Docker volume permission denied

Hello!
For the past week or two, I haven't been able to continue working for my company on my Silverblue machine because of new permission denied errors.

docker run --rm --name apache -v /home/guillaume/path/to/my/conf/httpd.conf:/usr/local/apache2/conf/httpd.conf httpd:2.4.39-alpine
httpd: Could not open configuration file /usr/local/apache2/conf/httpd.conf: Permission denied

I can only use named volumes, but that's not easy because the volumes are stored outside the project.
And in any case, when a container needs root privileges this creates problems. Until 2 weeks ago, this worked correctly for 80% of Docker images (for MySQL, I was already forced to use a named volume).

Does anyone have the same problem?

I'm using moby-engine installed as a layered package via rpm-ostree:

Client:
 Version:           18.06.3
 API version:       1.38
 Go version:        go1.12
 Git commit:        d7080c1
 Built:             Thu Mar 28 16:22:13 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          dev
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.12
  Git commit:       d7080c1
  Built:            Thu Mar 28 16:21:35 2019
  OS/Arch:          linux/amd64
  Experimental:     false

State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora:fedora/30/x86_64/silverblue
    Version: 30.20190625.0 (2019-06-25T00:41:48Z)
    BaseCommit: 5a8e05b465f1c1f9a67773867cc81ba0a872e29b8bafe5f600493a3ee8bf3edb
    GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
    LayeredPackages: docker-compose evince fedora-workstation-repositories fprintd fprintd-pam gstreamer1-plugins-ugly-free gvfs-nfs langpacks-fr libfprint libnfs moby-engine zsh
    LocalPackages: google-chrome-stable-75.0.3770.80-1.x86_64
    Initramfs: regenerate

  ostree://fedora:fedora/30/x86_64/silverblue
    Version: 30.20190620.0 (2019-06-20T02:44:32Z)
    BaseCommit: 9477661d701f647ae2b5c496470e63f4c19ec83751b914648e8bb1d5ed763e75
    GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
    LayeredPackages: docker-compose evince fedora-workstation-repositories fprintd fprintd-pam gstreamer1-plugins-ugly-free gvfs-nfs langpacks-fr libfprint libnfs moby-engine zsh
    LocalPackages: google-chrome-stable-75.0.3770.80-1.x86_64
    Initramfs: regenerate

This is likely SELinux. You can append :z or :Z to a volume to relabel all its contents before mounting (the former uses a label meaning any container can read it, the latter uses a label specific to the given container).


Yes, thanks @refi64, this works, but 2 weeks ago I could use a relative path (except for MySQL, where I need to use a named volume).
The problem is that it's a shared docker-compose.yml file for all our developers, so I need to create/copy a specific version of this docker-compose file to work on my machine (I suppose a :z could cause problems for other developers).
BTW, if I use :z I can't specify :rw or :ro (I've tried :z:ro and :zro); if you have an idea, it would be appreciated :slight_smile:

Try :ro,z. If the other developers are on non-SELinux systems, it shouldn’t make a difference for them at all. You can also set

security_opt:
 - label:disable

on your container to disable labeling altogether; again, this would only affect SELinux-enforcing systems.

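The three options discussed in the two replies above (the shared :z label, the per-container :Z label, and label:disable), shown side by side in one compose file. This is an added example, not the poster's docker-compose.yml or anything from the thread; the service names, the ./conf and ./data paths and the MySQL image tag are assumed for illustration.

```yaml
# Added example (not from the thread): the same bind mount under SELinux
# enforcing, from the failing form to the three fixes discussed above.
# Service names, host paths and the mysql tag are assumptions.
version: "3.7"

services:
  # Fails on an SELinux-enforcing host: the file keeps its home-directory
  # label (user_home_t), which a container_t process may not read.
  apache-unlabeled:
    image: httpd:2.4.39-alpine
    volumes:
      - ./conf/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro

  # Fix 1 (preferred): relabel with the shared container label (:z) and keep
  # the mount read-only. Mount options are comma-separated, so it is ":ro,z",
  # not ":z:ro". Hosts without SELinux ignore the z flag entirely.
  apache-shared-label:
    image: httpd:2.4.39-alpine
    volumes:
      - ./conf/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro,z

  # Fix 2: private label (:Z). The host path gets this container's own MCS
  # category, so no other container can read it; right for a data directory
  # that is only ever used by one service.
  mysql-private-label:
    image: mysql:5.7
    volumes:
      - ./data/mysql:/var/lib/mysql:Z

  # Fix 3 (last resort): switch SELinux labeling off for this container.
  # The process is no longer confined by the container policy, so this is
  # the weakest of the three and should not be the default in a shared file.
  apache-unconfined:
    image: httpd:2.4.39-alpine
    security_opt:
      - label:disable
    volumes:
      - ./conf/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
```

Two caveats a practitioner should keep in mind. First, :z and :Z change the labels of the host path persistently (the equivalent of running chcon on it), so never apply them to a whole home directory, /etc, /usr or any other system path; point them at the project subdirectory only. Second, :Z on a path shared by two services breaks whichever container gets its label overwritten last, so use :z for anything several containers read. After a successful :z mount, `ls -Z ./conf/httpd.conf` on the host should show the `container_file_t` type, and a denied access on the original form shows up in `ausearch -m avc`.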

Perfect!!
Once again, you've helped me a lot @refi64! Thanks! :slight_smile:
