Docker permission denied with volume
I'm trying to start an Nginx container that serves static content located on the host, in /opt/content.

The container is started with:

docker run -p 8080:80 -v /opt/content:/usr/share/nginx/html nginx:alpine

And Nginx keeps giving me 403 Forbidden. Moreover, when trying to inspect the content of the directory, I got strange results:

$ docker exec -i -t inspiring_wing /bin/sh
/ # ls -l /usr/share/nginx/
total 4
drwxrwxrwx    3 root     root          4096 Aug 15 08:08 html
/ # ls -l /usr/share/nginx/html/
ls: can't open '/usr/share/nginx/html/': Permission denied
total 0

I ran chmod -R 777 /opt/ to be sure there are no restrictions on the host, but it doesn't change anything. I also tried adding the :ro flag to the volume option, with no luck.

How can I make the mounted volume readable by the container?

UPDATE: here are the full steps I followed to reproduce this problem (as root, and with another directory to start from a clean config):

mkdir /public
echo "Hello World" > /public/index.html
chmod -R 777 /public
docker run -p 8080:80 -d -v /public:/usr/share/nginx/html nginx:alpine
docker exec -i -t inspiring_wing /bin/sh
ls -l /usr/share/nginx/html

And this last command inside the container returns: ls -l /usr/share/nginx/html. Of course, replace inspiring_wing with the name of the created container.

Dozen answered 15/8, 2018 at 8:15 Comment(0)

The problem was caused by SELinux, which prevented Docker from accessing the file system.

If someone has the same problem as in this post, here is how to check whether it's the same situation:

1/ Check SELinux status: sestatus. If the mode is enforcing, it may block Docker from accessing the filesystem.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

2/ Change mode to permissive: setenforce 0. There should be no more restrictions on Docker.

Dozen answered 15/8, 2018 at 18:16 Comment(0)

Instead of setting SELinux to permissive on your host entirely, I would recommend setting the correct security context for your volume source:

chcon -R -t container_file_t PATHTOHOSTDIR
Maverick answered 23/1, 2023 at 22:36 Comment(0)
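
A way to confirm the SELinux diagnosis from the audit log before relabeling or going permissive, as an added example that is not part of either answer above. The AVC records are constructed samples, and container_t as the container process type is an assumption; on a live host, pipe the output of ausearch -m avc -ts recent into the function instead.

```shell
#!/bin/sh
# Constructed sample AVC records (not from the original post). On a live host:
#   ausearch -m avc -ts recent | container_denials
SAMPLE_AUDIT='type=AVC msg=audit(1534320000.123:456): avc:  denied  { read } for  pid=4242 comm="ls" name="public" dev="dm-0" ino=131 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1534320001.200:457): avc:  denied  { open } for  pid=4250 comm="nginx" name="index.html" dev="dm-0" ino=132 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1534320002.300:458): avc:  denied  { write } for  pid=900 comm="httpd" name="app.log" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1534320003.400:459): avc:  denied  { read } for  pid=4260 comm="nginx" name="index.html" dev="dm-0" ino=140 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_file_t:s0:c7,c8 tclass=file permissive=0'

# Print "comm perms name target_type verdict" for every denial whose source
# domain is container_t (assumed here to be the container process type).
container_denials() {
    awk '
    function val(f) { sub(/^[^=]*=/, "", f); gsub(/"/, "", f); return f }
    /avc:/ && /denied/ {
        perm = comm = name = stype = ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            if ($i ~ /^comm=/) comm = val($i)
            if ($i ~ /^name=/) name = val($i)
            if ($i ~ /^scontext=/) { split(val($i), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(val($i), t, ":"); ttype = t[3] }
        }
        if (stype != "container_t") next
        # Wrong type: relabel the host directory (chcon -t container_file_t).
        # Right type but still denied: likely an MCS category mismatch.
        verdict = (ttype == "container_file_t") ? "check-mcs" : "relabel"
        print comm, perm, name, ttype, verdict
    }'
}

printf '%s\n' "$SAMPLE_AUDIT" | container_denials
```

A "relabel" verdict on the mounted path matches the situation in the question: the file modes are 777, but the target type is not one the container domain may read.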

You're copying from /opt/content on the host, to /usr/share/nginx/html in the container. So when you log in, you want to look in /usr/share/nginx/html for the files.

If this doesn't help enough, you can paste the content of ls -lah /usr/share/nginx/html but I think you just don't have an index page in there.

Antho answered 15/8, 2018 at 8:44 Comment(4)
You're right, I did make some wrong copy/paste... I made another try with /opt as mounting point instead of /usr/share/nginx to eliminate problems with permissions on this directory, and copied the wrong terminal... I updated the question with the correct listing, you can see that /usr/share/nginx/html is inaccessible although permissions are 777. – Dozen
@Dozen this is interesting. I tried what you're doing and it's definitely working properly for me. Are you sure your situation isn't more complex, and for the sake of simplifying it for the question, you might have omitted some of the details that are key here? – Antho
Indeed, I also find it surprising that something so common is not working. I've updated the question with the steps I followed from a clean configuration, and still got the problem... Am I missing something obvious? – Dozen
I found what's wrong. SELinux was running on my machine (Fedora), and disabling it solved the problem. Thank you very much for your time and letting me know it should work as is. – Dozen
