Change permissions for named volumes in Docker

I have a Docker container with a named volume, running as a non-root user, started with the following command:

docker run -v backup:/backup someimage

In the image, there's a backup script which tries to save files in the /backup directory, but it fails. The backup volume mounted at /backup belongs to the root user.

How do I change permissions for the /backup directory?

-----EDIT1:

MCVE below:

Run docker container with Gerrit:

docker run -v backupgerrit:/backup --name gerrit gerritcodereview/gerrit

Now, in another terminal window, try to save something in the /backup dir:

docker exec gerrit touch /backup/testfile

You will get:

touch: cannot touch '/backup/testfile': Permission denied

Named volumes are initialized when first created to the contents of the image at the mount location. That initialization includes the owner and permissions. If /backup does not exist in your image, then an empty directory will be created and owned by root. You can:

Option 1: Create the directory in your Dockerfile with the appropriate ownership and permissions:

FROM your-image
USER root
RUN mkdir -p /backup \
 && chown -R your-user /backup
USER your-user

Note, this only works when the backup named volume does not already exist or is empty. And it needs to be a named volume, not a host volume.

Option 2: Initialize the named volume, including some content inside the volume (an empty file would work) using another temporary container:

docker run --rm -v backupgerrit:/backup busybox \
  /bin/sh -c 'touch /backup/.initialized && chown -R 1000:1000 /backup'

Option 3: Adjust the permissions after the volume is mounted, requiring root inside your container:

docker exec -u 0:0 your-container chown -R your-user /backup

Working solution here. Docker with default settings keeps volume data in /var/lib/docker/volumes/. Based on the example from the question, the files of the backupgerrit named volume are kept in /var/lib/docker/volumes/backupgerrit/_data. The essential directory is _data and its permissions. In this example, the Gerrit container uses a user with id 1000. The solution is to set ownership of this _data dir to 1000:1000.

# chown 1000:1000 /var/lib/docker/volumes/backupgerrit/_data
# ls -ln /var/lib/docker/volumes/backupgerrit/
drwxr-xr-x 2 1000 1000 4096 Feb 25 12:19 _data/

And this is how it looks from the container side:

# docker ps
CONTAINER ID   IMAGE                     COMMAND            CREATED          STATUS          PORTS                 NAMES
eaa816980be5   gerritcodereview/gerrit   "/entrypoint.sh"   31 minutes ago   Up 31 minutes   8080/tcp, 29418/tcp   gerrit
# docker exec gerrit id
uid=1000(gerrit) gid=1000(gerrit) groups=1000(gerrit)
# docker exec gerrit ls -l / | grep backup
drwxr-xr-x   2 gerrit gerrit 4096 Feb 25 11:19 backup
# docker exec gerrit touch /backup/testfile
# docker exec gerrit ls -l /backup
total 0
-rw-r--r-- 1 gerrit gerrit 0 Feb 25 11:19 testfile

Permissions of the _data dir persist until the volume is removed with:

# docker volume rm backupgerrit
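
Added example, not part of the original question or answers: a small diagnostic that reproduces the kernel's owner/group/other decision for creating a file in the mount point, so you can see why uid 1000 is denied on a root-owned 755 directory and allowed after the chown. The function names can_create_in_dir and check_mount are hypothetical helpers; the sketch assumes the image provides id and stat -c, and it models mode bits only (no ACLs, read-only mounts, or dropped capabilities).

```shell
#!/bin/sh
# can_create_in_dir UID "GID GID ..." OWNER_UID OWNER_GID OCTAL_MODE
# Prints the permission class that applies and returns 0 if file creation
# in the directory would be allowed by its mode bits, 1 otherwise.
can_create_in_dir() {
    cc_uid=$1; cc_gids=$2; cc_owner=$3; cc_group=$4
    cc_mode=$((0$5))    # stat %a prints octal (e.g. 755); leading 0 parses it as octal

    # Assumption: uid 0 still holds CAP_DAC_OVERRIDE (Docker's default set).
    if [ "$cc_uid" -eq 0 ]; then
        echo "allowed: uid 0 bypasses mode bits"
        return 0
    fi

    # Exactly one class applies: owner first, then group, then other.
    if [ "$cc_uid" -eq "$cc_owner" ]; then
        cc_class=owner; cc_bits=$(( ($cc_mode >> 6) & 7 ))
    else
        cc_class=other; cc_bits=$(( $cc_mode & 7 ))
        for cc_g in $cc_gids; do
            if [ "$cc_g" -eq "$cc_group" ]; then
                cc_class=group; cc_bits=$(( ($cc_mode >> 3) & 7 ))
            fi
        done
    fi

    # Creating a file needs write (2) and search (1) on the directory.
    if [ $(( $cc_bits & 3 )) -eq 3 ]; then
        echo "allowed: $cc_class bits = $cc_bits"
        return 0
    fi
    echo "denied: $cc_class bits = $cc_bits"
    return 1
}

# check_mount CONTAINER PATH: collect the real values from a running container.
# Usage: check_mount gerrit /backup
check_mount() {
    cm_uid=$(docker exec "$1" id -u) || return 2
    cm_gids=$(docker exec "$1" id -G) || return 2
    cm_stat=$(docker exec "$1" stat -c '%u %g %a' "$2") || return 2
    set -- $cm_stat    # split into owner uid, owner gid, octal mode
    can_create_in_dir "$cm_uid" "$cm_gids" "$1" "$2" "$3"
}
```

With the values from the question (uid 1000, directory owned by 0:0 with mode 755) the result is "denied: other bits = 5"; after any of the ownership fixes above it becomes "allowed: owner bits = 7".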