Files Written to Mounted Host Directory Owned by Root User

[osterman]

what

• The user's shell inside Geodesic runs as root
• The script that launches Geodesic bind-mounts the host user's $HOME to /localhost to provide access to configuration files and allow for editing of host files
• Depending on the way Docker is set up, it is possible that files created under /localhost from within Geodesic will be set to the same owner UID and GID (that is, owned by root) on the host as they have within Geodesic.
• This appears to affect users running the Docker daemon as root under Linux or Windows Subsystem for Linux (WSL). It does not affect Docker for Mac, nor does it affect Docker for Linux when run in "rootless" mode.

Resolution

The recommended solution for Linux users is to run Docker in "rootless" mode. In this mode, the Docker daemon runs as the host user (rather than as root) and files created by the root user in Geodesic are owned by the host user on the host. Not only does this configuration solve this issue, but it provides much better system security overall.

Geodesic, as of v0.151.0, provides an alternative solution: BindFS mapping of file owner and group IDs. To enable this solution in Geodesic v4.0.0 or later, either set the shell environment variable MAP_FILE_OWNERSHIP=true (can be set in launch-options.sh) or launch Geodesic with the command line option --map-file-ownership. (To enable this solution in Geodesic prior to version 4.0.0, either set (and export) the shell environment variable GEODESIC_HOST_BINDFS_ENABLED=true or launch Geodesic with the command line option --geodesic-host-bindfs-enabled.) When this option is enabled, Geodesic will output

# Enabling BindFS mapping of file system owner and group ID.

among its startup messages. Note that if you enable BindFS mapping while running in "rootless" mode, it will actually cause files on the host to be created with a different owner and group, not root and not the host user. If you see this behavior, do not use BindFS mapping.

[Nuru]

@osterman @sboardwell
I think we can use BindFS to solve this problem without risking the "works in my environment" problems that could come up if some users were running inside Geodesic as root and some were not.

It would require further customization of the launch script, so that on Linux we mount $HOME to /localhost.bindfs instead of /localhost and then inside Geodesic use BindFS to map /localhost.bindfs to /localhost with UID/GID mapping using --create-for-user and --create-for-group, but I think once we get that right, everything else falls into place, and it should not be as hard as supporting Windows was.

[drmikecrowe]

@Nuru @osterman

I'd like to propose this solution (please advise if this is universal enough):

1. We support Linux user 1000 (which appears to be the default uid for distributions).
2. If running linux, the wrapper script does DOCKER_ARGS+=(--user="$(id -u):$(id -g)")
3. The Dockerfile.alpine and Dockerfile.debian will include useradd/groupadd/sudo support for user 1000 performing root operations.
4. Major: We have to change the ownership inside the containers of /conf, /home and fix permissions of /var/tmp to allow usage by user 1000

Dockerfile additions:

RUN \
  groupadd -g 1000 geouser && \
  useradd -d /conf -G sudo -g geouser -u 1000 geouser && \
  sed -i 's/sudo[[:space:]]ALL=(ALL:ALL) ALL/sudo ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers && \
  chown -R 1000:1000 /conf /home && \
  chmod 777 /var/tmp

[Nuru]

@drmikecrowe wrote:

I'd like to propose this solution (please advise if this is universal enough):

1. We support Linux user 1000 (which appears to be the default uid for distributions).

...

@drmikecrowe If you would be willing, I would prefer you try the BindFS solution I proposed and let us know how that goes.

Steps:

1. Create a custom Geodesic image that includes the bindfs package.

2. In the wrapper, if running Linux:

• pass environment variables GEODESIC_HOST_UID="$(id -u)" and GEODESIC_HOST_GID="$(id -g)"
• mount $HOME to /localhost.bindfs instead of /localhost

3. Then, at the start of _workdir.sh:

• Check if env vars are set and file system is mounted on /localhost.bindfs and if so, set up bindfs to mirror it to /localhost with the desired owner and group:

if [[ -n $GEODESIC_HOST_UID ]] && [[ -n $GEODESIC_HOST_GID ]] && df -a | grep -q /localhost.bindfs; then
  bindfs --create-for-user="$GEODESIC_HOST_UID" --create-for-group="$GEODESIC_HOST_GID" /localhost.bindfs /localhost

• Fix file_on_host if needed. I can take care of that if you just get me the output of df -a on a system where the BindFS fix is active and working as we would like it to work.

My hope is that this will solve all the file ownership problems and not get hung up on whatever the host UID and GID are, while also not requiring any further changes to Geodesic.

[drmikecrowe]

@Nuru see this PR

I think this is what we want, but would appreciate any feedback

[Nuru]

@drmikecrowe OK, I have not been able to reproduce and fix the problem, so I need more information from you.

This is not an issue with Docker v20 on Ubuntu (tested on 20.04 LTS) when running in rootless mode. As with macOS, this configuration correctly translates file ownership between the root UID and GID inside the container to the user's UID and GID on the host.

When running Docker as root, and launching Geodesic using sudo geodesic, the geodesic wrapper does not get the user's UID and GID or home directory, so BindFS does not help and we do not get the right home directory mapped to /localhost anyway.

How are you launching Geodesic? Are you able to find the non-root user's UID, GID, and $HOME?