SoFunction
Updated on 2025-04-11

Summary of the Docker container access mount file permissions

Problem description

When deploying a project using docker-compose, the yaml file is as follows:

version: '3'
services:
  purchasing-contract-consumer:
    image: /consumer:latest
    environment:
      - TZ=Asia/Shanghai
      - app_env=prod
    restart: always
    working_dir: /app
    command: python 
    volumes:
      - type: bind
        source: /home/admin/deploy/consumer/
        target: /app/

When starting the application, an error was reported:

PermissionError: [Errno 13] Permission denied: '/app/'

Cause analysis

In my application, a file has to be written inside the container, in a directory that is bind-mounted from the host. Because the host runs CentOS, SELinux is enabled by default. Under the SELinux policy, the container process runs as the container_t type, while files under a user's home directory on the host carry the user_home_t type by default. The two types do not match, so the policy denies the container process access to the mounted files.

Solution

Scheme 1: disable SELinux (not recommended)

To disable SELinux temporarily (setenforce 0 switches it to permissive mode until the next reboot):

sudo setenforce 0

Scheme 2: change the file type on the host to svirt_sandbox_file_t

chcon -t svirt_sandbox_file_t 

If the change has to be permanent (so that it survives a relabel), record the rule with semanage and then apply it:

semanage fcontext -a -t svirt_sandbox_file_t ""
restorecon 

After the files are relabelled svirt_sandbox_file_t, the SELinux policy allows the container process (type container_t) to access them. In current container-selinux policies svirt_sandbox_file_t is an alias of container_file_t, the same type that Scheme 3 relies on.

Scheme 3 (recommended): add :Z to the volume mapping. Docker then relabels the mounted host path to container_file_t so the container process can access it. Note that :Z gives the mount a label private to that one container (the MCS categories after s0 differ per container); if several containers share the same host directory, use the lowercase :z instead. The updated yaml file is as follows.

version: '3'
services:
  purchasing-contract-consumer:
    image: /consumer:latest
    environment:
      - TZ=Asia/Shanghai
      - app_env=prod
    restart: always
    working_dir: /app
    command: python 
    volumes:
      - /home/admin/deploy/consumer/:/app/:Z

After starting the container, check the SELinux context of the mounted directory on the host:

[admin@myhost consumer]$ ls -lZ
-rw-rw-r--. admin admin system_u:object_r:container_file_t:s0:c716,c748 
drwxr-xr-x. root  root  system_u:object_r:container_file_t:s0:c97,c362 config
-rwxr-xr-x. admin admin unconfined_u:object_r:user_home_t:s0 
-rw-rw-r--. admin admin unconfined_u:object_r:user_home_t:s0 
-rwxrwxr-x. admin admin unconfined_u:object_r:user_home_t:s0 

Entries relabelled through the :Z mount carry the container_file_t type and can be accessed by the container process; entries that still have the default user_home_t type cannot.
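To make this check repeatable, the following added example (not from the original article) audits "context name" pairs in the layout produced by stat -c '%C %n', reports every entry whose type a container_t process cannot use, and lists the distinct MCS levels seen, since more than one level means different containers relabelled parts of the same directory with :Z. The file names in the constructed sample are invented; audit_dir needs an SELinux-enabled host.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: audit the SELinux labels of a
# bind-mounted host directory and flag entries a container_t process cannot use.
set -eu

# Types container_t may use through a bind mount (svirt_sandbox_file_t is the old alias of container_file_t).
CONTAINER_TYPES="container_file_t svirt_sandbox_file_t"

# Type field of a context: system_u:object_r:container_file_t:s0:c716,c748 -> container_file_t
selinux_type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# MCS level of a context (field 4 onward): ... -> s0:c716,c748
selinux_level_of() { printf '%s\n' "$1" | cut -d: -f4-; }

# 0 if a file of this type is reachable from a container, 1 otherwise.
container_can_access() {
    case " $CONTAINER_TYPES " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read "<context> <name>" lines on stdin. Print INACCESSIBLE for wrong types,
# LEVEL for each distinct :Z level seen, and the inaccessible count as the last line.
audit_labels() {
    local bad=0 levels="" ctx name type level
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        type=$(selinux_type_of "$ctx")
        if container_can_access "$type"; then
            level=$(selinux_level_of "$ctx")
            case " $levels " in *" $level "*) ;; *) levels="$levels $level" ;; esac
        else
            printf 'INACCESSIBLE %s (%s)\n' "$name" "$type"
            bad=$((bad + 1))
        fi
    done
    # Several levels: files were relabelled by different containers (:Z is private
    # per container); a directory shared between containers needs :z instead.
    for level in $levels; do printf 'LEVEL %s\n' "$level"; done
    printf '%d\n' "$bad"
}

# Audit a real directory on an SELinux-enabled host.
audit_dir() { stat -c '%C %n' "$1"/* | audit_labels; }

# Constructed sample modelled on the article's ls -lZ output (file names invented).
SAMPLE='system_u:object_r:container_file_t:s0:c716,c748 app.log
system_u:object_r:container_file_t:s0:c97,c362 config
unconfined_u:object_r:user_home_t:s0 run.sh
unconfined_u:object_r:user_home_t:s0 settings.py'

# Number of sample entries the container cannot access (expected: 2).
sample_inaccessible_count() { printf '%s\n' "$SAMPLE" | audit_labels | tail -n 1; }
```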

Note that with Scheme 3 the :Z option cannot be given in the long (type: bind) volume syntax; only the short syntax works, as the two variants below show:

    volumes:
      - type: bind
        source: /home/admin/deploy/consumer/
        target: /app/:Z   # Invalid: the host path is not relabelled, so the container still cannot access it

    volumes:
      - /home/admin/deploy/consumer/:/app/:Z   # Effective: the host path is relabelled to container_file_t

The sample code is synced to Gitee.
