Permission denied on accessing host directory in Docker
Summary
I am trying to mount a host directory in Docker, but then I can not access it from within the container, even if the access permissions look good.
Details
I am doing
sudo docker run -i -v /data1/Downloads:/Downloads ubuntu bash
and then
ls -al
It gives me:
total 8892
drwxr-xr-x. 23 root root 4096 Jun 18 14:34 .
drwxr-xr-x. 23 root root 4096 Jun 18 14:34 ..
-rwxr-xr-x. 1 root root 0 Jun 18 14:34 .dockerenv
-rwx------. 1 root root 9014486 Jun 17 22:09 .dockerinit
drwxrwxr-x. 18 1000 1000 12288 Jun 16 11:40 Downloads
drwxr-xr-x. 2 root root 4096 Jan 29 18:10 bin
drwxr-xr-x. 2 root root 4096 Apr 19 2012 boot
drwxr-xr-x. 4 root root 340 Jun 18 14:34 dev
drwxr-xr-x. 56 root root 4096 Jun 18 14:34 etc
drwxr-xr-x. 2 root root 4096 Apr 19 2012 home
and a lot more lines like that (I think this is the relevant portion).
If I do
cd /Downloads
ls
the result is
ls: cannot open directory .: Permission denied
The host is Fedora 20, with Docker 1.0.0 and go1.2.2.
What is going wrong?
Solution 1:
See this Project Atomic blog post about Volumes and SELinux for the full story.
Specifically:
This got easier recently since Docker finally merged a patch which will be showing up in docker-1.7 (We have been carrying the patch in docker-1.6 on RHEL, CentOS, and Fedora).
This patch adds support for "z" and "Z" as options on the volume mounts (-v).
For example:
docker run -v /var/db:/var/db:z rhel7 /bin/shWill automatically do the
chcon -Rt svirt_sandbox_file_t /var/dbdescribed in the man page.Even better, you can use Z.
docker run -v /var/db:/var/db:Z rhel7 /bin/shThis will label the content inside the container with the exact MCS label that the container will run with, basically it runs
chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/dbwheres0:c1,c2differs for each container.
Solution 2:
It is an SELinux issue.
You can temporarily issue
su -c "setenforce 0"
on the host to access or else add an SELinux rule by running
chcon -Rt svirt_sandbox_file_t /path/to/volume