Permissions

Now you may have noticed that the setup I have achieved so far is not good for a multi-user environment; I’ll come back to that later. First I want to talk about cloud9's dot-folder.

When starting a container on a path, the cloud9 application creates a hidden .c9 folder to store its setup, among other things. That’s standard behaviour for an IDE, no problem here. But this folder has root:root permissions, and the same will apply to all the new folders/files you create in that workspace.

Docker 1.10 comes with a new feature called “User Namespace” which will help us get things right!

First try: I enabled the feature in the docker daemon configuration file and restarted the service:

$ cat /etc/default/docker
DOCKER_OPTS="${DOCKER_OPTS} --userns-remap=default"

The first noticeable thing here is that all previously pulled images are missing: they’ve disappeared from the image listing. OK, so what I understood here is that the images are namespaced too, and we can confirm this by toggling the feature on and off and noting that the behaviour is consistent.

Never mind. Let’s start our c9 command and check out the new files and folders created:

$ ls -l
total 32
drwxrwxrwx 4 fronton fronton 4096 Feb 23 08:51 ./
drwxrwxr-x 11 fronton fronton 4096 Feb 23 04:20 ../
drwxr-xr-x 3 110000 110000 4096 Feb 23 01:45 .c9/
-rw-rw-r-- 1 fronton fronton 971 Feb 23 08:51 Dockerfile
drwxrwxr-x 8 fronton fronton 4096 Feb 23 09:44 .git/
-rw-rw-r-- 1 fronton fronton 4 Feb 23 02:05 .gitignore
-rw-rw-r-- 1 fronton fronton 974 Feb 23 04:18 sourceme
-rw-rw-r-- 1 fronton fronton 202 Feb 22 22:37 supervisord.conf

Well… the good thing is that it’s not a privileged user anymore: it will protect us from a user picking “/” as the workspace and deleting the whole host. But we have a fancy uid:gid with a very high value, which is unknown to the server and doesn’t have write access to our workspaces.

RTFM

As usual I ended up reading the whole documentation about this feature, and understood how the mapping is done and how to tune it.

Second try: I mapped 1:1 onto my real uid/gid.

#=== before
$ cat /etc/default/docker
DOCKER_OPTS="${DOCKER_OPTS} --userns-remap=default"
$ grep fronton /etc/subuid /etc/subgid
fronton:110000:65536
fronton:110000:65536

#=== after
$ cat /etc/default/docker
DOCKER_OPTS="${DOCKER_OPTS} --userns-remap=fronton"
$ grep fronton /etc/subuid /etc/subgid
fronton:1006:1006
fronton:1006:1006

Restart the docker service, start my c9 command… and voilà:
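To predict what that ls will show, here is an added example (not code from the original post) that models the uid arithmetic of --userns-remap for the “before” and “after” mappings above; the subuid lines are the ones quoted in the post, while the host uid 1006 for fronton is an assumption.

```python
# Added example, not from the original post: model the uid arithmetic behind
# --userns-remap so the two ls results in the post can be predicted. Lines
# marked "from the post" are copied from it; the host uid 1006 for fronton is
# an assumption consistent with the post's "after" mapping.
OVERFLOW_ID = 65534  # what an unmapped id shows up as (the kernel's "nobody")

def parse_subid(lines):
    """Parse /etc/subuid or /etc/subgid 'name:start:count' lines into {name: (start, count)}.

    Also accepts the 'path:name:start:count' form that grep prints for several files.
    """
    table = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.rsplit(":", 2)
        table[name.split(":")[-1]] = (int(start), int(count))
    return table

def container_to_host(container_id, start, count):
    """Host uid/gid that container id `container_id` really is, or None if unmapped."""
    return start + container_id if 0 <= container_id < count else None

def host_to_container(host_id, start, count):
    """How a host-owned file's id appears inside the container (nobody if outside the range)."""
    return host_id - start if start <= host_id < start + count else OVERFLOW_ID

# Setup 1 (from the post): "fronton:110000:65536" while remapping to "default".
# Assumption: the remap user Docker created drew from this same range, since
# the post's ls shows .c9 owned by 110000.
BEFORE = parse_subid(["/etc/subuid:fronton:110000:65536"])["fronton"]
# Setup 2 (from the post): "fronton:1006:1006" with --userns-remap=fronton.
AFTER = parse_subid(["/etc/subuid:fronton:1006:1006"])["fronton"]
HOST_FRONTON = 1006  # assumption: host uid of the workspace owner

def c9_dir_owner(mapping):
    """cloud9 runs as root in the container, so .c9 is created by container uid 0."""
    return container_to_host(0, *mapping)

def workspace_owner_seen_in_container(mapping):
    """How the host user's own files (owner 1006) look to the container."""
    return host_to_container(HOST_FRONTON, *mapping)

if __name__ == "__main__":
    print(c9_dir_owner(BEFORE), workspace_owner_seen_in_container(BEFORE))  # 110000 65534
    print(c9_dir_owner(AFTER), workspace_owner_seen_in_container(AFTER))    # 1006 0
```

In the first setup the workspace owner is outside the mapped range, so container root sees those files as nobody and can only write where the directory is world-writable; in the second, container root and the host user are the same id.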