Lately I have been running Docker on a CentOS 7 Linux server. In theory you only need to write a docker-compose file and a few config files and you are done.

But when it actually ran, the **volume** to be mounted kept failing with Permission Denied (even after setting the file permissions to 777...).

After going around in circles I found out that this happens on operating systems running **SELinux** (RHEL, CentOS and Fedora).

There are two ways to solve it:

  • Option A: run the chcon command to relabel the files so the container is allowed to access them

```shell
chcon -Rt svirt_sandbox_file_t /your/conf/file
```

For an explanation of **chcon**, see this document.

  • Option B: add :Z to the volume entry in the compose file and let Docker handle the labelling

```yaml
volumes:
    - ./conf/some-conf:/etc/service/service.conf:Z
```

Just append :Z at the end of the volume mapping and run it again.

This is actually documented in man docker run as well (far down the page); it is just that hardly anyone reads that far (guilty).
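As an added example that is not part of the original post, here is a small POSIX sh helper that checks whether a host path already carries an SELinux type containers may use and prints the fix otherwise. The function names are my own; it assumes GNU stat (`-c %C`) and getenforce on the host, and the `semanage fcontext` line is the persistent alternative to `chcon`, whose labels a relabel (restorecon) would undo.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether a host path carries
# an SELinux type that containers are allowed to read and write, and print the fix.
# svirt_sandbox_file_t is the type from the man page; container_file_t is its
# alias in current container-selinux policy, so either one counts as labelled.

# Third field of user:role:type:level, e.g. "user_home_t".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Returns 0 when the context's type is one containers may access.
is_container_type() {
    case "$(selinux_type "$1")" in
        svirt_sandbox_file_t|container_file_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Inspect a real path. Needs an SELinux host (getenforce, GNU stat %C);
# returns 1 when the path still needs relabelling.
check_volume_path() {
    path="$1"
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce)" != "Enforcing" ]; then
        echo "SELinux is not enforcing; labels will not block the mount"
        return 0
    fi
    ctx=$(stat -c %C "$path")          # e.g. unconfined_u:object_r:user_home_t:s0
    if is_container_type "$ctx"; then
        echo "$path is already $(selinux_type "$ctx")"
        return 0
    fi
    echo "$path is $(selinux_type "$ctx"): containers will get Permission Denied"
    echo "  one-off fix:    chcon -Rt svirt_sandbox_file_t '$path'   (or mount with :Z)"
    # chcon labels are lost on a relabel (restorecon); record a rule to make it stick.
    echo "  persistent fix: semanage fcontext -a -t container_file_t '$path(/.*)?' && restorecon -Rv '$path'"
    return 1
}

if [ $# -gt 0 ]; then
    check_volume_path "$1"
fi
```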

```
Mounting External Volumes
       To mount a host directory as a container volume, specify the absolute path to the directory and the absolute path for the container directory separated by a
       colon:

              # docker run -v /var/db:/data1 -i -t fedora bash

       When using SELinux, be aware that the host has no knowledge of container SELinux policy. Therefore, in the above example, if SELinux policy is enforced, the
       /var/db directory is not writable to the container. A "Permission Denied" message will occur and an avc: message in the host's syslog.

       To work around this, at time of writing this man page, the following command needs to be run in order for the proper SELinux policy type label to be attached to
       the host directory:

              # chcon -Rt svirt_sandbox_file_t /var/db

       Now, writing to the /data1 volume in the container will be allowed and the changes will also be reflected on the host in /var/db.
```

Ref: Project Atomic