Docker bind volume permission deny problem and potential solution

Stephen Cow Chau
2 min read · Nov 17, 2021

Given a docker run setup as follows:

docker run -d --restart=unless-stopped \
--name step-ca \
-v /ca/step:/home/step \
-p 9250:9000 \
-e "DOCKER_STEPCA_INIT_NAME=Smallstep" \
-e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \
smallstep/step-ca

This is expected to start a step-ca container (Smallstep's certificate authority), which initializes its data under /home/step inside the container; the bind mount maps that container path to the host folder /ca/step.

The result is a permission denied error, as follows:

The reason is that the container tries to create folders inside /home/step (that is, inside the bind-mounted host folder /ca/step) and is denied permission.

Checking inside the container shows that it runs as a user called step (one can confirm this by opening a shell in the container with the following command):

docker run -it \
--name step-ca2 \
-v /ca/step:/home/step \
-p 9250:9000 \
smallstep/step-ca sh

and inspecting /etc/passwd (cat /etc/passwd):

This user has no permission to write to the host folder, because Docker created the missing bind-mount source directory itself, owned by root.

Solution

The solution is "simple": pre-create the /ca/step folder on the host and make it owned by user id 1000 (the container's step user has uid 1000). Since this folder will hold the CA's private keys, keep its mode restrictive so that no other host account can read it; whichever host account happens to have uid 1000 will be able to.

One can check who the host's login user is (whoami) and its numeric user id (id -u, or look it up in /etc/passwd) to see whether it is already 1000.

If not, one can also try to run the container with the switch --user "$(id -u):$(id -g)" so that the process inside the container runs as the host user who owns /ca/step. Note that this uid then has no entry in the image's /etc/passwd, and the container no longer runs as the step user the image was built for.
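As an added example (not part of the original post), here is a small POSIX sh script that prepares /ca/step the way the solution above describes and verifies the ownership and mode before the container is started. The uid 1000 and the /ca/step path come from the post; the function names, the mode-bit check and the chmod 700 hardening are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): prepare the host directory that
# will be bind-mounted onto /home/step so that the container's "step" user
# (uid/gid 1000, as seen in the image's /etc/passwd) can write to it, and
# verify the result before running the container.
set -eu

# Print "uid gid octal-mode" for a path. Tries GNU stat first, then BSD stat.
dir_owner_mode() {
  stat -c '%u %g %a' "$1" 2>/dev/null || stat -f '%u %g %OLp' "$1"
}

# Succeed if uid:gid gets rwx on the directory according to its classic
# owner/group/other mode bits. This deliberately ignores POSIX ACLs, SELinux
# or AppArmor labels and userns-remap, all of which can change the real answer.
dir_rwx_for() {
  dir=$1; uid=$2; gid=$3
  set -- $(dir_owner_mode "$dir")
  owner=$1; group=$2; mode=$3
  perms=$(printf '%s' "$mode" | tail -c 3)   # drop any setuid/setgid/sticky digit
  while [ ${#perms} -lt 3 ]; do perms=0$perms; done
  o=${perms%??}; g=${perms#?}; g=${g%?}; w=${perms#??}
  if [ "$owner" = "$uid" ]; then bits=$o
  elif [ "$group" = "$gid" ]; then bits=$g
  else bits=$w
  fi
  [ "$bits" = 7 ]
}

# Create the bind-mount source with the ownership and mode step-ca needs.
# Needs root on the host when uid:gid is not your own account.
prepare_ca_dir() {
  dir=$1; uid=$2; gid=$3
  mkdir -p "$dir"
  chown "$uid:$gid" "$dir"
  chmod 700 "$dir"   # the CA's private keys will live here; nobody else needs access
  dir_rwx_for "$dir" "$uid" "$gid"
}

# Usage on the host, as root, before the docker run command from the post:
#   CA_DIR=/ca/step STEP_UID=1000 STEP_GID=1000 sh prepare-ca-dir.sh run
if [ "${1:-}" = run ]; then
  ca_dir=${CA_DIR:-/ca/step}
  prepare_ca_dir "$ca_dir" "${STEP_UID:-1000}" "${STEP_GID:-1000}" \
    && echo "ok: $ca_dir is writable by uid ${STEP_UID:-1000}"
fi
```

The check reads only the classic mode bits, so on a host with POSIX ACLs, SELinux labels or Docker's userns-remap (where container uid 1000 maps to a different host uid) confirm the result with the real container rather than trusting the script alone.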
