why am I getting permission denied on file with re

Published 2019-07-25 12:04

Question:

I have a Docker container which runs the GOCD server (a Java app) under the user account 'go' inside the container.

This container mounts /etc/hosts as 644 (readable by all users), but the 'go' account doesn't seem to be able to read this file.

Here is the proof:

    [~] # docker -v
    Docker version 1.10.2, build 0762ca4

    # first enter the container as root and read the contents of
    # /etc/hosts
    [~] # docker exec -it 0dac9bf0eab5 bash
    root@gocd:/# ls -la /etc/hosts
    -rw-r--r--+ 1 root root 164 Jun  2 22:03 /etc/hosts

    # no problem - file is readable
    root@gocd:/# cat /etc/hosts
    127.0.0.1    localhost
    ::1  localhost ip6-localhost ip6-loopback
    10.0.3.2 gocd
    root@gocd:/#

    # now change user to 'go'
    root@gocd:/# su - go -c bash
    go@gocd:/$ id
    uid=999(go) gid=999(go) groups=999(go)

    # check permissions - still 644
    go@gocd:/$ ls -la /etc/hosts
    -rw-r--r--+ 1 root root 164 Jun  2 22:03 /etc/hosts

    # but trying to read the file - causes error:
    go@gocd:/$ cat /etc/hosts
    cat: /etc/hosts: Permission denied

Any ideas why this is happening?

Answer 1:

The issue is related to ACL permissions which restrict READ access to /etc/hosts and /etc/resolv.conf to root only.

As a result, an application running under any other account inside the container can't read these files, and this causes issues with the network stack. E.g. a Java application which needs to resolve a host to an IP would get an UnknownHostException.

The issue happens on QNAP systems if the container is created with ContainerStation. There are apparently no settings in ContainerStation to change this behaviour, but it is possible to fix it with the following commands added to the startup script in the container:

    # modify ACL so the go user (uid in ${USER_ID}) has read access
    # to /etc/hosts and /etc/resolv.conf
    # this is to avoid the HostUnknown exception which happens
    # when the gocd container is used on QNAP with ContainerStation
    setfacl -m user:${USER_ID}:r /etc/resolv.conf
    setfacl -m user:${USER_ID}:r /etc/hosts

For QNAP users who want to run the GOCD server, I have created a Docker container on Docker Hub which already includes this fix:

https://hub.docker.com/r/rshestakov/docker-gocd-server/
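The symptom in the question is the classic "644 but Permission denied" case: the trailing `+` in `-rw-r--r--+` says an extended ACL is present, and once an ACL has a mask entry, `ls -l` shows the mask in the group column, so the mode bits alone no longer tell you who can read the file. `getfacl -n` shows the real rules. The script below is an added example, not code from the question or the answer: it parses `getfacl -n` style text and evaluates a request the way the kernel's POSIX.1e access check does (owner, then named user, then owning/named groups, then other, with the mask applied to everything but the owner and other entries). The ACL text is constructed to reproduce the symptom for uid 999; the actual ACL that ContainerStation puts on /etc/hosts is not shown on this page.

```python
#!/usr/bin/env python3
"""Explain a "644 but Permission denied" file by evaluating its POSIX ACL.

Added example for this page, not from the original question or answer.
SAMPLE_GETFACL is constructed: it reproduces the symptom (uid 0 reads,
uid 999 cannot) but is not the ACL ContainerStation actually applies."""

from typing import List, NamedTuple, Optional, Set, Tuple


class AclEntry(NamedTuple):
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # numeric uid/gid for named entries, "" for user::/group::
    perms: str      # three characters, e.g. "r--", "rw-", "---"


class Acl(NamedTuple):
    owner: str
    group: str
    entries: List[AclEntry]


# Constructed `getfacl -n /etc/hosts` output. The named-user entry for uid 999
# (the 'go' account in the question) grants nothing, while other:: still grants
# read, so `ls -l` prints -rw-r--r--+ yet uid 999 gets EACCES.
SAMPLE_GETFACL = """\
# file: etc/hosts
# owner: 0
# group: 0
user::rw-
user:999:---
group::r--
mask::r--
other::r--
"""


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl long-form output (numeric ids, as printed by -n)."""
    owner = group = ""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue  # "# file:" / "# flags:" carry nothing we need here
        if line.startswith("default:"):
            continue  # default ACLs apply to new children, not to this file
        # getfacl appends "#effective:r--" when the mask trims an entry
        line = line.split("#", 1)[0].strip()
        tag, qualifier, perms = line.split(":")
        entries.append(AclEntry(tag, qualifier, perms))
    return Acl(owner, group, entries)


def has(perms: str, want: str) -> bool:
    """True if every requested letter ('r', 'w', 'x') is present in perms."""
    return all(ch in perms for ch in want)


def masked(perms: str, mask: Optional[str]) -> str:
    """Apply the ACL mask: a bit survives only if the mask also has it."""
    if mask is None:
        return perms
    return "".join(p if p != "-" and p in mask else "-" for p in perms)


def check_access(acl: Acl, uid: str, gids: Set[str], want: str) -> Tuple[bool, str]:
    """Return (allowed, reason) following the POSIX.1e evaluation order."""
    mask = next((e.perms for e in acl.entries if e.tag == "mask"), None)
    # 1. file owner: the user:: entry decides, and the mask does not apply
    if uid == acl.owner:
        e = next(e for e in acl.entries if e.tag == "user" and e.qualifier == "")
        return has(e.perms, want), f"owner entry user::{e.perms}"
    # 2. named user entry: the first match is final, even if it denies
    for e in acl.entries:
        if e.tag == "user" and e.qualifier == uid:
            eff = masked(e.perms, mask)
            return has(eff, want), f"named entry user:{uid}:{e.perms} (effective {eff})"
    # 3. groups: any matching entry that grants wins; matching without grant denies
    group_matched = False
    for e in acl.entries:
        if e.tag != "group":
            continue
        gid = acl.group if e.qualifier == "" else e.qualifier
        if gid in gids:
            group_matched = True
            eff = masked(e.perms, mask)
            if has(eff, want):
                return True, f"group entry group:{e.qualifier}:{e.perms} (effective {eff})"
    if group_matched:
        return False, "matched one or more group entries but none grants the request"
    # 4. everyone else: the other:: entry, mask does not apply
    e = next(e for e in acl.entries if e.tag == "other")
    return has(e.perms, want), f"other entry other::{e.perms}"


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    for uid, gids in (("0", {"0"}), ("999", {"999"}), ("1000", {"1000"})):
        ok, why = check_access(acl, uid, gids, "r")
        print(f"uid {uid}: {'allowed' if ok else 'DENIED'} -- {why}")
```

Run it against real output with `getfacl -n /etc/hosts` piped in and the container user's `id -u` / `id -G`, and the reason string tells you which entry is responsible. Granting `setfacl -m user:999:r` as in the answer adds or replaces the named-user entry; if the mask is what trims it (getfacl marks that with `#effective:`), `setfacl -m` recomputes the mask unless you pass `-n`, which is why the answer's one-liner is enough in practice.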

Tags: docker