- The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traverse into the /mnt directory and found out flag.txt. Docker run -v /root:/mnt -it alpine.
- In order to do that, I created a volume over the NFS and bound it to the POD through the related volume claim. When I try to write or accede the shared folder I got a 'permission denied' message, since the NFS is apparently read-only. The following is the json file I used to create the volume.
Permissions the painful side of use volumes docker doentation use bind mounts docker doentation docker volumes how to create get started volume mount permission denied.
Estimated reading time: 13 minutes
Docker Volume Mount Permission
Bind mounts have been around since the early days of Docker. Bind mounts havelimited functionality compared to volumes. When you use a bindmount, a file or directory on the host machine is mounted into a container.The file or directory is referenced by its absolute path on the hostmachine. By contrast, when you use a volume, a new directory is created withinDocker’s storage directory on the host machine, and Docker manages thatdirectory’s contents.
The file or directory does not need to exist on the Docker host already. It iscreated on demand if it does not yet exist. Bind mounts are very performant, butthey rely on the host machine’s filesystem having a specific directory structureavailable. If you are developing new Docker applications, consider usingnamed volumes instead. You can’t use Docker CLI commands to directlymanage bind mounts.
Choose the -v or --mount flag
In general, --mount
is more explicit and verbose. The biggest difference is thatthe -v
syntax combines all the options together in one field, while the --mount
syntax separates them. Here is a comparison of the syntax for each flag.
Tip: New users should use the --mount
syntax. Experienced users maybe more familiar with the -v
or --volume
syntax, but are encouraged touse --mount
, because research has shown it to be easier to use.
-v
or--volume
: Consists of three fields, separated by colon characters(:
). The fields must be in the correct order, and the meaning of each fieldis not immediately obvious.- In the case of bind mounts, the first field is the path to the file ordirectory on the host machine.
- The second field is the path where the file or directory is mounted inthe container.
- The third field is optional, and is a comma-separated list of options, suchas
ro
,z
, andZ
. These optionsare discussed below.
--mount
: Consists of multiple key-value pairs, separated by commas and eachconsisting of a<key>=<value>
tuple. The--mount
syntax is more verbosethan-v
or--volume
, but the order of the keys is not significant, andthe value of the flag is easier to understand.- The
type
of the mount, which can bebind
,volume
, ortmpfs
. Thistopic discusses bind mounts, so the type is alwaysbind
. - The
source
of the mount. For bind mounts, this is the path to the fileor directory on the Docker daemon host. May be specified assource
orsrc
. - The
destination
takes as its value the path where the file or directoryis mounted in the container. May be specified asdestination
,dst
,ortarget
. - The
readonly
option, if present, causes the bind mount to be mounted intothe container as read-only. - The
bind-propagation
option, if present, changes thebind propagation. May be one ofrprivate
,private
,rshared
,shared
,rslave
,slave
. - The
--mount
flag does not supportz
orZ
options for modifyingselinux labels.
- The
The examples below show both the --mount
and -v
syntax where possible, and--mount
is presented first.
Differences between -v
and --mount
behavior
Because the -v
and --volume
flags have been a part of Docker for a longtime, their behavior cannot be changed. This means that there is one behaviorthat is different between -v
and --mount
.
If you use -v
or --volume
to bind-mount a file or directory that does notyet exist on the Docker host, -v
creates the endpoint for you. It isalways created as a directory.
If you use --mount
to bind-mount a file or directory that does notyet exist on the Docker host, Docker does not automatically create it foryou, but generates an error.
Start a container with a bind mount
Consider a case where you have a directory source
and that when you build thesource code, the artifacts are saved into another directory, source/target/
.You want the artifacts to be available to the container at /app/
, and youwant the container to get access to a new build each time you build the sourceon your development host. Use the following command to bind-mount the target/
directory into your container at /app/
. Run the command from within thesource
directory. The $(pwd)
sub-command expands to the current workingdirectory on Linux or macOS hosts.
The --mount
and -v
examples below produce the same result. Youcan’t run them both unless you remove the devtest
container after running thefirst one.
Use docker inspect devtest
to verify that the bind mount was createdcorrectly. Look for the Mounts
section:
This shows that the mount is a bind
mount, it shows the correct source anddestination, it shows that the mount is read-write, and that the propagation isset to rprivate
.
Stop the container:
Mount into a non-empty directory on the container
If you bind-mount into a non-empty directory on the container, the directory’sexisting contents are obscured by the bind mount. This can be beneficial,such as when you want to test a new version of your application withoutbuilding a new image. However, it can also be surprising and this behaviordiffers from that of docker volumes.
This example is contrived to be extreme, but replaces the contents of thecontainer’s /usr/
directory with the /tmp/
directory on the host machine. Inmost cases, this would result in a non-functioning container.
The --mount
and -v
examples have the same end result.
The container is created but does not start. Remove it:
Docker Mount Permission Denied
Use a read-only bind mount
For some development applications, the container needs towrite into the bind mount, so changes are propagated back to theDocker host. At other times, the container only needs read access.
This example modifies the one above but mounts the directory as a read-onlybind mount, by adding ro
to the (empty by default) list of options, after themount point within the container. Where multiple options are present, separatethem by commas.
The --mount
and -v
examples have the same result.
Use docker inspect devtest
to verify that the bind mount was createdcorrectly. Look for the Mounts
section:
Stop the container:
Configure bind propagation
Bind propagation defaults to rprivate
for both bind mounts and volumes. It isonly configurable for bind mounts, and only on Linux host machines. Bindpropagation is an advanced topic and many users never need to configure it.
Bind propagation refers to whether or not mounts created within a givenbind-mount or named volume can be propagated to replicas of that mount. Considera mount point /mnt
, which is also mounted on /tmp
. The propagation settingscontrol whether a mount on /tmp/a
would also be available on /mnt/a
. Eachpropagation setting has a recursive counterpoint. In the case of recursion,consider that /tmp/a
is also mounted as /foo
. The propagation settingscontrol whether /mnt/a
and/or /tmp/a
would exist.
Propagation setting | Description |
---|---|
shared | Sub-mounts of the original mount are exposed to replica mounts, and sub-mounts of replica mounts are also propagated to the original mount. |
slave | similar to a shared mount, but only in one direction. If the original mount exposes a sub-mount, the replica mount can see it. However, if the replica mount exposes a sub-mount, the original mount cannot see it. |
private | The mount is private. Sub-mounts within it are not exposed to replica mounts, and sub-mounts of replica mounts are not exposed to the original mount. |
rshared | The same as shared, but the propagation also extends to and from mount points nested within any of the original or replica mount points. |
rslave | The same as slave, but the propagation also extends to and from mount points nested within any of the original or replica mount points. |
rprivate | The default. The same as private, meaning that no mount points anywhere within the original or replica mount points propagate in either direction. |
Before you can set bind propagation on a mount point, the host filesystem needsto already support bind propagation.
For more information about bind propagation, see theLinux kernel documentation for shared subtree.
The following example mounts the target/
directory into the container twice,and the second mount sets both the ro
option and the rslave
bind propagationoption.
The --mount
and -v
examples have the same result.
Now if you create /app/foo/
, /app2/foo/
also exists.
Configure the selinux label
If you use selinux
you can add the z
or Z
options to modify the selinuxlabel of the host file or directory being mounted into the container. Thisaffects the file or directory on the host machine itself and can haveconsequences outside of the scope of Docker.
- The
z
option indicates that the bind mount content is shared among multiplecontainers. - The
Z
option indicates that the bind mount content is private and unshared.
Use extreme caution with these options. Bind-mounting a system directorysuch as /home
or /usr
with the Z
option renders your host machineinoperable and you may need to relabel the host machine files by hand.
Important: When using bind mounts with services, selinux labels(:Z
and :z
), as well as :ro
are ignored. Seemoby/moby #32579 for details.
This example sets the z
option to specify that multiple containers can sharethe bind mount’s contents:
It is not possible to modify the selinux label using the --mount
flag.
Next steps
- Learn about volumes.
- Learn about tmpfs mounts.
- Learn about storage drivers.