Why does docker container prompt "Permission denied"?

linux docker permissions permission-denied user-permissions
Nan Xiao picture Nan Xiao · Feb 25, 2016 · Viewed 54.3k times · Source

I use following command to run a docker container, and map a directory from host(/root/database) to container(/tmp/install/database): 

# docker run -it --name oracle_install -v /root/database:/tmp/install/database bofm/oracle12c:preinstall bash

But in container, I find I can't use ls to list contents in /tmp/install/database/ though I am root and have all privileges: 

[root@77eb235aceac /]# cd /tmp/install/database/
[root@77eb235aceac database]# ls
ls: cannot open directory .: Permission denied
[root@77eb235aceac database]# id
uid=0(root) gid=0(root) groups=0(root)
[root@77eb235aceac database]# cd ..
[root@77eb235aceac install]# ls -alt
......
drwxr-xr-x. 7 root root  4096 Jul  7  2014 database

I check /root/database in host, and all things seem OK: 

[root@localhost ~]# ls -lt
......
drwxr-xr-x.  7 root root       4096 Jul  7  2014 database

Why does docker container prompt "Permission denied"?

Update:
The root cause is related to SELinux. Actually, I met similar issue last year.

Answer

Auzias picture Auzias · Feb 25, 2016

A permission denied within a container for a shared directory could be due to the fact that this shared directory is stored on a device. By default containers cannot access any devices. Adding the option $docker run --privileged allows the container to access all devices and performs Kernel calls. This is not considered as secure.

A cleaner way to share device is to use the option docker run --device=/dev/sdb (if /dev/sdb is the device you want to share).

From the man page:

  --device=[]
      Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm)

  --privileged=true|false
      Give extended privileges to this container. The default is false.

      By default, Docker containers are “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the Docker container. This is because by default  a  container is not allowed to access any devices. A “privileged” container is given access to all devices.

      When  the  operator  executes  docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor to allow the container nearly all the same access to the host as processes running outside of a container on the host.

Related questions

Understanding user file ownership in docker: how to avoid changing permissions of linked volumes

Consider the following trivial Dockerfile: FROM debian:testing RUN adduser --disabled-password --gecos '' docker RUN adduser --disabled-password --gecos '' bob in a working directory with nothing else. Build the docker image: docker build -t test . and then run a bash …

Read More
Docker mounting volume. Permission denied

I have a problem with creating new files in mounted docker volume. Firstly after installation docker i added my user to docker group. sudo usermod -aG docker $USER Created as my $USER folder: mkdir -p /srv/redis And starting container: …

Read More
Docker can't connect to docker daemon

After I update my Docker version to 0.8.0, I get an error message while entering sudo docker version: Client version: 0.8.0 Go version (client): go1.2 Git commit (client): cc3a8c8 2014/02/19 12:54:16 Can't connect to docker daemon. Is 'docker -d' running on this …

Read More