I have a docker container which runs the GOCD server (a Java app) under the user account 'go' inside the container.
This container mounts /etc/hosts as 644 (readable by all users), but the 'go' account doesn't seem to be able to read this file.
Here is the proof:
[~] # docker -v
Docker version 1.10.2, build 0762ca4
# first enter the container as root and read the contents of /etc/hosts
[~] # docker exec -it 0dac9bf0eab5 bash
root@gocd:/# ls -la /etc/hosts
-rw-r--r--+ 1 root root 164 Jun 2 22:03 /etc/hosts
# no problem - file is readable
root@gocd:/# cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
10.0.3.2 gocd
root@gocd:/#
# now change user to 'go'
root@gocd:/# su - go -c bash
go@gocd:/$ id
uid=999(go) gid=999(go) groups=999(go)
# check permissions - still 644
go@gocd:/$ ls -la /etc/hosts
-rw-r--r--+ 1 root root 164 Jun 2 22:03 /etc/hosts
# but trying to read the file causes an error:
go@gocd:/$ cat /etc/hosts
cat: /etc/hosts: Permission denied
Any ideas why this is happening?
The issue is related to ACL permissions which restrict READ access to /etc/hosts and /etc/resolv.conf to root only.
As a result, an application running under any other account inside the container can't read these files, and this causes issues with the network stack. E.g. a Java application which needs to resolve a host to an IP would get an UnknownHostException.
The issue happens on QNAP systems if the container is created with ContainerStation. There are apparently no settings in ContainerStation to change this behaviour, but it is possible to fix it with the following commands added to the startup script in the container:
For QNAP users who want to run the GOCD server, I have created a docker container on Docker Hub which already includes this fix:
https://hub.docker.com/r/rshestakov/docker-gocd-server/
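An added example (not the author's startup-script commands, which are not shown above, and not part of the linked image) of how to confirm the diagnosis and undo it. The key observation is that `ls -l` prints a `+` after the mode bits when a file carries an extended POSIX ACL, and the displayed mode then hides the named entries; `getfacl` shows them. The sample `getfacl` text below is constructed, and the assumption that a named-user entry (`user:999:---`) or a restrictive mask is what blocks uid 999 is mine; on a real QNAP host, run `getfacl /etc/hosts` as root inside the container to see the actual entries. The helpers `acl_read_denials`, `acl_blocks_read`, `check_file` and `strip_extended_acl` are named here for illustration; `getfacl`/`setfacl` come from the standard `acl` package.

```shell
#!/bin/sh
# Added example: diagnose and strip an extended ACL that denies read access
# to a non-root user even though `ls -l` reports mode 644.

# Constructed sample of `getfacl /etc/hosts` output (assumption: a named-user
# entry for uid 999 with no permission bits is what hides behind the "+").
SAMPLE_ACL='# file: /etc/hosts
# owner: root
# group: root
user::rw-
user:999:---
group::r--
mask::r--
other::r--'

# Read getfacl text on stdin and print the entries that leave a non-root
# principal without the read bit: named user/group entries, the mask
# (which caps every named entry), or the other:: entry.
acl_read_denials() {
    grep -v '^#' | awk -F: '
        ($1 == "user" || $1 == "group") && $2 != "" && substr($3, 1, 1) != "r" { print }
        ($1 == "mask"  || $1 == "other") && substr($3, 1, 1) != "r" { print }
    '
}

# Exit 0 when the ACL text in $1 would block reads for some non-root user.
acl_blocks_read() {
    [ -n "$(printf '%s\n' "$1" | acl_read_denials)" ]
}

# Inspect a live file when getfacl is available; otherwise fall back to the
# constructed sample so the function can be exercised offline.
check_file() {
    f="$1"
    if command -v getfacl >/dev/null 2>&1 && [ -e "$f" ]; then
        acl_text=$(getfacl -p "$f" 2>/dev/null)
    else
        acl_text="$SAMPLE_ACL"
    fi
    if acl_blocks_read "$acl_text"; then
        echo "ACL on $f denies read to a non-root principal:"
        printf '%s\n' "$acl_text" | acl_read_denials
        return 1
    fi
    echo "ACL on $f grants read to every listed principal"
    return 0
}

# Assumed remedy: remove every extended ACL entry (setfacl -b), leaving only
# the classic mode bits, so 644 means what it says. Must run as root, i.e. at
# the top of the container entrypoint before dropping to the 'go' user, and on
# every start, since Docker rewrites these files when the container starts.
strip_extended_acl() {
    for f in "$@"; do
        setfacl -b "$f" || return 1
    done
}

# Typical use at container start (as root):
#   check_file /etc/hosts || strip_extended_acl /etc/hosts /etc/resolv.conf
```

Because Docker bind-mounts /etc/hosts and /etc/resolv.conf from the host, `setfacl -b` inside the container changes the same inode the host sees, which is why the fix belongs in the container's startup script rather than in the image layers.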