“Permission denied” in Docker container unless --privileged=true

I’m trying to run an nginx container as a service and share 2 volumes between the host machine and container, so that files in one directory are automatically shared with the other paired directory.

My docker-compose.yml is the following:

version: '2'

services:
  nginx:
    image: nginx
    build: .
    ports:
     - "5000:80"
    volumes:
     - /home/user1/share:/share/user1
     - /home/user2/share:/share/user2
    restart: always

The only way I can get this to work currently is by adding privileged: true to the docker-compose file; however, I am not allowed to do this due to security requirements.

When trying to access the volume in the container, I get the following error:

[root@host docker-nginx]# docker exec -it dockernginx_nginx_1 bash
root@2d574f9c6131:/# ls /share/user1/
ls: cannot open directory /share/user1/: Permission denied

Even attaching myself to bash on the container with the following parameters denies me access to the resource (or at least to listing its contents):
docker exec -it --privileged=true -u 6004:6004 dockernginx_nginx_1 bash
(Note: 6004:6004 happens to be the uid:gid ownership that is passed on to /share/user1/.)

Is there any way of accessing the contents without building the nginx service with elevated privileges?

Perhaps the issue lies in SELinux restrictions enforced in the container?
The container is running Debian GNU/Linux 8 (jessie) and the host is running CentOS Linux 7 (Core).


Answer

Docker was running with --selinux-enabled=true; this prohibited me from accessing the contents of directories in the container.
Read more: http://www.projectatomic.io/blog/2016/07/docker-selinux-flag/

The solution was to disable it. This can be done either by (1) configuration or by (2) installing the non-SELinux CentOS package; I went with option 2:

I made sure to reinstall and update Docker from 1.10 to 1.12.1 and not install docker-engine-selinux.noarch but instead have docker-engine.x86_64 and have the SELinux package installed as a dependency (yum does this automatically). By doing this and starting the Docker daemon, you can verify with ps aux | grep "docker" that docker-containerd is not started with the --selinux-enabled=true option.
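As an added example (not part of the original question or answer): the same docker-compose.yml, rewritten so that the daemon can keep running with --selinux-enabled=true and the two bind mounts are instead relabelled with the `:z` volume option. That option has existed since Docker 1.7, so it is available on the 1.12.1 daemon mentioned above. The service definition is the one from the question without the `build: .` line, which this example assumes is not needed because a stock `nginx` image is pulled; the SELinux type names in the comments are those of the CentOS 7 policy of that era.

```yaml
version: '2'

services:
  nginx:
    image: nginx
    ports:
      - "5000:80"
    volumes:
      # Weak form (what the question used): no label option. With
      # --selinux-enabled=true the container process runs as svirt_lxc_net_t
      # and may not read host files labelled user_home_t, so even root inside
      # the container gets "Permission denied" on /share/user1.
      # - /home/user1/share:/share/user1
      #
      # Fixed form: ':z' tells Docker to relabel the host directory with the
      # shared container file type (svirt_sandbox_file_t; container_file_t on
      # newer container-selinux policy), which the container may read and write
      # without disabling SELinux and without privileged: true.
      # Use ':Z' instead for a private, per-container MCS label when only this
      # one container is allowed to touch the directory.
      - /home/user1/share:/share/user1:z
      - /home/user2/share:/share/user2:z
    restart: always
```

To check that the relabel happened, run `ls -Zd /home/user1/share` on the host before and after `docker-compose up`: the type field should change from `user_home_t` to `svirt_sandbox_file_t` (or `container_file_t`), and `docker exec dockernginx_nginx_1 ls /share/user1` should then succeed as root. The manual equivalent is `chcon -Rt svirt_sandbox_file_t /home/user1/share`. Two caveats: relabelling only clears the SELinux (MAC) denial, so ordinary file ownership still applies and a container process running as uid 6004 can use the directory only because that matches the host ownership; and the `:z` label stays on the directory after the container exits and is readable by every container on the host, so prefer `:Z` for data that belongs to a single container and never relabel shared system paths such as /home itself.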

User contributions licensed under: CC BY-SA