Accessing files on Linux container from host sans root

Solution 1:

it says that vg-our-runner-0 does not exist, despite ls -ld saying otherwise

Well, those aren't the same thing. It is true that the group doesn't "exist" in /etc/group where usermod looks – it's a virtual group defined by systemd-machined. It is also true that the group "exists" when the getgrnam() or getgrgid() functions are called by ls – because they collect information from more places than just /etc/group.

The /etc/passwd and /etc/group files are not the only source of passwd & group information on Linux. When a program like ls -l tries to look up a group name or GID, multiple nsswitch modules can supply this information. (They're all listed in /etc/nsswitch.conf, and the 'libnss_files' module is what actually reads /etc/group.)

In particular, ls -l also asks the 'libnss_mymachines' module which is installed by systemd and provides information on the fly about currently running containers. It's also why the group suddenly stops being recognized when the container is stopped. (It's also why all vu-/vg- names stop being recognized whenever systemd-machined exits on idle...)

Fortunately, nsswitch has a special case for groups where it supports merging membership results from several modules; if you manually add this group to /etc/group, making sure to preserve its GID, then you will be able to add members to it.

So you could look up the GID using ls -ldn (e.g. 1164378112 in this case) and add a new line to /etc/group like this:

echo "vg-our-runner-0:x:1164378112:www-data" >> /etc/group

Now tools like id www-data or groups www-data (which collect group memberships through nsswitch) will report the new GID. It doesn't matter to the kernel where the group was defined – a GID is a GID.
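An added example, not from the answer above nor from systemd: a POSIX shell helper that records a machined-provided group in a group file with its GID preserved and adds a member to it, refusing if a line with the same name already carries a different GID. The file path is a parameter so it can be tried on a copy before touching /etc/group (as root); the group name, GID and user are the ones quoted in the answer and are assumed values here.

```shell
#!/bin/sh
# Added example: mirror a virtual (libnss_mymachines) group into a group
# file so nsswitch can merge its membership. GROUPFILE is a parameter;
# pass /etc/group for the real thing.

# Print the numeric GID owning a path (what "ls -ldn" shows), via GNU stat.
owner_gid() {
    stat -c '%g' "$1"
}

# members_of GROUPFILE GROUP -> comma-separated member list ('' if absent)
members_of() {
    { grep "^${2}:" "$1" || true; } | cut -d: -f4
}

# add_group_member GROUPFILE GROUP GID USER
# No existing line  -> append "GROUP:x:GID:USER", keeping the machined GID.
# Existing, same GID -> add USER to the member list (idempotent).
# Existing, other GID -> refuse, so two names never share/steal a GID.
add_group_member() {
    file=$1 group=$2 gid=$3 user=$4
    line=$(grep "^${group}:" "$file" || true)
    if [ -z "$line" ]; then
        printf '%s:x:%s:%s\n' "$group" "$gid" "$user" >> "$file"
        return 0
    fi
    existing_gid=$(printf '%s\n' "$line" | cut -d: -f3)
    if [ "$existing_gid" != "$gid" ]; then
        echo "refusing: $group already has GID $existing_gid, not $gid" >&2
        return 1
    fi
    members=$(printf '%s\n' "$line" | cut -d: -f4)
    case ",$members," in
        *",$user,"*) return 0 ;;          # already a member, nothing to do
    esac
    if [ -z "$members" ]; then new=$user; else new="$members,$user"; fi
    # Rewrite only the matching line; "cat >" keeps the file's inode/mode.
    tmp=$(mktemp)
    awk -F: -v OFS=: -v g="$group" -v m="$new" '$1==g {$4=m} {print}' \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

Afterwards `getent group vg-our-runner-0` and `id www-data` should both show the GID, and the nsswitch merge means the line keeps working even when the container is restarted under the same machine name.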