Petrus K. - 2 months ago
Linux Question

"Permission denied" in Docker container unless --privileged=true

I'm trying to run an nginx container as a service and share 2 volumes between the host machine and container, so that files in one directory are automatically shared with the other paired directory.

My docker-compose.yml is the following:

version: '2'

services:
  nginx:
    image: nginx
    build: .
    ports:
      - "5000:80"
    volumes:
      - /home/user1/share:/share/user1
      - /home/user2/share:/share/user2
    restart: always


The only way I can get this to work currently is by adding privileged: true to the docker-compose file; however, I am not allowed to do this due to security requirements.

When trying to access the volume in the container, I get the following error:

[root@host docker-nginx]# docker exec -it dockernginx_nginx_1 bash
root@2d574f9c6131:/# ls /share/user1/
ls: cannot open directory /share/user1/: Permission denied


Even attaching myself to bash on the container with the following parameters denies me access to the resource (or at least to listing its contents):

docker exec -it --privileged=true -u 6004:6004 dockernginx_nginx_1 bash


(Note: 6004:6004 happens to be the uid:gid ownership that is passed on to /share/user1/)

Is there any way of accessing the contents without building the nginx service with elevated privileges?

Perhaps the issue lies in SELinux restrictions enforced in the container?

The container is running Debian GNU/Linux 8 (jessie) and the host is running CentOS Linux 7 (Core).


Answer

Docker was running with --selinux-enabled=true, which prohibited me from accessing the contents of directories in the container.
Read more: http://www.projectatomic.io/blog/2016/07/docker-selinux-flag/

The solution was to disable it. This can be done either by (1) configuring it or by (2) installing the non-SELinux CentOS package; I went with option 2:

I made sure to reinstall and update Docker from 1.10 to 1.12.1 and not install docker-engine-selinux.noarch but instead have docker-engine.x86_64 and have the SELinux package installed as a dependency (yum does this automatically). By doing this and starting the Docker daemon, you can verify with ps aux | grep "docker" that docker-containerd is not started with the --selinux-enabled=true option.
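The linked Project Atomic post also describes a way to keep the daemon's SELinux support switched on and still let an unprivileged container read the bind mounts: append the :z (shared) or :Z (private) relabel option to each volume entry, so that Docker labels the host directory with the container file context at mount time instead of leaving it with the user_home_t label that the container's process label cannot read. The compose file below is an added example written for this answer, not the original poster's file; it reuses the paths from the question and assumes the host directories contain nothing but the files meant for the container, because the relabel is applied recursively on the host side.

```yaml
# Added example: compose v2 file with SELinux relabel options instead of privileged: true.
# Paths and the 5000:80 port mapping are taken from the question above.
version: '2'

services:
  nginx:
    image: nginx
    build: .
    ports:
      - "5000:80"
    volumes:
      # :z  -> shared label (container_file_t, svirt_sandbox_file_t on older policies);
      #        any container may read/write it, which is what a shared drop directory needs
      - /home/user1/share:/share/user1:z
      - /home/user2/share:/share/user2:z
      # :Z would instead assign a label private to this one container (MCS category pair),
      #    e.g.  - /home/user1/share:/share/user1:Z
    restart: always
    # no privileged: true, and no --selinux-enabled=false on the daemon
```

After `docker-compose up -d`, `ls -Z /home/user1/share` on the CentOS host should show the container file type rather than user_home_t, and `docker exec -it dockernginx_nginx_1 ls /share/user1/` no longer returns "Permission denied". Only apply :z/:Z to directories dedicated to the container: relabeling a path such as /home itself or a system directory rewrites the contexts of everything beneath it and can break other confined services on the host.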