I need your help to understand my problem.
I updated my Macintosh to Catalina last week, then I updated Docker for Mac.
Since those updates, I have ownership issues on shared volumes.
I can reproduce it with a small example. I just create a small docker-compose file which builds an nginx container. I have a folder src with a PHP file like this: "src/index.php".
I build the container and start it. Then I go to /app/www/mysrc (shared volume) and type "ls -la" to check if the index.php is OK and I get:
ls: cannot open directory '.': Operation not permitted
Here is a simple docker-compose file, docker-compose.yml:
version: "3"
services:
  test-nginx:
    restart: always
    image: 'nginx:1.17.3'
    ports:
      - "8082:80"
    volumes:
      - ./src:/app/www/mysrc
When I build and start the container, I get:
$ docker-compose exec test-nginx sh
# cd /app/www
# ls -la
total 8
drwxr-xr-x 3 root root 4096 Oct 21 07:58 .
drwxr-xr-x 3 root root 4096 Oct 21 07:58 ..
drwxr-xr-x 3 root root 96 Oct 21 07:51 mysrc
# cd mysrc
# ls -la
ls: cannot open directory '.': Operation not permitted
# whoami
root
So, my nginx server is down because nginx can't access the source files.
Thanks for your help.
Docker containers are designed to be accessed as root users to execute commands that non-root users can't execute. We can run a command in a running container using the docker exec. We'll use the -i and -t option of the docker exec command to get the interactive shell with TTY terminal access.
Running containers as root is a bad idea for security. This has been shown time and time again. Hackers find new ways of escaping out of the container, and that grants unfettered access to the host or Kubernetes node.
If running elevated Docker commands does not fix the permission denied error, verify that your Docker Engine is running. Similar to running a docker command without the sudo command, a stopped Docker Engine triggers the permission denied error. How do you fix the error? By restarting your Docker engine.
Running the container as root brings a lot of risks. Although being root inside the container is not the same as root on the host machine (some more details here) and you're able to deny a lot of capabilities during container startup, it is still the recommended approach to avoid being root.
In order to exec using the root user inside the Docker container, we'll use the -u option: Using the "-u" option of the docker exec command, we define the id of the root user. We can also use the user name in this command: In order to check the current user details, we'll run the whoami command:
This is only a guess but the reason might be that Docker performs the UID map first for the image and then modifies /etc/sub{u,g}id resulting in different UID map rules -> Docker cannot map the user inside the container. You can verify this by running docker inspect <image name> and checking the directories in "LowerDir" part.
chmod +x scripts/myScript.sh
docker build .
Docker will keep the permissions when it copies the files.
Changing permissions of files you do not own in Linux requires root access, and the COPY command is most likely copying the file as root.
If it was working prior to the update to Catalina, the issue is due to the new permissions requested by Catalina.
Now, macOS requests permissions for everything, even for accessing a directory. So, probably you had a notification about granting Docker for Mac permission to access the shared folder, you didn't grant it, and now you are facing the outcome of such action.
To grant privileges now, go to System Preferences > Security & Privacy > Files and Folders, and add Docker for Mac and your shared directory.
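A check to run inside the container to tell a denial caused by Unix permission bits apart from one imposed outside them, which is what the answer above attributes to the macOS privacy settings. This is an added example, not part of the question or the answers; the function names and result labels are hypothetical, and it assumes GNU stat as shipped in the Debian-based nginx image.

```shell
#!/bin/sh
# Added example. Usage inside the container: sh diagnose.sh /app/www/mysrc

# mode_allows_list UID "GIDS" OWNER GROUP MODE
# Succeeds when the classic permission bits let UID list the directory.
mode_allows_list() {
    uid=$1 gids=$2 owner=$3 group=$4 mode=$5
    [ "$uid" -eq 0 ] && return 0                  # root bypasses mode bits
    perms=$(printf '%s' "000$mode" | tail -c 3)   # keep the rwx digits only
    if [ "$uid" -eq "$owner" ]; then
        digit=${perms%??}                         # owner digit
    else
        digit=${perms#??}                         # "other" digit by default
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then
                tmp=${perms#?}
                digit=${tmp%?}                    # group digit
            fi
        done
    fi
    [ $((digit & 5)) -eq 5 ]                      # listing needs r (4) and x (1)
}

# diagnose_mount DIR prints one label (names are this example's own):
#   missing | ok | mode-denied | denied-outside-mode-bits
diagnose_mount() {
    dir=$1
    if [ ! -e "$dir" ]; then echo missing; return 0; fi
    if ls -A "$dir" >/dev/null 2>&1; then echo ok; return 0; fi
    # Listing failed: compare against what owner, group and mode would allow.
    set -- $(stat -c '%u %g %a' "$dir")
    if mode_allows_list "$(id -u)" "$(id -G)" "$1" "$2" "$3"; then
        # The bits permit access, so the refusal comes from another layer,
        # e.g. the host declining to share the folder with Docker.
        echo denied-outside-mode-bits
    else
        echo mode-denied
    fi
}

if [ $# -gt 0 ]; then diagnose_mount "$1"; fi
```

For the session in the question (root, drwxr-xr-x, listing refused) this reports denied-outside-mode-bits, so changing ownership or mode inside the container would not help.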