While going through the Docker docs, I came across the volumes-from option (https://docs.docker.com/engine/reference/commandline/run/) for the docker run command.
I didn't understand the differences between the ro, rw, and z options, provided as:
$ docker run --volumes-from ba8c0c54f0f2:ro -i -t ubuntu pwd
In the above command the ro option is replaced with z. I would be thankful if anyone could elaborate on the differences between these options.

- see the explanations in http://stackoverflow.com/questions/34031397/running-docker-on-ubuntu-mounted-host-volume-is-not-writable-from-container – user2915097 Feb 05 '16 at 11:00
- see also the volume labels at https://docs.docker.com/engine/userguide/containers/dockervolumes/ – user2915097 Feb 05 '16 at 11:01
- "Adding a label" means what? Is this only for understanding purposes or for something else? – Yogesh Jilhawar Feb 05 '16 at 11:46
- see https://docs.docker.com/engine/reference/commandline/run/ the section "Mount volumes from container (--volumes-from)" – user2915097 Feb 05 '16 at 12:25
- Hmmm.. It's the one that I mentioned in the question. But I didn't understand the meaning of "adding a label". It will be helpful for me if you explore a little bit more on this. – Yogesh Jilhawar Feb 05 '16 at 12:34
- With SELinux enabled, a non-privileged container cannot access files on the volume created after mounting the directory from the host system. If you need to access, from the container, files on the host, this z flag is required – user2915097 Feb 05 '16 at 12:57
4 Answers
Two suffixes :z or :Z can be added to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that the volume content will be shared between containers. Docker will label the content with a shared content label. Shared volumes labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label.
If you use selinux you can add the z or Z options to modify the selinux label of the host file or directory being mounted into the container. This affects the file or directory on the host machine itself and can have consequences outside of the scope of Docker.
The z option indicates that the bind mount content is shared among multiple containers.
The Z option indicates that the bind mount content is private and unshared.
Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable and you may need to relabel the host machine files by hand.
$ docker run -d \
  -it \
  --name devtest \
  -v "$(pwd)"/target:/app:z \
  nginx:latest
https://docs.docker.com/storage/bind-mounts/#configure-bind-propagation

- Ok. It means if I use it like this - `$ docker run --volumes-from ba8c0c54f0f2:z -i -t ubuntu pwd` then the exposed volume will be available for sharing with other containers. Am I right amit23comp? – Yogesh Jilhawar Feb 05 '16 at 11:44
- But what does it really mean? Without the 'z' suffix the volume content will NOT be shared? What does it mean "Docker will label the content with a shared content label."? – Alex Jan 05 '18 at 12:31
- It's still not clear how these options affect the container, maybe some examples would be helpful. – cmcginty Feb 19 '18 at 08:04
From tests here on my machine, -z lets you share content from one container with another. Suppose this image:
FROM alpine
RUN mkdir -p /var/www/html \
  && echo "foo" > /var/www/html/index.html
Let's build it and tag it as test-z:
$ docker build . -t test-z
Now create and run a test-z container with the name testing-z, mapping the volume test-vol to /var/www/html and adding the z modifier:
$ docker run \
  --name testing-z \
  --volume test-vol:/var/www/html:z \
  -d test-z tail -f /dev/null
The contents of /var/www/html from testing-z can be accessed from other containers by using the --volumes-from flag, like below:
$ docker run --rm --volumes-from testing-z -it nginx sh
# cat /var/www/html/index.html
foo
Note: I'm running Docker version 19.03.5-ce, build 633a0ea838

docker run --volumes-from a64f10cd5f0e:z -i -t rhel6 bin/bash
I have tested it: I mounted it in one container, and from that container to another new container. It goes with the rw option.

I've made the following observation:
# docker run --rm -ti -v /host/path/to/flyway/scripts:/flyway/sql:z --entrypoint '' flyway/flyway ls -l /flyway/sql
total 0
# docker run --rm -ti -v /host/path/to/flyway/scripts:/flyway/sql --entrypoint '' flyway/flyway ls -l /flyway/sql
ls: cannot open directory '/flyway/sql': Permission denied
So, in this case, the container works only if :z is set. On this host, SELinux is installed. If this is not the case, the :z doesn't have a recognizable effect to me.
Alternatively to :z, one could use chcon on the host folder to change this permission:
# chcon -t svirt_sandbox_file_t /host/path/to/flyway/scripts
# docker run --rm -ti -v /host/path/to/flyway/scripts:/flyway/sql:z --entrypoint '' flyway/flyway ls -l /flyway/sql
total 0
# docker run --rm -ti -v /host/path/to/flyway/scripts:/flyway/sql --entrypoint '' flyway/flyway ls -l /flyway/sql
total 0

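What "adding a label" means, and why the listing above is denied until the directory is relabeled, can be shown with a simplified model of the SELinux decision. This is an added example, not from the original answers: it does not query real SELinux policy, the function names are assumptions, and the contexts and category numbers are constructed.

```shell
#!/usr/bin/env bash
# Added example: simplified model of the SELinux decision behind :z and :Z.
# Assumptions: contexts look like user:role:type:s0[:cats], cats is a plain
# comma list (no c0.c1023 ranges), and a container process may only open
# files typed container_file_t (older policies: svirt_sandbox_file_t).

ctx_type() { echo "$1" | cut -d: -f3; }
ctx_cats() { echo "$1" | cut -d: -f5; }    # empty for a bare "s0" level

# can_access PROC_CTX FILE_CTX -> prints allow | deny:type | deny:category
can_access() {
  local proc_cats file_cats cat
  case $(ctx_type "$2") in
    container_file_t|svirt_sandbox_file_t) ;;
    *) echo "deny:type"; return 1 ;;
  esac
  proc_cats=$(ctx_cats "$1")
  file_cats=$(ctx_cats "$2")
  # MCS: every category on the file must also be held by the process.
  local IFS=,
  for cat in $file_cats; do
    case ",$proc_cats," in
      *",$cat,"*) ;;
      *) echo "deny:category"; return 1 ;;
    esac
  done
  echo allow
}

# Constructed contexts (category numbers are made up).
PROC_A="system_u:system_r:container_t:s0:c10,c20"
PROC_B="system_u:system_r:container_t:s0:c30,c40"
UNLABELED="unconfined_u:object_r:user_home_t:s0"           # plain host dir
SHARED="system_u:object_r:container_file_t:s0"             # after :z
PRIVATE_A="system_u:object_r:container_file_t:s0:c10,c20"  # after :Z by A
CHCON="unconfined_u:object_r:svirt_sandbox_file_t:s0"      # after chcon -t

for f in UNLABELED SHARED PRIVATE_A CHCON; do
  eval "ctx=\$$f"
  printf '%-10s A=%-14s B=%s\n' "$f" \
    "$(can_access "$PROC_A" "$ctx" || true)" "$(can_access "$PROC_B" "$ctx" || true)"
done
```

In this model :z and chcon -t both leave the content without categories, so every container can open it, while :Z stamps it with one container's categories and shuts out the others.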