Docker Volume Mount Permission Denied 2018

With SELinux enabled on the host and for the docker daemon, I get a permission denied when trying to access the volume. Propagated mount for the volume plugin is set to /var/lib/test. Running the container with --security-opt=label:disable resolves the issue.

  • Terminal excerpt:
    root@host-docker # su - user01
    Last login: Thu May 24 23:17:03 IST 2018 from example.com on pts/1
    user01@host-docker $ docker images
    REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
    user01       latest   ab15b83d00ea   32 hours ago   1.29GB
    testweb      latest   07d0c8441153   6 days ago     234MB
  • Mounting folders as Docker volumes (July 3, 2018, valerauko): extract its mount point from docker volume inspect, as you'll get permission denied errors on them.
  • Windows container excerpt (Friday, May 4, 2018, 6:42 AM): docker run -it --mount 'type=volume,src=test,dst=c:\app' microsoft/nanoserver-insider:10.0.17134.1; mklink on c:\app returns "Access is denied".

Recently I was leveraging Azure App Services to deploy my Docker packaged .NET Core app. My setup includes VS 2017 v15.2, Docker CE v17.03.1-ce-win12 (stable) and Windows 10 Enterprise (with Creators update).

My app ran fine locally without Docker, but as soon as I tried deploying to a Linux container VS gave me a weird error:

I figured there was something funky going on with my Docker settings. Navigating to Docker Client -> Settings -> Shared Drives, none of my drives were shared (also weird, since I am pretty sure I had set them up earlier). Maybe the Windows 10 Creators update had something to do with that? Anyways…

Re-sharing my local drive with Docker, I uncovered another error:

I tried a number of times to share, including resetting cached credentials, using local credentials, etc. No dice :(

Of course looking at the documentation sent me down some bunny trails around making sure inbound firewall rules were setup correctly between the Host and VM processes.

After a chunk of time researching the issue and trying a bunch of things, I have a solution that worked for me - one that might save you time. The solution actually has nothing to do with the error displayed!

  1. Make sure your target drive is unshared: Drive Properties > Sharing > Advanced > 'Share this folder' is unchecked.
  2. As part of installing Docker you should have a DockerNAT interface set up. Uncheck 'File and Printer Sharing for Microsoft Networks' and press OK: Adapter Properties > Networking > uncheck File and Printer Sharing for Microsoft Networks.
  3. Now reverse what you did, i.e. check the same File and Printer Sharing property and hit OK.

After following the steps outlined above, I was able to share my target drive with Docker with no issues. Seems a bit voodoo, no? I hope the tooling will improve to sidestep this issue altogether in the near future.


Bind mounts have been around since the early days of Docker. Bind mounts have limited functionality compared to volumes. When you use a bind mount, a file or directory on the host machine is mounted into a container. The file or directory is referenced by its absolute path on the host machine. By contrast, when you use a volume, a new directory is created within Docker's storage directory on the host machine, and Docker manages that directory's contents.

The file or directory does not need to exist on the Docker host already. It is created on demand if it does not yet exist (with the -v flag; --mount refuses a missing path, as described below). Bind mounts are very performant, but they rely on the host machine's filesystem having a specific directory structure available. If you are developing new Docker applications, consider using named volumes instead. You can't use Docker CLI commands to directly manage bind mounts.

Choose the -v or --mount flag

In general, --mount is more explicit and verbose. The biggest difference is that the -v syntax combines all the options together in one field, while the --mount syntax separates them. Here is a comparison of the syntax for each flag.

Tip: New users should use the --mount syntax. Experienced users may be more familiar with the -v or --volume syntax, but are encouraged to use --mount, because research has shown it to be easier to use.

  • -v or --volume: Consists of three fields, separated by colon characters (:). The fields must be in the correct order, and the meaning of each field is not immediately obvious.
    • In the case of bind mounts, the first field is the path to the file or directory on the host machine.
    • The second field is the path where the file or directory is mounted in the container.
    • The third field is optional, and is a comma-separated list of options, such as ro, z, and Z. These options are discussed below.
  • --mount: Consists of multiple key-value pairs, separated by commas and each consisting of a <key>=<value> tuple. The --mount syntax is more verbose than -v or --volume, but the order of the keys is not significant, and the value of the flag is easier to understand.
    • The type of the mount, which can be bind, volume, or tmpfs. This topic discusses bind mounts, so the type is always bind.
    • The source of the mount. For bind mounts, this is the path to the file or directory on the Docker daemon host. May be specified as source or src.
    • The destination takes as its value the path where the file or directory is mounted in the container. May be specified as destination, dst, or target.
    • The readonly option, if present, causes the bind mount to be mounted into the container as read-only.
    • The bind-propagation option, if present, changes the bind propagation. May be one of rprivate, private, rshared, shared, rslave, slave.
    • The --mount flag does not support the z or Z options for modifying SELinux labels.

The examples below show both the --mount and -v syntax where possible, and --mount is presented first.

Differences between -v and --mount behavior

Because the -v and --volume flags have been a part of Docker for a long time, their behavior cannot be changed. This means that there is one behavior that is different between -v and --mount.

Permission

If you use -v or --volume to bind-mount a file or directory that does not yet exist on the Docker host, -v creates the endpoint for you. It is always created as a directory, and because the daemon creates it, it is owned by root. A mistyped host path therefore does not fail: it silently leaves a new, empty, root-owned directory on the host and an empty mount in the container.

If you use --mount to bind-mount a file or directory that does not yet exist on the Docker host, Docker does not automatically create it for you, but generates an error.
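The syntax comparison above and the missing-path difference described in this section, as an added example that is not part of the Docker documentation: a Python translator that turns a -v bind-mount spec into the equivalent --mount argument, rejects the z/Z options that --mount cannot express, and warns about the two things the text singles out (shared propagation, and a host path that -v would silently create). The function names, warning texts and the injectable host_path_exists parameter are this example's own; it handles only bind mounts with absolute paths, as the section does.

```python
"""Translate a -v/--volume bind-mount spec into the --mount form.

Added example, not from the Docker documentation. Function names and the
warning texts are this example's own; it handles only bind mounts (absolute
host path in the first field), as the section above does.
"""
import os

# The six propagation modes the --mount description lists, and the two
# SELinux label options that only the -v third field accepts.
PROPAGATION_MODES = {"rprivate", "private", "rshared", "shared", "rslave", "slave"}
SELINUX_LABELS = {"z", "Z"}


def parse_volume_spec(spec):
    """Split 'host-path:container-path[:opt,opt]' into (source, target, options)."""
    fields = spec.split(":")
    if len(fields) not in (2, 3):
        raise ValueError("expected 2 or 3 colon-separated fields in %r" % spec)
    source, target = fields[0], fields[1]
    if not (source.startswith("/") and target.startswith("/")):
        # Anything else in the first field names a volume, not a host path.
        raise ValueError("bind mounts need absolute host and container paths: %r" % spec)
    options = [o for o in fields[2].split(",") if o] if len(fields) == 3 else []
    return source, target, options


def to_mount_flag(spec, host_path_exists=os.path.exists):
    """Return (mount_argument, warnings) equivalent to '-v <spec>'.

    Raises ValueError for anything --mount cannot express (z/Z), for unknown
    options, and for commas in paths, which the key=value list cannot carry
    unquoted. host_path_exists is injectable so the check can run against a
    fake host (or in a test).
    """
    source, target, options = parse_volume_spec(spec)
    if "," in source or "," in target:
        raise ValueError("paths containing ',' cannot be passed through --mount unquoted: %r" % spec)
    parts = ["type=bind", "source=" + source, "target=" + target]
    propagation = None
    for opt in options:
        if opt == "ro":
            parts.append("readonly")
        elif opt == "rw":
            pass  # read-write is the default; --mount has no key for it
        elif opt in PROPAGATION_MODES:
            if propagation is not None:
                raise ValueError("two propagation modes in %r" % spec)
            propagation = opt
            parts.append("bind-propagation=" + opt)
        elif opt in SELINUX_LABELS:
            raise ValueError("--mount has no equivalent of the SELinux %s relabel in %r" % (opt, spec))
        else:
            raise ValueError("unknown -v option %r in %r" % (opt, spec))
    warnings = []
    if propagation in ("shared", "rshared"):
        warnings.append("%s propagation lets mounts created inside the container appear on the host"
                        % propagation)
    if not host_path_exists(source):
        warnings.append("%s does not exist on the host: -v would silently create it as an empty "
                        "root-owned directory, --mount fails instead" % source)
    return "--mount " + ",".join(parts), warnings


if __name__ == "__main__":
    # Demo against a pretend host where none of the paths exist.
    for spec in ("/home/dev/source/target:/app",
                 "/home/dev/source/target:/app2:ro,rslave",
                 "/srv/data:/data:Z"):
        try:
            flag, notes = to_mount_flag(spec, host_path_exists=lambda p: False)
            print(spec)
            print("  " + flag)
            for note in notes:
                print("  ! " + note)
        except ValueError as err:
            print(spec + "\n  cannot translate: %s" % err)
```

Run it against a real command line by passing each -v value to to_mount_flag with the default host_path_exists; the second warning is the one to act on, since a typo in the host path is otherwise invisible until you find the stray root-owned directory.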

Start a container with a bind mount

Consider a case where you have a directory source and that when you build the source code, the artifacts are saved into another directory, source/target/. You want the artifacts to be available to the container at /app/, and you want the container to get access to a new build each time you build the source on your development host. Use the following command to bind-mount the target/ directory into your container at /app/. Run the command from within the source directory. The $(pwd) sub-command expands to the current working directory on Linux or macOS hosts.

The --mount and -v examples below produce the same result. You can't run them both unless you remove the devtest container after running the first one.

Use docker inspect devtest to verify that the bind mount was created correctly. Look for the Mounts section:

This shows that the mount is a bind mount, it shows the correct source and destination, it shows that the mount is read-write, and that the propagation is set to rprivate.

Stop the container:

Mount into a non-empty directory on the container

If you bind-mount into a non-empty directory in the container, the directory's existing contents are obscured by the bind mount. This can be beneficial, such as when you want to test a new version of your application without building a new image. However, it can also be surprising, and this behavior differs from that of Docker volumes: an empty named volume mounted over a non-empty directory is populated with that directory's contents from the image, whereas a bind mount simply hides them.

This example is contrived to be extreme, but replaces the contents of the container's /usr/ directory with the /tmp/ directory on the host machine. In most cases, this would result in a non-functioning container.

The --mount and -v examples have the same end result.

The container is created but does not start. Remove it:

Use a read-only bind mount

For some development applications, the container needs to write into the bind mount, so changes are propagated back to the Docker host. At other times, the container only needs read access.

This example modifies the one above but mounts the directory as a read-only bind mount, by adding ro to the (empty by default) list of options, after the mount point within the container. Where multiple options are present, separate them by commas.

The --mount and -v examples have the same result.

Use docker inspect devtest to verify that the bind mount was created correctly. Look for the Mounts section:

Stop the container:

Configure bind propagation

Bind propagation defaults to rprivate for both bind mounts and volumes. It is only configurable for bind mounts, and only on Linux host machines. Bind propagation is an advanced topic and many users never need to configure it.

Bind propagation refers to whether or not mounts created within a given bind-mount or named volume can be propagated to replicas of that mount. Consider a mount point /mnt, which is also mounted on /tmp. The propagation settings control whether a mount on /tmp/a would also be available on /mnt/a. Each propagation setting has a recursive counterpoint. In the case of recursion, consider that /tmp/a is also mounted as /foo. The propagation settings control whether /mnt/a and/or /tmp/a would exist.

Propagation settings:

  • shared: Sub-mounts of the original mount are exposed to replica mounts, and sub-mounts of replica mounts are also propagated to the original mount.
  • slave: Similar to a shared mount, but only in one direction. If the original mount exposes a sub-mount, the replica mount can see it. However, if the replica mount exposes a sub-mount, the original mount cannot see it.
  • private: The mount is private. Sub-mounts within it are not exposed to replica mounts, and sub-mounts of replica mounts are not exposed to the original mount.
  • rshared: The same as shared, but the propagation also extends to and from mount points nested within any of the original or replica mount points.
  • rslave: The same as slave, but the propagation also extends to and from mount points nested within any of the original or replica mount points.
  • rprivate: The default. The same as private, meaning that no mount points anywhere within the original or replica mount points propagate in either direction.

Before you can set bind propagation on a mount point, the host filesystem needs to already support bind propagation.

For more information about bind propagation, see the Linux kernel documentation for shared subtree.

The following example mounts the target/ directory into the container twice, and the second mount sets both the ro option and the rslave bind propagation option.

The --mount and -v examples have the same result.

Now if you create /app/foo/, /app2/foo/ also exists.
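The verification the two "Use docker inspect devtest" passages above describe, together with the propagation caution from this section, as an added example that is not part of the Docker documentation: a Python audit of the Mounts array that docker inspect prints. SAMPLE_INSPECT is constructed to mirror the shape of docker inspect devtest output (the two mounts of target/ from the example above, plus a daemon-socket mount and the /tmp-over-/usr mount from the non-empty-directory section, the latter made rshared on purpose); the function names and the SENSITIVE_HOST_PATHS and IMAGE_TREES lists are this example's own choices, not anything Docker defines.

```python
"""Audit the Mounts section that `docker inspect` prints for a container.

Added example, not part of the Docker documentation. SAMPLE_INSPECT is a
constructed stand-in for `docker inspect devtest` output; the function names
and the two path lists are this example's own.
"""
import json
import os
import sys

# Constructed sample. `docker inspect` prints a JSON array with one object per
# container; only the keys this audit reads are included.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/devtest",
    "Mounts": [
        {"Type": "bind", "Source": "/home/dev/source/target", "Destination": "/app",
         "Mode": "", "RW": True, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/home/dev/source/target", "Destination": "/app2",
         "Mode": "ro", "RW": False, "Propagation": "rslave"},
        # Two mounts no development container should have:
        {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock",
         "Mode": "", "RW": True, "Propagation": "rprivate"},
        {"Type": "bind", "Source": "/tmp", "Destination": "/usr",
         "Mode": "", "RW": True, "Propagation": "rshared"},
    ],
}])

# Host paths whose exposure to a container needs a deliberate decision (this
# example's list). The daemon socket is root on the host; the OS trees let a
# container rewrite the host's binaries and configuration when mounted rw.
SENSITIVE_HOST_PATHS = ("/etc", "/usr", "/bin", "/sbin", "/lib", "/lib64", "/boot",
                        "/proc", "/sys", "/dev", "/root",
                        "/var/run/docker.sock", "/run/docker.sock")

# Container paths where a bind mount hides the image's own files (see the
# non-empty directory section above).
IMAGE_TREES = ("/usr", "/bin", "/sbin", "/lib", "/lib64", "/etc")


def _under(path, prefix):
    """True when path equals prefix or lies below it (lexically normalised)."""
    path, prefix = os.path.normpath(path), os.path.normpath(prefix)
    return path == prefix or path.startswith(prefix + "/")


def sample_mounts():
    """The Mounts array of the only container in SAMPLE_INSPECT."""
    return json.loads(SAMPLE_INSPECT)[0]["Mounts"]


def verify_expected(mount, source, destination, read_only=False, propagation="rprivate"):
    """Compare one Mounts entry with what the run command asked for.

    Returns the list of mismatches; an empty list means the mount is as intended.
    """
    problems = []
    if mount.get("Type") != "bind":
        problems.append("Type is %r, expected 'bind'" % mount.get("Type"))
    if os.path.normpath(mount.get("Source", "")) != os.path.normpath(source):
        problems.append("Source is %r, expected %r" % (mount.get("Source"), source))
    if mount.get("Destination") != destination:
        problems.append("Destination is %r, expected %r" % (mount.get("Destination"), destination))
    if bool(mount.get("RW")) != (not read_only):
        problems.append("RW is %r, expected %r" % (mount.get("RW"), not read_only))
    if mount.get("Propagation") != propagation:
        problems.append("Propagation is %r, expected %r" % (mount.get("Propagation"), propagation))
    return problems


def audit_mounts(inspect_json):
    """Return findings for bind mounts that widen a container's reach into the host."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":
                continue
            src, dst = m.get("Source", ""), m.get("Destination", "")
            where = "%s: %s -> %s" % (name, src, dst)
            if os.path.normpath(src) == "/":
                findings.append(where + ": the whole host filesystem is mounted")
            else:
                hit = next((p for p in SENSITIVE_HOST_PATHS if _under(src, p)), None)
                if hit is not None:
                    findings.append(where + ": sensitive host path under %s exposed %s"
                                    % (hit, "read-write" if m.get("RW") else "read-only"))
            if m.get("Propagation") in ("shared", "rshared"):
                findings.append(where + ": %s propagation lets mounts made inside the "
                                "container appear on the host" % m["Propagation"])
            if any(_under(dst, t) for t in IMAGE_TREES):
                findings.append(where + ": bind mount hides the image's contents at %s" % dst)
    return findings


if __name__ == "__main__":
    # Real use: docker inspect devtest | python3 audit_mounts.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_INSPECT
    for line in audit_mounts(data):
        print(line)
```

verify_expected is the scripted form of the check the text asks you to do by eye (type, source, destination, RW, propagation); audit_mounts is the part worth running against every container on a host, since a read-write bind of the daemon socket or an rshared mount turns a container into a foothold on the host regardless of what the image does.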

Configure the selinux label

If you use SELinux you can add the z or Z options to modify the SELinux label of the host file or directory being mounted into the container. This affects the file or directory on the host machine itself and can have consequences outside of the scope of Docker.

  • The z option indicates that the bind mount content is shared among multiplecontainers.
  • The Z option indicates that the bind mount content is private and unshared.

Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable and you may need to relabel the host machine files by hand.

Important: When using bind mounts with services, SELinux labels (:Z and :z), as well as :ro, are ignored. See moby/moby #32579 for details.


This example sets the z option to specify that multiple containers can share the bind mount's contents:

It is not possible to modify the SELinux label using the --mount flag.
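The caution above about relabeling a system directory, as an added example that is not Docker's own code: a Python guard that extracts the z/Z option from a -v spec and refuses the relabel when the host path, resolved through symlinks and '..', is one of the system directories the text warns about. The TOP_LEVEL and OS_TREES tuples are this example's choices (the text names /home and /usr; the others are the usual top-level directories a relabel would break), and the injectable resolve parameter exists so the check can be exercised without those paths on the machine running it.

```python
"""Guard against relabeling a system directory with the -v z/Z options.

Added example, not Docker's own code. The two directory tuples and the
function names are this example's choices: the text names /home and /usr,
the rest are the other top-level directories an SELinux relabel would break.
"""
import os

# Relabeling these exact directories is what the text warns about; their
# subdirectories (a project under /home, a data directory under /srv) are
# the normal case and are allowed.
TOP_LEVEL = ("/", "/home", "/opt", "/srv", "/tmp", "/var", "/run", "/dev",
             "/proc", "/sys", "/root")
# Everything inside these trees belongs to the OS, so even a subdirectory
# is refused.
OS_TREES = ("/usr", "/etc", "/bin", "/sbin", "/lib", "/lib64", "/boot")


def selinux_option(volume_spec):
    """Return 'z', 'Z' or None for the label option in a -v spec."""
    fields = volume_spec.split(":")
    if len(fields) != 3:
        return None
    labels = [o for o in fields[2].split(",") if o in ("z", "Z")]
    if len(labels) > 1:
        raise ValueError("conflicting SELinux options in %r" % volume_spec)
    return labels[0] if labels else None


def relabel_is_safe(volume_spec, resolve=os.path.realpath):
    """Return (ok, reason) for applying the z/Z relabel in volume_spec.

    The host path is resolved through symlinks and '..' first (resolve is
    injectable for testing): the relabel lands on the real location, so a
    symlink /srv/www -> /usr/share/www or a path typed as /opt/../home must
    be judged by where it points, not by how it was written.
    """
    label = selinux_option(volume_spec)
    if label is None:
        return True, "no relabel requested"
    host_path = os.path.normpath(resolve(volume_spec.split(":")[0]))
    if host_path in TOP_LEVEL:
        return False, "%s relabel of %s would change the label of a system directory" % (label, host_path)
    for tree in OS_TREES:
        if host_path == tree or host_path.startswith(tree + "/"):
            return False, "%s relabel of %s touches the OS tree %s" % (label, host_path, tree)
    reason = "%s relabel limited to %s" % (label, host_path)
    if label == "Z":
        # Z marks the content private to this container, so any other
        # container already using the same host path loses access to it.
        reason += "; Z makes it private, other containers sharing this path lose access"
    return True, reason


if __name__ == "__main__":
    for spec in ("/home/me/project:/app:Z", "/home:/app:Z",
                 "/usr/share/www:/www:z", "/opt/../etc:/cfg:z"):
        ok, why = relabel_is_safe(spec)
        print("%-28s %s  %s" % (spec, "ok " if ok else "REFUSE", why))
```

Put the check in front of whatever builds your docker run command lines; a refused spec is almost always a path typed one level too high, and the fix is to mount the project or data directory rather than its parent.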

Next steps

  • Learn about volumes.
  • Learn about tmpfs mounts.
  • Learn about storage drivers.
