42

Docker works great on a Mac for me, but I have to run docker host inside of a VirtualBox (or Parallels, or VMWare Fusion), since Mac's kernel doesn't support docker.

So I tried to set up my application and a docker-compose on an Ubuntu Desktop - natively, where both docker client and docker host run physically on the same system. This worked, but my running docker containers can't write into a mounted host volume.

I use docker-compose with the following settings:

volumes:
   - ./api:/usr/src/app

So I'm mounting the "api" directory of the host Ubuntu OS into docker container under /usr/src/app.

docker inspect <container ID> shows that the volume is writable

"Destination": "/usr/src/app",
"Mode": "rw",
"RW": true

However it is not: I get permission denied when I try to create a directory or edit a file from within the docker container.

I googled for this issue, of course, and I came across a few SELinux issues of CentOS/RHEL, but I'm running Ubuntu 15.10, 64 bit edition, not CentOS.

3 Answers

47

If your uid on the host (id -u) isn't the same as the uid of the user in the docker container (often "docker") then you can have this problem. You can try:

  1. Making the UIDs the same between your user and the user in the docker container.
  2. Setting the group permissions on the directory to be writable for a group that both you and docker belong to.
  3. You could also use the nuclear option:

chmod a+rwx -R project-dir/

The nuclear option will make your git workspace filthy, which will annoy you greatly, so isn't the best long-term solution. It stops the bleeding tho.

For further understanding the problem, you might find these useful:

  1. https://github.com/docker/docker/issues/7906
  2. https://github.com/docker/docker/issues/7198
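
To see which of the options in the answer above applies to a given directory, this added example (not part of the original answer) reports which Unix permission class, if any, lets a container UID:GID create files in a bind-mounted host directory. The function names are illustrative; it assumes GNU stat and looks only at mode bits, ignoring supplementary groups, ACLs, SELinux/AppArmor and user-namespace remapping.

```shell
#!/bin/sh
# Added example: explain a "permission denied" on a bind mount by comparing
# the host directory's owner/group/mode with the UID:GID the container
# process runs as (e.g. the output of `id -u` and `id -g` inside it).

# writable_class MODE OWNER_UID OWNER_GID UID GID
# Prints the class that grants directory write access:
# root, owner, group, other, or denied.
writable_class() {
    mode=$1 o_uid=$2 o_gid=$3 uid=$4 gid=$5
    # Without user namespaces, UID 0 in the container is UID 0 on the host
    # and is not restricted by mode bits.
    if [ "$uid" -eq 0 ]; then echo root; return 0; fi
    perms=$(( 0$mode ))          # stat prints octal, e.g. 755 or 2775
    # The kernel picks exactly one class; it does not fall through to a
    # more permissive one.
    if [ "$uid" -eq "$o_uid" ]; then
        class=owner; bits=$(( (perms >> 6) & 7 ))
    elif [ "$gid" -eq "$o_gid" ]; then
        class=group; bits=$(( (perms >> 3) & 7 ))
    else
        class=other; bits=$(( perms & 7 ))
    fi
    # Creating or deleting entries needs write (2) and search (1).
    if [ $(( bits & 3 )) -eq 3 ]; then echo "$class"; else echo denied; fi
}

# can_write_as UID GID DIR: the same decision for a real host directory.
can_write_as() {
    st=$(stat -c '%a %u %g' "$3") || return 2
    # Intentional word splitting: st holds three numeric fields.
    writable_class $st "$1" "$2"
}

# Stand-alone use: sh script.sh <container-uid> <container-gid> <host-dir>
if [ "$#" -eq 3 ]; then
    can_write_as "$1" "$2" "$3"
fi
```

A result of `other` means the directory is writable only because it is open to every local user, which is the state the `chmod a+rwx` option produces.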

5 Comments

Both "nuclear option" and uid fix worked. For uid fix I just added "usermod -u 1000 docker" to the Dockerfile.
In my case setting the owner on the volume directory to the user helped (UIDs were already the same).
But for me it's not working after giving container uid:gid ownership to the host dir. But if I mount a docker volume it works. Fails in case of -v empty/dir:/opt/nifi-registry/nifi-registry-0.4.0 but works fine with -v volume_data:/opt/nifi-registry/nifi-registry-0.4.
How do you do option 1?
"It stops the bleeding", but may open a whole new blackhole.
31

New answer:

This question seems to have a lot of traffic and there is a better solution available now: fixuid

As the name suggests it's a magic executable to change the container user's UID & GID on container startup (using -u somebody:somebody).

For a more in-depth explanation see: https://web.archive.org/web/20211023202034/https://boxboat.com/2017/07/25/fixuid-change-docker-container-uid-gid/


Old answer:

As of Docker version 1.7 you have the option to mount a host directory with permissions to a container using the :Z or :z flags like so:

docker run -v ./api:/usr/src/app:Z

  • :z - will add permissions to all containers using label 'svirt_sandbox_file_t'
  • :Z - will add permissions only to the current container label

As of Docker Compose v1.4.0, you can use it in docker-compose.yml like this:

volumes:
   - ./api:/usr/src/app:Z

Although I should add I still have some problems with this (see Adding permissions to host directory with docker-compose).

1 Comment

What is svirt_sandbox_file_t?
0

If your local config for bind, /etc/named/named.conf.options, does not contain the directory "/var/..." then it's probably trying to put files into another directory without server access. Add it to the local config that will go into the container.

Note: this is applicable to the specific bind9 docker container. Don't forget to back up your config files first and make sure nothing important will be affected.
