24

I have this container based on debian:jessie (but this is not very relevant as I had the same issue with alpine:3.3). I get to the point where I need to

mount --bind /htdocs/www /home/user/example.com/www

and I get

mount: permission denied

I can't find anything in any kernel log, and -vvv yields nothing interesting. I obviously can do this on the host (with any other pair of subtree/node). In my example above /htdocs/www is the mountpoint of a Docker volume, but it doesn't appear like it's of any importance, as I can't mount --bind any pair of subtree/node inside the container.

Morpheu5
  • Is there a reason to mount from inside the container? Running the container with `-v /home/user/example.com/www:/htdocs/www` may be a better solution, as it's transparent to the container where those files came from, and it doesn't require giving the container additional privileges – thaJeztah Apr 11 '16 at 18:22
  • Good point. However, that forces me to recreate the container every time I want to add a new user and/or another site to an existing user. I want to be able to do this on a running container, without having to interrupt it. – Morpheu5 Apr 11 '16 at 20:53
  • you shouldn't put multiple sites in a container; spinning up a container takes roughly 300 milliseconds. Having just a single site in a container makes it a lot cleaner as well; you only have what's needed for -that- site, and (e.g.) you don't need to worry about possibly conflicting (site-a, site-b) – thaJeztah Apr 11 '16 at 22:27
  • I never said I was going to put multiple sites in a container. In fact, every subdomain will have its own apache/php container. What I'm doing here is having a single sftp-server container. Unfortunately I can't do hostname-based proxying with ssh/ftp, so this is the way it has to be: one container, multiple users, mount-binds and/or symlinks (depending on the chroot status). I could have said that this question was related to this http://stackoverflow.com/questions/36546147/how-do-i-change-the-umask-of-a-shared-docker-volume which in turn was related to another one. – Morpheu5 Apr 12 '16 at 09:18
  • ah, right, thanks for explaining – thaJeztah Apr 12 '16 at 11:46

3 Answers

34

For using the mount system call, you need the CAP_SYS_ADMIN capability. By default, Docker drops all capabilities when spawning a container (meaning that even as root, you're not allowed to do everything). See the mount(2) man page for more information.

You can start your container with the --cap-add=SYS_ADMIN flag to add this capability to your container:

root@host > docker run --rm -it --cap-add=SYS_ADMIN debian:jessie
root@ee0b1d5fe546:/# mkdir /mnt/test
root@ee0b1d5fe546:/# mount --bind /home /mnt/test/
root@ee0b1d5fe546:/# 

Use this with caution. Do not run untrusted software in a privileged container.

helmbert
  • I promise I'll be very careful :) Thanks. – Morpheu5 Apr 11 '16 at 21:15
  • I get: `/# mount --bind /home /mnt/test/ mount: /home is write-protected, mounting read-only mount: cannot mount /home read-only` – Nathan Osman Jan 21 '20 at 07:14
  • This changed the error from "permission denied" to "failed". Even adding all capabilities still fails. Using privileged=true as per Javier's answer works. – mhost Mar 08 '21 at 18:52
  • This used to work for me with --cap-add=SYS_ADMIN - but recently I found that it works only with --privileged – svinther Jul 20 '23 at 10:36

8

Try with --privileged flag:

docker run --rm -it --privileged=true debian
mkdir /mnt/test
mount --bind /home /mnt/test/

Javier

0

I was searching for some info on Docker/Kubernetes to give capabilities permission, and found that

docker run --rm -it --security-opt apparmor:unconfined --cap-add=SYS_ADMIN debian:jessie
mkdir /mnt/test
mount --bind /home /mnt/test/

would help.

Kyroo0