Docker-compose and named volume permission denied

Question

There is docker-compose that uses base Dockerfile created image for application.

Dockerfile looks similar to below. Some lines are omitted for reason.

FROM ubuntu:18.04

RUN set -e -x ;\
    apt-get -y update ;\
    apt-get -y upgrade ;

...

USER service

When using this image in docker-compose and adding named volume to service, folder in named volume is not accessible, with message Permission denied. Part from docker-compose looks as below.

version: "3.1"
    services:
        myapp:
            image: myappimage
            command:
                - /myapp
            ports:
                - 12345:1234
            volumes:
                - logs-folder:/var/log/myapp

volumes:
    logs-folder:

My assumption was that USER service line is issue, which I confirmed by setting user: root in myapp service.

Now, question is next. I would like to avoid manually creating volume and setting permissions. I would like it to be automated using docker-compose.

Is this possible and if yes, how can this be done?

are you able to do the same in docker compose? – codeSeeker Dec 27 '21 at 18:25 — codeSeeker, Dec 27 '21 at 18:25

Mafor · Accepted Answer · 2020-09-23T18:27:37.007

12

Yes, there is a trick. Not really in the docker-compose file, but in the Docker file. You need to create the /var/log/myapp folder and set its permissions before switching to the service user:

FROM ubuntu:18.04

RUN useradd myservice
RUN mkdir /var/log/myapp
RUN chown myservice:myservice /var/log/myapp

...

USER myservice:myservice

Docker-compose will preserve permissions.

See Docker Compose mounts named volumes as 'root' exclusively

edited Sep 23 '20 at 18:27

answered Sep 23 '20 at 18:21

Mafor

9,668
2
21
36

1

Thanks, I was afraid of that. I wanted to avoid this, since image is created using bazel build tool, and I am not sure where will it be created. I think same issue happens with host folders mounted as volumes, am i right? – EnterSB Sep 23 '20 at 20:40
2

@EnterSB With host folders it's even worst, the trick above won't work. There is another hack though. See my response to this question: https://stackoverflow.com/a/64006395/9090751 – Mafor Sep 23 '20 at 20:56
I will check that entry point service. It might be helpful and cleaner than Dockerfile, as its image is just base for my bazel container image creator routine. – EnterSB Sep 23 '20 at 22:03
can you please add that second solution here as well? I ended up using it instead of this one, it is cleaner then updating image. Thank you very much – EnterSB Sep 24 '20 at 13:24

score 0 · Answer 2 · answered Dec 15 '21 at 13:33

0

I had a similar issue but mine was related to a file shared via a volume to a service I was not building with a Dockerfile, but pulling. I had shared a shell script that I used in docker-compose but when I executed it, did not have permission.

I resolved it by using chmod in the command of docker compose

command: -c "chmod a+x ./app/wait-for-it.sh && ./app/wait-for-it.sh -t 150 -h ..."
volumes:
    - ./wait-for-it.sh:/app/wait-for-it.sh

answered Dec 15 '21 at 13:33

KeaganFouche

581
5
12

I later did something similar, where volume is same one used in other service. Only problem is which command to run, but I managed to use `chown` instead of `chmod`. – EnterSB May 12 '22 at 01:05

Docker-compose and named volume permission denied

2 Answers2

Linked