Mismatched host/container volume ownership

I am installing Conjur Enterprise 12.9 onto RHEL 8 with Docker. The server is provisioned for me by the server admins, with Docker installed and configured.

When I deploy the container (with :Z for SELinux) after manually creating the folders to be used for the container volumes, as described in the Conjur install documentation, everything appears to work as expected. However, when I try to copy files into the container I get an error “Error response from deamon: container ID cannot be mapped to Host ID”. I compared folder permissions and ownership for the mount locations. The host folder owner is root:root as expected, but the container owner shows nobody:nogroup…

I then remove the container from Docker and remove all Conjur-related mount folders from the host. This time I redeploy the Conjur container without manually creating the host folders for the volumes and let Docker do the work. This time everything appears to work properly. I can copy files into the mounted volumes in the container and can see them in the corresponding folder on the host. However, I did notice that the host owner:group shows up as random numbers like 231081:231081… There is no user or group name/UID/GID with those numbers on the host or in the container.

After some digging, I noticed that the server admins build the Docker environment with a custom root directory, /var/lib/docker/231081.231081, which matches exactly the owner/group 231081:231081 of the Conjur volume folders on the host. If I chown to root:root on the host, the container owner changes to nobody:nogroup and “docker cp” no longer works.

So, my question really is: will Conjur Enterprise images/containers work properly with custom Docker root directories?

After additional digging, I now realize this is due to the user namespace configuration.

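The ownership behaviour described in the post follows from Docker's user-namespace remapping: container UIDs are offset into a subordinate range on the host, and host UIDs outside that range (such as real root) have no identity in the container and appear as nobody. The script below is an added illustration, not Conjur's or Docker's own code; it assumes an /etc/subuid-style mapping for a hypothetical remap user "dockremap" with the base 231081 taken from the post, and constructs that mapping inline.

```shell
#!/usr/bin/env bash
# Added example: reason about Docker userns-remap ownership for bind-mounted
# volumes. The mapping line below is constructed; "dockremap" is an assumed
# remap user name, 231081 is the base seen in the post.
SUBUID_LINE="dockremap:231081:65536"

# container_to_host_uid CONTAINER_UID MAPPING
# Prints the host UID a container UID maps to, or "unmapped" when the
# UID lies outside the subordinate range.
container_to_host_uid() {
  local cuid=$1 mapping=$2 base size
  base=$(printf '%s' "$mapping" | cut -d: -f2)
  size=$(printf '%s' "$mapping" | cut -d: -f3)
  if [ "$cuid" -ge 0 ] && [ "$cuid" -lt "$size" ]; then
    echo $((base + cuid))
  else
    echo unmapped
  fi
}

# host_to_container_uid HOST_UID MAPPING
# Reverse direction: a host UID outside the range (e.g. real root, 0)
# has no identity inside the namespace and shows up as nobody (65534),
# which is exactly the root:root -> nobody:nogroup symptom in the post.
host_to_container_uid() {
  local huid=$1 mapping=$2 base size
  base=$(printf '%s' "$mapping" | cut -d: -f2)
  size=$(printf '%s' "$mapping" | cut -d: -f3)
  if [ "$huid" -ge "$base" ] && [ "$huid" -lt $((base + size)) ]; then
    echo $((huid - base))
  else
    echo 65534
  fi
}

# remap_base_from_root_dir DIR
# With userns-remap, dockerd uses a data root named <uid>.<gid> under
# /var/lib/docker; extract the uid so volume ownership can be checked.
remap_base_from_root_dir() {
  basename "$1" | cut -d. -f1
}

# volume_owner_ok DIR EXPECTED_UID
# Returns 0 when the host volume directory is owned by the remapped root
# (the owner a container running as root can actually write to).
volume_owner_ok() {
  [ "$(ls -nd "$1" | awk '{print $3}')" = "$2" ]
}
```

Run it as `volume_owner_ok /path/to/volume "$(remap_base_from_root_dir /var/lib/docker/231081.231081)"` to confirm a pre-created host folder has the ownership the remapped container expects before deploying.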