In short: I am trying to mount a host directory in Docker, but then I cannot access it from within the container, even if the access permissions look good.
The details:
I am doing
sudo docker run -i -v /data1/Downloads:/Downloads ubuntu bash
and then
ls -al
It gives me:
total 8892
drwxr-xr-x. 23 root root 4096 Jun 18 14:34 .
drwxr-xr-x. 23 root root 4096 Jun 18 14:34 ..
-rwxr-xr-x. 1 root root 0 Jun 18 14:34 .dockerenv
-rwx------. 1 root root 9014486 Jun 17 22:09 .dockerinit
drwxrwxr-x. 18 1000 1000 12288 Jun 16 11:40 Downloads
drwxr-xr-x. 2 root root 4096 Jan 29 18:10 bin
drwxr-xr-x. 2 root root 4096 Apr 19 2012 boot
drwxr-xr-x. 4 root root 340 Jun 18 14:34 dev
drwxr-xr-x. 56 root root 4096 Jun 18 14:34 etc
drwxr-xr-x. 2 root root 4096 Apr 19 2012 home
and a lot more lines like that (I think this is the relevant portion).
If I do
cd /Downloads
ls
the result is
ls: cannot open directory .: Permission denied
The host is Fedora 20, with Docker 1.0.0 and go1.2.2.
What is going wrong?
See this Project Atomic blog post about Volumes and SELinux for the full story.
Specifically:
This got easier recently since Docker finally merged a patch which will be showing up in docker-1.7 (We have been carrying the patch in docker-1.6 on RHEL, CentOS, and Fedora).
This patch adds support for "z" and "Z" as options on the volume mounts (-v).
For example:
docker run -v /var/db:/var/db:z rhel7 /bin/sh
Will automatically do the
chcon -Rt svirt_sandbox_file_t /var/db
described in the man page. Even better, you can use Z.
docker run -v /var/db:/var/db:Z rhel7 /bin/sh
This will label the content inside the container with the exact MCS label that the container will run with, basically it runs
chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db
where s0:c1,c2 differs for each container.
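As an added example (not code from the question or the quoted Project Atomic post), a small POSIX shell helper that takes an SELinux file context of the form "ls -Zd /data1/Downloads" prints, checks whether a container running at a given MCS level is allowed to use the bind mount, and prints the matching -v flag. It assumes a single sensitivity s0 with categories listed individually (e.g. s0:c1,c2), which is how Docker labels containers; the host label used at the bottom is constructed, since the question does not show it.

```shell
#!/bin/sh
# Added example, not code from the question or the quoted Project Atomic post.
# Decides, from an SELinux file context such as "ls -Zd /data1/Downloads" prints,
# whether a container running at a given MCS level can use the bind mount, and
# prints the matching -v flag. Assumes single sensitivity s0 and individually
# listed categories (e.g. s0:c1,c2), which is how Docker labels containers.

# Third colon-separated field of user:role:type:level, e.g. svirt_sandbox_file_t.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Everything after the type, e.g. "s0:c1,c2" or plain "s0".
ctx_level() { printf '%s\n' "$1" | cut -d: -f4-; }

# Categories of a level, one per line: "s0:c1,c2" -> c1 c2; "s0" -> none.
level_cats() { printf '%s\n' "$1" | cut -s -d: -f2 | tr ',' '\n'; }

# MCS rule: a subject at level $1 may access an object at level $2 only if the
# subject holds every category the object carries. A directory relabelled with
# ":z" keeps plain s0 (no categories), so every container passes; one relabelled
# with ":Z" carries that container's categories, so only that container passes.
dominates() {
    for c in $(level_cats "$2"); do
        level_cats "$1" | grep -qx "$c" || return 1
    done
    return 0
}

# 0 (true) if a container at MCS level $2 may read a directory labelled $1.
# Both conditions from the answer: the type must be svirt_sandbox_file_t
# (what chcon -Rt sets) and the container must dominate the directory's level.
volume_readable() {
    [ "$(ctx_type "$1")" = "svirt_sandbox_file_t" ] || return 1
    dominates "$2" "$(ctx_level "$1")"
}

# Print the -v option to use: ":z" when several containers share the directory,
# ":Z" when only this container should see it.
volume_flag() {
    case "$3" in
        shared) printf '%s %s:%s:z\n' -v "$1" "$2" ;;
        *)      printf '%s %s:%s:Z\n' -v "$1" "$2" ;;
    esac
}

# The situation in the question, with a constructed host label: Downloads still
# carries its host type, so the container is refused and the fix is to mount
# it with :Z.
volume_readable "unconfined_u:object_r:user_home_t:s0" "s0:c1,c2" \
    || volume_flag /data1/Downloads /Downloads private
```

Run it on a host with "ls -Zd DIR | awk '{print $4}'" as the first argument and the container's level from "ps -eZ" as the second to see why a mount is refused before reaching for chcon.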