Docker Community Forums

Share and learn in the Docker community.

Permission denied on volumes in multiple containers


(Steven Roose) #1

I’m having a simple docker-compose setup, but I’m actually trying out only one container at a time.

I have a ./data folder in the Compose directory where I want to persist important storage and also use it as a shared folder between multiple containers.

I tried with a container on Docker Hub, but also with a customly built container based on the certbot container for Let’s Encrypt. As far as I know, both these containers don’t use a specific user inside the container, they just run as root.

I have the following service in Compose:

services:
  letsencrypt:
    build: ./letsencrypt
    ports:
      - "8081:80"
    volumes:
      - ./data/letsencrypt:/etc/letsencrypt:rw

I also tried having a named volume like this:

services:
  letsencrypt:
    build: ./letsencrypt
    ports:
      - "8081:80"
    volumes:
      - letsencrypt:/etc/letsencrypt:rw
volumes:
  letsencrypt:

In the entrypoint of the container, I call whoami which gives root. And I try ls -al /etc/ | grep letsencrypt and ls -al /etc/letsencrypt, which give:

drwxr-xr-x    2 root     root          4096 Jun 16 12:47 letsencrypt
ls: can't open '/etc/letsencrypt': Permission denied

On the host fs, I tried two approaches: not having the ./data folder existent when I run docker-compose. In that case, it is generated by Compose and looks like this:

drwxr-xr-x. 2 root root 4096 Jun 16 14:47 letsencrypt

So it was created by the host root user and owned by it too.

The user I’m running docker-compose with is not root and does not have UID 1000, but it has 1001. It’s a member of the docker group and I rebooted after adding it to the group. I tried running docker-compose as root and I had the same issue.

I also tried not using the :rw suffix, adding an ending / to the directory. I tried many things.

I’m not super experienced with Docker and volumes, but I thought permissioning was something Docker would be handling and I as a user would not have to worry about.


Background information about the environment: I setup a fresh CentOS 7 VPS, created a new user for the application (hence UID 1001) and changed to that user. I installed docker from the CentOS repos and compose using the install script. Nothing special.


(Steven Roose) #2

Solution: disable SELinux.

Thanks to IRC user salcedo for mentioning SELinux :slight_smile: