Permission denied on accessing host directory in d

Posted 2019-01-08 02:37

In short: I am trying to mount a host directory in Docker, but then I cannot access it from within the container, even though the access permissions look good.

The details:

I am doing

sudo docker run -i -v /data1/Downloads:/Downloads ubuntu bash

and then

ls -al

It gives me:

total 8892
drwxr-xr-x.  23 root root    4096 Jun 18 14:34 .
drwxr-xr-x.  23 root root    4096 Jun 18 14:34 ..
-rwxr-xr-x.   1 root root       0 Jun 18 14:34 .dockerenv
-rwx------.   1 root root 9014486 Jun 17 22:09 .dockerinit
drwxrwxr-x.  18 1000 1000   12288 Jun 16 11:40 Downloads
drwxr-xr-x.   2 root root    4096 Jan 29 18:10 bin
drwxr-xr-x.   2 root root    4096 Apr 19  2012 boot
drwxr-xr-x.   4 root root     340 Jun 18 14:34 dev
drwxr-xr-x.  56 root root    4096 Jun 18 14:34 etc
drwxr-xr-x.   2 root root    4096 Apr 19  2012 home

and a lot more lines like that (I think this is the relevant portion).

If I do

cd /Downloads
ls

the result is

ls: cannot open directory .: Permission denied

The host is Fedora 20, with Docker 1.0.0 and go1.2.2.

Any ideas what is going wrong?

9 answers
我想做一个坏孩纸
#2 -- · 2019-01-08 03:15

I resolved that issue by using a data container; this also has the advantage of isolating the data from the application layer. You could run it like this:

docker run --volumes-from=<container-data-name> ubuntu

This tutorial provides a good explanation on the use of data containers.

再贱就再见
#3 -- · 2019-01-08 03:18

I had a similar issue, mine was caused by a mismatch between the UID of the host and the UID of the container's user. The fix was to pass the UID of the user as an argument to the docker build and create the container's user with the same UID.

In the Dockerfile:

# Base image (assumed here; the posted fragment omits the FROM line)
FROM ubuntu
# Defaults to 1000; override at build time with --build-arg UID=...
ARG UID=1000
ENV USER="ubuntu"
# Create the container user with the same numeric UID as the host user
RUN useradd -u $UID -ms /bin/bash $USER

In the build step:

docker build <path/to/Dockerfile> -t <tag/name> --build-arg UID=$UID

After that, running the container and commands as per the OP gave me the expected result.

爷的心禁止访问
#4 -- · 2019-01-08 03:19

It is an SELinux issue.

You can temporarily issue

su -c "setenforce 0"

on the host to access it, or else add an SELinux rule by running

chcon -Rt svirt_sandbox_file_t /path/to/volume
霸刀☆藐视天下
#5 -- · 2019-01-08 03:20

I verified that chcon -Rt svirt_sandbox_file_t /path/to/volume does work and you don't have to run as a privileged container.

This is on:

  • Docker version 0.11.1-dev, build 02d20af/0.11.1
  • centos7 as the host and container with selinux enabled.
劫难
#6 -- · 2019-01-08 03:25

sudo -s did the trick for me on Mac

啃猪蹄的小仙女
#7 -- · 2019-01-08 03:26

See this Project Atomic blog post about Volumes and SELinux for the full story.

Specifically:

This got easier recently since Docker finally merged a patch which will be showing up in docker-1.7 (We have been carrying the patch in docker-1.6 on RHEL, CentOS, and Fedora).

This patch adds support for "z" and "Z" as options on the volume mounts (-v).

For example:

docker run -v /var/db:/var/db:z rhel7 /bin/sh

Will automatically do the chcon -Rt svirt_sandbox_file_t /var/db described in the man page.

Even better, you can use Z.

docker run -v /var/db:/var/db:Z rhel7 /bin/sh

This will label the content inside the container with the exact MCS label that the container will run with, basically it runs chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db where s0:c1,c2 differs for each container.

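The answers above name two unrelated causes for the same "Permission denied": a container user whose uid/gid does not match the host directory's owner (answer #3), and a host directory whose SELinux type the container policy does not permit (answers #4, #5 and #7, which is also why the OP hit it as root). The script below is an added example, not code from any of the posters, that tells the two apart on a host path: it applies the classic owner/group/other bit check for a given uid/gid, then reads the `security.selinux` xattr and inspects the type and the MCS level, so you can also see whether a label is the shared one `:z` sets or the per-container one `:Z` sets. The type names `svirt_sandbox_file_t` and `container_file_t` (the newer alias for the same type) and the `user:role:type:level` label format are assumptions of the example; the `demo()` scenario uses a constructed temporary directory.

```python
"""Added example: distinguish a DAC (uid/gid) denial from an SELinux label
denial on a host directory that is bind-mounted into a container."""
import os
import stat
import tempfile

# SELinux types the Docker policy lets containers use (assumed: the name
# quoted in the thread plus the alias newer policies use for the same type).
CONTAINER_TYPES = {"svirt_sandbox_file_t", "container_file_t"}


def dac_allows(mode, owner_uid, owner_gid, uid, gid, want=os.R_OK | os.X_OK):
    """Classic Unix permission check for a directory.

    mode/owner_uid/owner_gid describe the directory; uid/gid is the process
    (the container user).  Listing a directory needs r+x (os.R_OK|os.X_OK).
    uid 0 always passes, since root holds CAP_DAC_OVERRIDE.
    """
    if uid == 0:
        return True
    if owner_uid == uid:
        bits = (mode >> 6) & 7
    elif owner_gid == gid:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def selinux_label(path):
    """Read the SELinux context from the security.selinux xattr; None when
    the host has no SELinux (or the xattr cannot be read)."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b"\x00").decode()


def parse_label(label):
    """Split 'user:role:type:level' into (type, level); the level keeps any
    MCS categories, e.g. ('svirt_sandbox_file_t', 's0:c1,c2')."""
    parts = label.split(":")
    if len(parts) < 4:
        raise ValueError("not an SELinux context: %r" % label)
    return parts[2], ":".join(parts[3:])


def label_allows_container(label):
    """True if the label's type is a container type; None if no label."""
    if label is None:
        return None
    seltype, _ = parse_label(label)
    return seltype in CONTAINER_TYPES


def label_sharing(label):
    """'private' when the level carries MCS categories (what -v ...:Z sets,
    readable by one container only); 'shared' for a bare sensitivity such
    as s0 (what -v ...:z sets, readable by every container)."""
    _, level = parse_label(label)
    categories = level.split(":")[1:]
    return "private" if categories else "shared"


def diagnose(path, uid, gid):
    """Run both checks on a host path for a container running as uid/gid."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    dac = dac_allows(mode, st.st_uid, st.st_gid, uid, gid)
    label = selinux_label(path)
    mac = label_allows_container(label)
    if not dac:
        verdict = ("DAC: uid/gid %d/%d cannot list %s (owner %d:%d, mode %o); "
                   "build the image with a user whose UID matches the host owner"
                   % (uid, gid, path, st.st_uid, st.st_gid, mode))
    elif mac is False:
        verdict = ("SELinux: %s is not a container type; relabel with "
                   "chcon -Rt svirt_sandbox_file_t or mount with :z/:Z" % label)
    elif mac is None:
        verdict = "DAC allows it and no SELinux label is readable on this host"
    else:
        verdict = "DAC and SELinux (%s, %s) both allow it" % (label, label_sharing(label))
    return {"dac": dac, "label": label, "mac": mac, "verdict": verdict}


def demo():
    """Constructed scenario: a temporary directory with mode 0700 owned by the
    current user, checked for that user and then for a different uid/gid, the
    way a container user with a mismatched UID would see a host directory."""
    me_uid, me_gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o700)
        return {
            "same_user": diagnose(d, me_uid, me_gid),
            "other_user": diagnose(d, me_uid + 1, me_gid + 1),
        }


if __name__ == "__main__":
    for who, result in demo().items():
        print(who, "->", result["verdict"])
```

Run it on the real path with the uid/gid the container process uses (`root` in the OP's `docker run ... bash`, or the `useradd` UID from answer #3): a DAC verdict points at the UID fix, an SELinux verdict at `chcon` or `:z`/`:Z`. On a host without SELinux the label check reports nothing rather than a false alarm.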