Permission denied within mounted volume inside Docker/Podman container
Thanks to the people here, the solution is quite simple (but not obvious):

My GNU/Linux container host has SELinux activated, and that's why I was having permissions problems. The solution is to simply append a `:z` to the `podman run` volume argument so that this:

```
podman run -it -v /host/foobar:/src_dir my_image /bin/bash
```

becomes this:

```
podman run -it -v /host/foobar:/src_dir:z my_image /bin/bash
```

That's it.
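The fix works because the denial is coming from SELinux, not from the `root:root` ownership the container shows: a bind-mounted host directory keeps its host label (for a home directory, something like `user_home_t`), and the container's confined process type is not allowed to touch it. `:z` tells podman/docker to relabel the directory as `container_file_t` with a shared label (any container may then use it); `:Z` gives it a private MCS label so that only this one container can. The script below is an added example, not the answerer's or the podman project's code: it reports the host's SELinux mode, builds the `-v` argument with the appropriate suffix, and checks whether a file context printed by `ls -dZ` is already one containers may use. The paths `/host/foobar`, `/src_dir` and the image name `my_image` are taken from this thread; the sample labels in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original answer. Builds a podman/docker -v
# argument carrying the SELinux relabel suffix appropriate for the host's
# mode, and checks whether an existing file context is one that container
# processes may use. Paths (/host/foobar, /src_dir, my_image) come from the
# thread; any label strings fed to label_allows_container are constructed.

# selinux_mode: print "enforcing", "permissive" or "disabled" for this host.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce | tr '[:upper:]' '[:lower:]'
  elif [ -r /sys/fs/selinux/enforce ]; then
    if [ "$(cat /sys/fs/selinux/enforce)" = "1" ]; then echo enforcing; else echo permissive; fi
  else
    echo disabled
  fi
}

# volume_arg HOST_DIR CTR_DIR MODE [shared|private]
# With SELinux enforcing or permissive, append :z (shared label, the fix the
# answer uses: every container can read/write the directory) or :Z (private
# MCS label: only this container can). With SELinux disabled, no suffix.
volume_arg() {
  host_dir=$1; ctr_dir=$2; mode=$3; scope=${4:-shared}
  case "$mode" in
    enforcing|permissive)
      case "$scope" in
        private) printf '%s:%s:Z\n' "$host_dir" "$ctr_dir" ;;
        *)       printf '%s:%s:z\n' "$host_dir" "$ctr_dir" ;;
      esac ;;
    *) printf '%s:%s\n' "$host_dir" "$ctr_dir" ;;
  esac
}

# label_allows_container LABEL
# Succeeds when a file context (first field of `ls -dZ DIR`) has a type that
# container processes may read and write. container_file_t is the current
# type; svirt_sandbox_file_t is its older alias. A label such as user_home_t
# is what yields "permission denied" inside the container despite root:root.
label_allows_container() {
  case "$1" in
    *:container_file_t:*|*:svirt_sandbox_file_t:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo, only when invoked as `sh thisfile.sh --demo`: show the mode, the
# host directory's current label, and the corrected run command.
if [ "${1:-}" = "--demo" ]; then
  mode=$(selinux_mode)
  echo "SELinux mode: $mode"
  if [ -d /host/foobar ]; then
    label=$(ls -dZ /host/foobar | awk '{print $1}')
    if label_allows_container "$label"; then
      echo "/host/foobar is already labelled for containers: $label"
    else
      echo "/host/foobar has label $label; :z will relabel it"
    fi
  fi
  echo "podman run -it -v $(volume_arg /host/foobar /src_dir "$mode") my_image /bin/bash"
fi
```

Prefer `:Z` for a directory only one container should see and `:z` when several containers share it; either way the relabel is applied to the host directory itself, so it persists after the container exits. Note that with rootless podman a second, unrelated cause of "permission denied" is UID mapping (host files owned by your user show up as owned by `nobody` inside the container's user namespace); a relabel suffix does nothing for that case, which is what the Red Hat article linked in the comments below covers.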
hpy
Updated on September 18, 2022

Comments
- hpy over 1 year

I am starting to learn about containers using `podman` that came with RHEL8.1 (which AFAIK can be used in place of `docker`), and have the following baby `Dockerfile` as a learning exercise:

```dockerfile
# Use Alpine Linux base image
FROM alpine:latest
# Install packages
RUN apk --no-cache add bash gcc make
# Make a directory for source code
RUN mkdir /src_dir
# Set working directory to the same directory
WORKDIR /src_dir
# Set this directory as a volume
VOLUME [ "/src_dir" ]
```

As you can see, I've installed the most basic `gcc` and `make` into this container with the goal of mounting a set of source files on my container host into the `/src_dir` directory within the container. I next build the container image in the host directory containing the `Dockerfile`:

```
podman build -t my_image .
```

I then start the container with this command:

```
podman run -it -v /host/foobar:/src_dir my_image /bin/bash
```

where `/host/foobar/` on my host is an arbitrary directory containing some arbitrary source code, all of which my local user on the host has full read/write access to. For example, there is one file `/host/foobar/test.c`. This then brings me to a `bash` prompt inside the container. I can see that I'm at the correct place because:

```
bash-5.0# pwd
/src_dir
```

However, I have absolutely no read/write access to `/src_dir`. Both `ls -lh` and `cat test.c` gave me permission denied errors. If I change to the root directory (or any other directory) of the container, I can see and access other things. Strangely, if I run `ls -lh /` I can see `/src_dir` as being owned by `root:root`, so I don't understand why as the container's root user I can't access anything in it. I also tried `podman inspect [container ID]`, and in the output I can see:

```json
...
"Mounts": [
    {
        "Type": "bind",
        "Name": "",
        "Source": "/host/foobar",
        "Destination": "/src_dir",
        "Driver": "",
        "Mode": "",
        "Options": [
            "rbind"
        ],
        "RW": true,
        "Propagation": "rprivate"
    }
]
...
```

Which suggests that there is read/write permission?

Perhaps I'm missing something obvious as a beginner, but what do I have to do so that I can run `gcc` and `make` inside this container on the source files mounted in `/src_dir`, so that the container essentially acts as a complete development environment? Thank you!

P.S. I've read that it's a good idea to use a separate non-root user in the container, but I haven't figured that out yet... Is this easy to achieve given my situation?
- user2557607 over 3 years

I've spent so many hours trying to understand the cause of a similar error on my rpi4 running Fedora IoT, experimenting with linuxserver.io containers. Finally I understood the problem well enough that I was able to find this answer! Thank you! The following Red Hat post appears to have some more information: redhat.com/sysadmin/user-namespaces-selinux-rootless-containers