Why does docker container prompt "Permission denied"?
Solution 1
A permission denied within a container for a shared directory could be due to the fact that this shared directory is stored on a device. By default containers cannot access any devices. Adding the option $docker run --privileged allows the container to access all devices and performs Kernel calls. This is not considered as secure.
A cleaner way to share device is to use the option docker run --device=/dev/sdb (if /dev/sdb is the device you want to share).
From the man page:
--device=[] Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc:rwm) --privileged=true|false Give extended privileges to this container. The default is false. By default, Docker containers are “unprivileged” (=false) and cannot, for example, run a Docker daemon inside the Docker container. This is because by default a container is not allowed to access any devices. A “privileged” container is given access to all devices. When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well as set some configuration in AppArmor to allow the container nearly all the same access to the host as processes running outside of a container on the host.
Solution 2
I had a similar issue when sharing an nfs mount point as a volume using docker-compose. I was able to resolve the issue with:
docker-compose up --force-recreate
Eventhough you found the issue, this may help someone else.
Solution 3
I got answer from a comment under: Why does docker container prompt Permission denied?
man docker-run gives the proper answer:
Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Docker does not change the labels set by the OS.
To change a label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that two containers share the volume content. As a result, Docker labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label. Only the current container can use a private volume.
For example:
docker run -it --name oracle_install -v /root/database:/tmp/install/database:z ...
Solution 4
Another reason is a mismatch with the UID/GID. This often shows up as being able to modify a mount as root but not as the containers user
You can set the UID, so for an ubuntu container running as ubuntu you may need to append :uid=1000 (check with id -u) or set the UID locally depending on your use case.
uid=value and gid=value
Set the owner and group of the files in the filesystem (default: uid=gid=0)
There is a good blog about it here with this tmpfs example
docker run \
--rm \
--read-only \
--tmpfs=/var/run/prosody:uid=100 \
-it learning/tmpfs
Related videos on Youtube
05 : 10
13 : 08
06 : 52
05 : 16
08 : 42
02 : 40
![[Solved] How To Fix Permission Denied Error inside Docker Container? Docker Non-Root User Error](https://i.ytimg.com/vi/WUwjbzX-vR4/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLDgPygk5a0kOixC9tZzqHcrKPlL8g)
04 : 38
16 : 17
Nan Xiao
Updated on January 16, 2021Comments
-
Nan Xiao over 3 years
I use following command to run a docker container, and map a directory from host(
/root/database) to container(/tmp/install/database):# docker run -it --name oracle_install -v /root/database:/tmp/install/database bofm/oracle12c:preinstall bashBut in container, I find I can't use
lsto list contents in/tmp/install/database/though I amrootand have all privileges:[root@77eb235aceac /]# cd /tmp/install/database/ [root@77eb235aceac database]# ls ls: cannot open directory .: Permission denied [root@77eb235aceac database]# id uid=0(root) gid=0(root) groups=0(root) [root@77eb235aceac database]# cd .. [root@77eb235aceac install]# ls -alt ...... drwxr-xr-x. 7 root root 4096 Jul 7 2014 databaseI check
/root/databasein host, and all things seem OK:[root@localhost ~]# ls -lt ...... drwxr-xr-x. 7 root root 4096 Jul 7 2014 databaseWhy does docker container prompt "Permission denied"?
Update:
The root cause is related toSELinux. Actually, I met similar issue last year.-
Auzias about 8 yearsCould try by adding--privilegedto thedocker runcommand and tell us if the permission is still denied. Also, could you perform (on the host)# ls -lh /tmp/install/databaseplease? -
Nan Xiao about 8 years@Auzias: Yes, add
--privilegedworks! Thanks! Could you write an answer and explain what is the difference of using this option or not though working as a root user in container? -
Nan Xiao about 8 years@Auzias: I update in the
OP, please check, thanks! -
Auzias about 8 yearsNot really yet as I'm unsure of the reason. could you perform (on the host)
# ls -lh /tmp/install/databaseplease? (you providedls -ldh /root/databaseno the /tmp one). Also, is you/tmpon a specific device? -
Nan Xiao about 8 years@Auzias: There is no
/tmp/install/databaseon host, it is in container. -
Auzias about 8 yearsOh yeah, sorry! Indeed, not fully awoke. is your
/tmpon a specific device? -
Nan Xiao about 8 years@Auzias: No. Just the same hard disk as other directories. I check the
docker run --help, but the explanation seems a little simple. -
Auzias about 8 yearsLet us continue this discussion in chat.
-
-
Nan Xiao about 8 yearsthe root cause has been found: it is caused by
selinux. Actually, I encountered similar issue about one year ago: Why does docker prompt “Permission denied” when backing up the data volume?. -
sschuberth over 2 yearsIf "By default, Docker does not change the labels set by the OS", how can it then be that I can run a certain executable fine on the host, but when mounting the same executable to a Docker container, I get "Permission denied" when running it? (And specifying
:zdoes fix it.) -
B.Z. over 2 years@sschuberth selinux requires the process label matches the label of the file that it tries to access. Docker running in a different context from host processes, so it has different process label. That's why a process in the host can access an executable, but a process in docker container can't. :z would relabels the file to make sure that docker container can access the file too.
