Container unable to access volume despite UID having access

General
1

Hi There

I am trying to use docker compose (as a learning exercise for myself) to run a Jellyfin container with 2 volumes for config and cache and a bind mount for the media.

My compose file is specifying that user should be 113:119 which is the UID/GID ownership of the folders where the volumes are configured

version: '3.5'
services:
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    user: 113:119
    network_mode: 'host'
    volumes:
      - /jftest-config:/config
      - /jftest-cache:/cache
      - type: bind
        source: ./jftest-m
        target: /media
        read_only: true

The folders involved in the volumes / bind mounts have the following permissions

user@host:~/jellyfin-compose$ ls -aln / | grep jftest
drwxr-xr-x   2  113  119       4096 Jun 29 21:36 jftest-cache
drwxr-xr-x   2  113  119       4096 Jun 29 21:36 jftest-config

The container is running with the UID/GID specified, which is the ones that owns the folders above

user@host:~/jellyfin-compose$ docker inspect -f '{{.Config.User}}' jellyfin
113:119

Yet, I get this error in the container indicating that the volume /config (which is on host path /jftest-config) is not accesible by the application in the container

Unhandled exception. System.UnauthorizedAccessException: Access to the path '/config/log' is denied.
 ---> System.IO.IOException: Permission denied

Any idea what I am doing wrong ?

Thanks in advance.

2

Your “volumes” are still bind mounts, as far as I can tell.

3

Whenever aligning the UID:GID of the process inside the container and a bind mounted volume path doesn’t work, usually an access control mechanism like ACLs, SELinux or AppArmor is involved.

We usually need the following information to understand the issue:

  1. What platform are you using? Windows, Linux or macOS? Which version of the operating systems? In case of Linux, which distribution?

  2. How did you install Docker? Sharing the platform almost answers it, but only almost. Direct links to the followed guide can be useful.

  3. On debian based Linux, the following commands can give us some idea and recognize incorrectly installed Docker:

    docker info
docker version

    Review the output before sharing and remove confidential data if any appears (public IP for example)

    dpkg -l | grep docker
snap list docker

    When you share the outputs, always format your posts according to the following guide: How to format your forum posts

1 Like
4

You are probably right about the access control. My bind mounts were on / but I moved them to another directory and it worked. I was only using / to make the path shorter for my testing it never occurred to me I would run into access control issues.