Docker mount directory access rights

I've got a Docker container running a MongoDB database. To keep the data persistent I mount a volume on the container, which is an AWS EBS volume formatted with xfs (the MongoDB recommendation).

The run command is the following:

$ docker run --name MongoDB -p 27017:27017 --volume /data/mongo/db:/data/db --volume /data/mongo/conf:/data/configdb mongo:3.4 --config /data/configdb/mongodb.conf

But I always get the following errors:

chown: cannot read directory '/data/configdb': Permission denied
chown: cannot read directory '/data/db': Permission denied

I tried many chmod and chown commands on the /data/mongo directory and all its subdirectories, until I came to chmod -R 777 /data/mongo, but still without success. In the mongo Dockerfile I see that the entrypoint chowns /data/db and /data/configdb: https://github.com/docker-library/mongo/blob/30d09dbd6343d3cbd1bbea2d6afde49f5d9a9295/3.4/docker-entrypoint.sh

chown -R mongodb /data/configdb /data/db

So I'm stuck with these directory access rights.


More info: I'm on AWS, ECS, CentOS 7.

$ docker info
Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 3
Server Version: 1.12.5
Storage Driver: devicemapper
 Pool Name: docker-202:1-86279-pool
 Pool Blocksize: 65.54 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 481.6 MB
 Data Space Total: 107.4 GB
 Data Space Available: 6.486 GB
 Metadata Space Used: 1.167 MB
 Metadata Space Total: 2.147 GB
 Metadata Space Available: 2.146 GB
 Thin Pool Minimum Free Space: 10.74 GB
 Udev Sync Supported: true
 Deferred Removal Enabled: false
 Deferred Deletion Enabled: false
 Deferred Deleted Device Count: 0
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
 Library Version: 1.02.135-RHEL7 (2016-11-16)
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
 Volume: local
 Network: bridge host null overlay
Swarm: inactive
Runtimes: runc docker-runc
Default Runtime: docker-runc
Security Options: seccomp selinux
Kernel Version: 3.10.0-514.6.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 2
Total Memory: 14.53 GiB
Name: ip-172-31-25-123.eu-west-1.compute.internal
ID: 44WV:6KIZ:LHMK:5HDN:S3EC:YEQG:GFZZ:7TIV:6PCT:GPVF:E6IV:24Q5
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Insecure Registries:
 127.0.0.0/8
Registries: docker.io (secure)
asked Feb 06 '17 07:02

jmcollin92


1 Answer

OK, I just realised that SELinux is activated on my CentOS 7 box:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

So I just have to add :Z after each volume mount, and MongoDB starts as expected.

answered Oct 22 '22 14:10

jmcollin92
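
The fix from the answer as an added example (not code from the original post): it checks whether a host directory's SELinux type blocks a confined container, which is why chmod -R 777 changed nothing, and rebuilds the question's docker run command with :Z. The function names and the sample contexts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical helpers, not Docker tooling.

# SELinux type = third field of a context like "system_u:object_r:default_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Args: selinux_mode host_dir_context
# Succeeds when an enforcing policy denies the container because of the type.
# container_file_t is the current type name; svirt_sandbox_file_t is the older
# name from CentOS 7 era policies. Only the type is checked here: a matching
# type can still be denied on its MCS categories (the ":c1,c2" part).
blocked_by_selinux() {
    [ "$1" = "Enforcing" ] || return 1
    case "$(selinux_type "$2")" in
        container_file_t|svirt_sandbox_file_t) return 1 ;;
        *) return 0 ;;
    esac
}

# Args: host_dir container_dir selinux_mode
# Adds :Z (relabel for this one container) whenever SELinux is not disabled.
volume_arg() {
    suffix=""
    [ "$3" = "Disabled" ] || suffix=":Z"
    printf '%s %s:%s%s\n' "--volume" "$1" "$2" "$suffix"
}

# Arg: selinux_mode. Rebuilds the docker run command from the question.
mongo_run_cmd() {
    db=$(volume_arg /data/mongo/db /data/db "$1")
    conf=$(volume_arg /data/mongo/conf /data/configdb "$1")
    printf 'docker run --name MongoDB -p 27017:27017 %s %s mongo:3.4 --config /data/configdb/mongodb.conf\n' "$db" "$conf"
}

# Constructed sample inputs. On a real host, take the mode from `getenforce`
# and the context from `stat -c %C /data/mongo/db`.
sample_ctx="system_u:object_r:default_t:s0"
if blocked_by_selinux Enforcing "$sample_ctx"; then
    echo "type $(selinux_type "$sample_ctx") is denied to containers; relabel with :Z"
fi
mongo_run_cmd Enforcing
```

:Z relabels the host directory recursively with a label private to that container, so it belongs only on directories dedicated to one container; :z applies a label that several containers can share.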