I’m trying to run an nginx container as a service and share 2 volumes between the host machine and container, so that files in one directory are automatically shared with the other paired directory.
My docker-compose.yml is the following:
    version: '2'
    services:
      nginx:
        image: nginx
        build: .
        ports:
          - "5000:80"
        volumes:
          - /home/user1/share:/share/user1
          - /home/user2/share:/share/user2
        restart: always
The only way I can get this to work currently is by adding privileged: true to the docker-compose file; however, I am not allowed to do this due to security requirements.
When trying to access the volume in the container, I get the following error:
    [root@host docker-nginx]# docker exec -it dockernginx_nginx_1 bash
    root@2d574f9c6131:/# ls /share/user1/
    ls: cannot open directory /share/user1/: Permission denied
Even attaching myself to bash on the container with the following parameters denies me of accessing the resource (or at least listing the contents):
    docker exec -it --privileged=true -u 6004:6004 dockernginx_nginx_1 bash

(Note: 6004:6004 happens to be the id:gid ownership that is passed on to /share/user1/.)
Is there any way of accessing the contents without building the nginx service with elevated privileges?
Perhaps the issue lies in SELinux restrictions enforced in the container?
The container is running Debian GNU/Linux 8 (jessie) and the host is running CentOS Linux 7 (Core).
Answer
Docker was running with --selinux-enabled=true; this prohibited me from accessing the contents of directories in the container.
Read more: http://www.projectatomic.io/blog/2016/07/docker-selinux-flag/
The solution was to disable it. It can be done either by (1) configuring or by (2) installing the non-SELinux CentOS package; I went with option 2:
I made sure to reinstall and update Docker from 1.10 to 1.12.1 and not install docker-engine-selinux.noarch but instead have docker-engine.x86_64 and have the SELinux package installed as a dependency (yum does this automatically). By doing this and starting the Docker daemon, you can verify with ps aux | grep "docker" that docker-containerd is not started with the --selinux-enabled=true option.
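As an added example, not part of the question or the answer above, here is the compose file from the question shown twice: once with the `privileged: true` setting the asker was told not to use, and once with Docker's `:Z` bind-mount suffix, which makes the daemon relabel the two host directories for the container so that `--selinux-enabled=true` can stay on. The host paths and port come from the question; the service name `nginx-privileged`, the choice of `:Z` over `:z`, and the comments are additions made here.

```yaml
# Added example: the question's compose file with the weak setting and the
# SELinux-aware alternative side by side. Only one of the two services should
# be started at a time, since both publish host port 5000.
version: '2'
services:

  # Weak: privileged: true runs the container unconfined, which is why the
  # mount "works", but it also removes the SELinux boundary between the
  # container and the host (and grants every capability and device).
  nginx-privileged:
    image: nginx
    build: .
    privileged: true
    ports:
      - "5000:80"
    volumes:
      - /home/user1/share:/share/user1
      - /home/user2/share:/share/user2
    restart: always

  # Preferred: keep the daemon's SELinux enforcement and let Docker relabel
  # only the two bind-mounted directories. :Z assigns each mount a private
  # label usable by this container alone; use :z instead when the same host
  # directory must be shared by several containers.
  nginx:
    image: nginx
    build: .
    ports:
      - "5000:80"
    volumes:
      - /home/user1/share:/share/user1:Z
      - /home/user2/share:/share/user2:Z
    restart: always
```

After `docker-compose up -d nginx`, `ls -Zd /home/user1/share` on the host should show the directory carrying the container file type (`container_file_t`, or `svirt_sandbox_file_t` on the older CentOS 7 policy of the Docker 1.12 era), and `ls /share/user1/` inside the container no longer fails with "Permission denied" while `ps aux | grep docker` still shows `--selinux-enabled=true`. Two caveats: the relabel is recursive and changes the label of every file under the host directory, so it must only be applied to directories dedicated to the container, never to something like `/home` itself; and SELinux is only the second gate, so the Unix owner and mode of the 6004:6004 directory still have to permit the user the nginx process runs as.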