder inside /var/lib/docker/containers, the ACLs are correctly kept:

#> mkdir /var/lib/docker/containers/foo
#> getfacl /var/lib/docker/containers/foo
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/foo
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

The problem comes when a new container is created, where the ACLs seem not to be applied as I'm expecting:

#> docker run -d busybox
70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
#> getfacl /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
# owner: root
# group: root
user::rwx
group::---
group:grafana-agent:r-x     #effective:---
mask::---
other::---
default:user::rwx
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

#> su - grafana-agent -c "ls /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/"
ls: cannot open directory '/var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/': Permission denied

If I now run the setfacl command again, the ACLs are applied to the new container's file tree and the user can read the files:

#> setfacl -Rm g:grafana-agent:rx /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/
#> su - grafana-agent -c "ls /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8/"
70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8-json.log  checkpoints  config.v2.json  hostconfig.json  hostname  hosts  mounts  resolv.conf  resolv.conf.hash
#> getfacl /var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/containers/70216a6debce117563d2273da01a1219edc9e1357864cde5026076548b7169e8
# owner: root
# group: root
user::rwx
user:grafana-agent:r-x
group::---
group:grafana-agent:r-x
mask::r-x
other::---
default:user::rwx
default:user:grafana-agent:r-x
default:group::---
default:group:grafana-agent:r-x
default:mask::r-x
default:other::---

Is there something wrong with my process? It seems the ACLs are not applied in the first place, as we can read #effective:--- next to the grafana-agent user, but I could not find any. I've tried granting the ACLs to the user instead of the group, with the same results.

Thank you.


ACLs only extend the standard POSIX permissions. The effective permission here is --- because the POSIX permissions for the group are --- and the (default) ACL mask is also ---.

You could instead do the following:

  1. Change the ownership of the directory: e.g. chown root:grafana-agent /var/lib/docker/containers
  2. Set its permissions with the s bit such that all new files (and directories) created inside will belong to the same group which is the owner of the directory: e.g. chmod g+rs /var/lib/docker/containers

You may need to change the group permissions for /var/lib/docker too: chmod o+x /var/lib/docker (this will allow every "other" user to list files in the directory and thus to access the containers subfolder)
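A model of the kernel's rules, added here as an illustration and not code from the question or the answer: it reimplements in Python how a parent's default ACL is copied onto a new directory and then clamped by the creation mode (the create and chmod paths of fs/posix_acl.c), and how `setfacl -m` recomputes the mask entry. The ACL entries are taken from the getfacl output in the question; the creation mode 0700 for the container directory is an assumption inferred from that output (group and other bits clear), not something the page states about Docker.

```python
"""Model of POSIX ACL inheritance and mask handling on Linux.

Reimplements, for illustration only, the rules the kernel applies when a
file is created under a directory that carries a default ACL and when the
mode of a file with an ACL is changed (fs/posix_acl.c). Nothing here talks
to a real filesystem; it only explains the getfacl output in the question.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # rwx bits of one permission triplet


def _rwx(perms: int) -> str:
    return "".join(c if perms & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


@dataclass
class AclEntry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # "" for user::, group::, mask:: and other::
    perms: int


@dataclass
class Acl:
    entries: list

    def _find(self, tag, qualifier=""):
        return next((e for e in self.entries if e.tag == tag and e.qualifier == qualifier), None)

    def mask(self):
        m = self._find("mask")
        return None if m is None else m.perms

    def effective(self, tag, qualifier=""):
        """What an entry really grants: named users, named groups and the
        owning group are ANDed with the mask; owner and other are not."""
        e = self._find(tag, qualifier)
        if e is None:
            return None
        masked = tag == "group" or (tag == "user" and qualifier != "")
        m = self.mask()
        return e.perms & m if masked and m is not None else e.perms

    def _apply_mode(self, mode, clamp):
        # The mode's owner/group/other triplets map onto user::, mask:: (or
        # group:: when there is no mask) and other::. On create the ACL is
        # ANDed with the mode; on chmod the mode overwrites those entries.
        u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
        for e in self.entries:
            if e.tag == "user" and e.qualifier == "":
                e.perms = e.perms & u if clamp else u
            elif e.tag == "other":
                e.perms = e.perms & o if clamp else o
        target = self._find("mask") or self._find("group")
        target.perms = target.perms & g if clamp else g

    @classmethod
    def from_default(cls, parent_default, mode):
        """New file under a directory with a default ACL: the default ACL is
        copied as the access ACL and clamped by the requested mode. The
        umask is not applied at all in this case."""
        acl = cls([AclEntry(e.tag, e.qualifier, e.perms) for e in parent_default.entries])
        acl._apply_mode(mode, clamp=True)
        return acl

    def chmod(self, mode):
        """chmod(2) on a file with an ACL rewrites the mask from the group bits."""
        self._apply_mode(mode, clamp=False)

    def modify(self, tag, qualifier, perms):
        """`setfacl -m`: add or update one entry, then recalculate the mask as
        the union of all group-class entries (setfacl does this unless -n)."""
        e = self._find(tag, qualifier)
        if e is None:
            idx = next(i for i, x in enumerate(self.entries) if x.tag in ("mask", "other"))
            self.entries.insert(idx, AclEntry(tag, qualifier, perms))
        else:
            e.perms = perms
        m = self._find("mask")
        if m is not None:
            m.perms = 0
            for x in self.entries:
                if x.tag == "group" or (x.tag == "user" and x.qualifier):
                    m.perms |= x.perms

    def render(self):
        """getfacl-style listing, including the #effective: annotation."""
        out = []
        for e in self.entries:
            line = f"{e.tag}:{e.qualifier}:{_rwx(e.perms)}"
            eff = self.effective(e.tag, e.qualifier)
            if eff != e.perms:
                line += f"\t#effective:{_rwx(eff)}"
            out.append(line)
        return "\n".join(out)


# Default ACL installed by `setfacl -Rdm g:grafana-agent:rx`, copied from the
# getfacl output in the question.
PARENT_DEFAULT = Acl([
    AclEntry("user", "", R | W | X),
    AclEntry("group", "", 0),
    AclEntry("group", "grafana-agent", R | X),
    AclEntry("mask", "", R | X),
    AclEntry("other", "", 0),
])


def shell_mkdir():
    """`mkdir foo` from a shell requests mode 0777, so nothing is clamped."""
    return Acl.from_default(PARENT_DEFAULT, 0o777)


def restrictive_mkdir():
    """A process creating the directory with mode 0700 (assumed here for the
    container directory) clamps the inherited mask to ---."""
    return Acl.from_default(PARENT_DEFAULT, 0o700)


def repaired():
    """`setfacl -Rm g:grafana-agent:rx` on the new tree rebuilds the mask."""
    acl = restrictive_mkdir()
    acl.modify("group", "grafana-agent", R | X)
    return acl


if __name__ == "__main__":
    for label, acl in (("shell mkdir", shell_mkdir()), ("0700 create", restrictive_mkdir()), ("after setfacl -m", repaired())):
        print(f"# {label}\n{acl.render()}\n")
```

The point the model makes explicit: the named entry `group:grafana-agent:r-x` is inherited intact in every case, and what changes is only the mask, which the creating process's mode (or a later chmod) rewrites from its group bits. Re-running `setfacl -m` works because setfacl recalculates the mask; a fix that survives container creation has to act after the directory exists (for example `setfacl -m m::rx` on it) or make the creating process request group bits in the first place. For the same reason a setgid group directory on its own is not enough in this model: a 0700 create leaves the group triplet at --- whichever group ends up owning the new directory.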