I am trying to mount a host directory in Docker, but then I cannot access it from within the container, even if the access permissions look good.
I am doing
sudo docker run -i -v /data1/Downloads:/Downloads ubuntu bash
and then
ls -al
It gives me:
total 8892
drwxr-xr-x.  23 root root    4096 Jun 18 14:34 .
drwxr-xr-x.  23 root root    4096 Jun 18 14:34 ..
-rwxr-xr-x.   1 root root       0 Jun 18 14:34 .dockerenv
-rwx------.   1 root root 9014486 Jun 17 22:09 .dockerinit
drwxrwxr-x.  18 1000 1000   12288 Jun 16 11:40 Downloads
drwxr-xr-x.   2 root root    4096 Jan 29 18:10 bin
drwxr-xr-x.   2 root root    4096 Apr 19  2012 boot
drwxr-xr-x.   4 root root     340 Jun 18 14:34 dev
drwxr-xr-x.  56 root root    4096 Jun 18 14:34 etc
drwxr-xr-x.   2 root root    4096 Apr 19  2012 home
and a lot more lines like that (I think this is the relevant portion).
If I do
cd /Downloads
ls
the result is
ls: cannot open directory .: Permission denied
The host is Fedora 20, with Docker 1.0.0 and go1.2.2.
What is going wrong?
If running elevated Docker commands does not fix the permission denied error, verify that your Docker Engine is running. Similar to running a docker command without the sudo command, a stopped Docker Engine triggers the permission denied error. How do you fix the error? By restarting your Docker engine.
Fix 1: Run all the docker commands with sudo
If you have sudo access on your system, you may run each docker command with sudo and you won't see this 'Got permission denied while trying to connect to the Docker daemon socket' anymore.
See this Project Atomic blog post about Volumes and SELinux for the full story.
Specifically:
This got easier recently since Docker finally merged a patch which will be showing up in docker-1.7 (We have been carrying the patch in docker-1.6 on RHEL, CentOS, and Fedora).
This patch adds support for "z" and "Z" as options on the volume mounts (-v).
For example:
docker run -v /var/db:/var/db:z rhel7 /bin/sh
Will automatically do the
chcon -Rt svirt_sandbox_file_t /var/db
described in the man page. Even better, you can use Z.
docker run -v /var/db:/var/db:Z rhel7 /bin/sh
This will label the content inside the container with the exact MCS label that the container will run with, basically it runs
chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db
where s0:c1,c2 differs for each container.
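The difference between an unlabelled directory, a `:z` mount and a `:Z` mount can be checked by comparing SELinux contexts. The script below is an added example, not code from the blog post or from Docker. Its contexts are constructed samples in `ls -Zd` / `ps -eZ` format, the process type `svirt_lxc_net_t` and the `default_t` directory label are assumptions, and it only handles comma-separated category lists as shown above, not ranges.

```bash
#!/usr/bin/env bash
# Added example: decide whether a container process can open a bind-mounted
# host path, given the SELinux contexts of the process and the directory.

# Context layout is user:role:type:sensitivity[:categories]
ctx_type() { echo "$1" | cut -d: -f3; }
ctx_cats() { echo "$1" | cut -d: -f5; }   # empty when the level is plain "s0"

# Access is allowed when the file carries the container file type and every
# MCS category on the file is also held by the process.
can_access() {
    local proc="$1" file="$2" c
    case "$(ctx_type "$file")" in
        # container_file_t is the newer name for svirt_sandbox_file_t
        svirt_sandbox_file_t|container_file_t) ;;
        *) echo "denied: file type $(ctx_type "$file")"; return 1 ;;
    esac
    for c in $(ctx_cats "$file" | tr ',' ' '); do
        case ",$(ctx_cats "$proc")," in
            *",$c,"*) ;;
            *) echo "denied: process lacks category $c"; return 1 ;;
        esac
    done
    echo "allowed"
}

# Constructed sample contexts (not taken from a real host).
PROC_A='system_u:system_r:svirt_lxc_net_t:s0:c1,c2'        # container A
PROC_B='system_u:system_r:svirt_lxc_net_t:s0:c3,c4'        # container B
UNLABELED='system_u:object_r:default_t:s0'                 # plain -v mount
SHARED_z='system_u:object_r:svirt_sandbox_file_t:s0'       # after :z
PRIVATE_Z='system_u:object_r:svirt_sandbox_file_t:s0:c1,c2' # after :Z for A

for file in "$UNLABELED" "$SHARED_z" "$PRIVATE_Z"; do
    for proc in "$PROC_A" "$PROC_B"; do
        printf '%s\n  -> %s\n  %s\n' "$proc" "$file" \
            "$(can_access "$proc" "$file" || true)"
    done
done
```

On a real host, the two inputs would come from `ls -Zd` on the host directory and `ps -eZ` for the container's process.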