
Allow to set ACLs #530

Closed
JohannesWiesner opened this issue May 2, 2023 · 5 comments

Comments

@JohannesWiesner

In my institution, we don't have root rights on our machines. This leads to the situation that one cannot manipulate or delete files that were created by the "internal" docker users. One solution to avoid this is to use the --user option by passing the host user's id and group id to the container (see these old fmriprep docs for more information). This solution however comes with various issues.

  • You don't have a home directory when using this option and I am not sure if nipype likes this (and I guess nipype is a major reason for people using neurodocker in the first place)
  • When miniconda is installed, it is currently not possible to have an already activated conda environment at container startup. This would require a bash script that is called and activates the environment at startup. See here

Another solution that I tried out is to not use the --user option but instead to use the acl package and set full permissions for other users on all necessary folders.

Example:

Currently, you cannot set the ACLs within the Dockerfile, so we have to use a workaround derived from this thread: create a bash script (e.g. setfacl.sh) that is called at startup using the CMD command. This script will set full permissions to other users (which includes the host user) on the directories of choice. The -d option enables inheritance so the permission rules also apply to future directories and folders. Make sure that the container keeps running after the ACLs have been set by adding /usr/bin/env bash at the end:

```bash
#!/bin/bash

# Sets access control lists on folders inside the docker container. Allow other users to have full permissions.
# "o::rwx" is the access entry applied to the directories and their existing contents;
# "d:o::rwx" is the matching default entry so files and folders created later inherit it.
# (The original used -Rdm, which writes only the default entry and leaves existing files untouched.)
setfacl -Rm o::rwx,d:o::rwx /code /data /cache /output

# We want the container to keep running after setting the ACLs, so hand over to an interactive shell.
exec /usr/bin/env bash
```

And this would be the Dockerfile:

```dockerfile
# Fragment: goes below the FROM line. The base image must provide the acl package (setfacl).
RUN mkdir -p /code /data /cache /output
COPY setfacl.sh /tmp/setfacl.sh
# Make sure the script is executable regardless of the mode it had in the build context.
RUN chmod +x /tmp/setfacl.sh
CMD ["/tmp/setfacl.sh"]
```

Problem: The acl package is only available with newer Linux distros. Right now I have to create my own Dockerfiles because I need SPM, and the installation of newer distros + SPM is currently not possible with neurodocker.
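The setfacl workaround above grants rwx to every "other" user, which on a bind-mounted volume means every account on the host, and it also sets the execute bit on every file. The script below is an added example (not from the issue or the neurodocker project) that applies the same idea with a narrower grant: it takes the host uid and gid from the hypothetical HOST_UID and HOST_GID environment variables (passed with docker run -e HOST_UID="$(id -u)" -e HOST_GID="$(id -g)"), writes access and default (inherited) ACL entries for that user only, validates the ids before handing them to setfacl, and then execs the container command. It assumes the image ships the acl package and that the file is saved as entrypoint.sh; DRY_RUN=1 prints the setfacl command lines instead of running them so the logic can be checked on a filesystem without ACL support.

```shell
#!/bin/sh
# Added example, not code from the issue: entrypoint that grants one host user
# access to the working directories via POSIX ACLs instead of o::rwx for everyone.
# Assumed inputs: HOST_UID / HOST_GID environment variables (numeric ids).

# Build the ACL spec for one uid/gid pair: access entries for existing files
# plus "default" (d:) entries so new files and directories inherit them.
acl_spec() {
    uid="$1"; gid="$2"
    printf '%s' "u:${uid}:rwx,g:${gid}:rwx,d:u:${uid}:rwx,d:g:${gid}:rwx"
}

# Accept only non-empty decimal numbers, so a stray user name or a value
# containing ':' or ',' can never alter the ACL spec passed to setfacl.
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Apply the spec recursively to each directory that exists. With DRY_RUN=1 the
# setfacl command lines are printed instead of executed.
apply_acls() {
    uid="$1"; gid="$2"; shift 2
    is_numeric "$uid" && is_numeric "$gid" || {
        echo "HOST_UID/HOST_GID must be numeric" >&2
        return 2
    }
    spec="$(acl_spec "$uid" "$gid")"
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "skipping missing directory: $dir" >&2; continue; }
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'setfacl -R -m %s %s\n' "$spec" "$dir"
        else
            setfacl -R -m "$spec" "$dir" || return 1
        fi
    done
}

# Entrypoint behaviour only when run as entrypoint.sh (not when the functions are sourced).
if [ "${0##*/}" = "entrypoint.sh" ]; then
    apply_acls "${HOST_UID:?set HOST_UID}" "${HOST_GID:?set HOST_GID}" /code /data /cache /output || exit 1
    # Keep the container alive: run the given command, or an interactive shell by default.
    [ $# -eq 0 ] && set -- /usr/bin/env bash
    exec "$@"
fi
```

Because the grant is to a specific uid rather than "other", a second account on the host cannot read or delete the outputs just by reaching the mounted directory, and the container still runs as root only for the duration of the ACL setup if you combine it with a later drop to --user.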

@kaczmarj kaczmarj added the SPM label Aug 4, 2023
@kaczmarj
Collaborator

kaczmarj commented Aug 4, 2023

i think i understand. would a potential solution be to use --user with the host user id and group id, mount the user's home directory, and also mount /etc/passwd so the user info is available? that doesn't solve the miniconda issue though.

@JohannesWiesner
Author

> You don't have a home directory when using this option and I am not sure if nipype likes this (and I guess nipype is a major reason for people using neurodocker in the first place)

Right now, we are indeed solving the issue by using the --user flag and then setting ENV HOME=/tmp (see this link). Not sure if this "solves" the first issue but it works! Nipype now treats /tmp as $HOME and therefore has a directory where it can write stuff into!

> When miniconda is installed, it is currently not possible to have an already activated conda environment at container startup. This would require a bash script that is called and activates the environment at startup. See #506 (comment)

I think the whole conda problem can be quite easily solved by baking everything that conda init does into the Dockerfile (which boils down to a list of environment variables that need to be hardcoded into the Dockerfile). See this link:

conda/conda#12858 (comment)

Credits to @travishathaway!

@JohannesWiesner
Author

Note that setting ACLs via an entrypoint also works (it's just two ways of fixing the same issues that come with the --user flag). But as already mentioned, this requires a more recent base image.

@github-actions

github-actions bot commented Oct 8, 2023

This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Oct 8, 2023

github-actions bot commented Dec 7, 2023

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Dec 7, 2023