moby: --tmpfs with --user works for the first time. Fails in subsequent container starts.
I’m trying to run a busybox container with --tmpfs and -u set. After starting the container the first time I can write to the tmpfs volume; after stopping it and starting it a second time, it fails with permission denied.
I’m running Fedora 23
Linux localhost.localdomain 4.3.3-303.fc23.x86_64 #1 SMP Tue Jan 19 18:31:55 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
docker version
Client:
Version: 1.10.1
API version: 1.22
Go version: go1.5.3
Git commit: 9e83765
Built: Thu Feb 11 19:33:13 2016
OS/Arch: linux/amd64
Server:
Version: 1.10.1
API version: 1.22
Go version: go1.5.3
Git commit: 9e83765
Built: Thu Feb 11 19:33:13 2016
OS/Arch: linux/amd64
docker info
Containers: 43
Running: 1
Paused: 0
Stopped: 42
Images: 194
Server Version: 1.10.1
Storage Driver: devicemapper
Pool Name: docker-253:0-1316958-pool
Pool Blocksize: 65.54 kB
Base Device Size: 107.4 GB
Backing Filesystem: ext4
Data file: /dev/loop0
Metadata file: /dev/loop1
Data Space Used: 36.48 GB
Data Space Total: 107.4 GB
Data Space Available: 5.229 GB
Metadata Space Used: 29.13 MB
Metadata Space Total: 2.147 GB
Metadata Space Available: 2.118 GB
Udev Sync Supported: true
Deferred Removal Enabled: false
Deferred Deletion Enabled: false
Deferred Deleted Device Count: 0
Data loop file: /var/lib/docker/devicemapper/devicemapper/data
WARNING: Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
Library Version: 1.02.109 (2015-09-22)
Execution Driver: native-0.2
Logging Driver: json-file
Plugins:
Volume: local
Network: bridge null host
Kernel Version: 4.3.3-303.fc23.x86_64
Operating System: Fedora 23 (Workstation Edition)
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.726 GiB
Name: localhost.localdomain
ID: QOYG:UF6S:FW7E:HDNU:CTP3:M4M5:6LYZ:FCEX:Q2TH:EKDR:PXYR:FU6H
To reproduce
$ docker create -u 1000:1000 --tmpfs /tmpfs --name testcase busybox sleep 1000
8fec7d4d3103566ac4691b1765df540e6c3a79dab6bbc6293176a79cdebe1440
$ docker start testcase
testcase
$ docker exec -ti testcase touch /tmpfs/test
$ docker stop testcase
testcase
$ docker start testcase
testcase
$ docker exec -ti testcase touch /tmpfs/test
touch: /tmpfs/test: Permission denied
Expected result: I can consistently write to tmpfs across several container restarts.
Actual result: I can only write to tmpfs on the first container start; I need to remove and recreate the container.
About this issue
- State: open
- Created 8 years ago
- Reactions: 2
- Comments: 16 (9 by maintainers)
Commits related to this issue
- Plex: workaround for /transcode permissions See: https://github.com/moby/moby/issues/20437 — committed to corintio/plexflix by deleted user 5 years ago
- work around moby/moby#20437, add mount opts Signed-off-by: Matt Hamilton <m@tthamilton.com> Co-authored-by: Nico Berlee <nico.berlee@on2it.net> — committed to Eriner/mastodon by Eriner 2 years ago
same issue here
Trying to run a plexinc/pms-docker container but use tmpfs for the /transcode directory to speed up the transcoding process on a slow HD and not wear out the SSD, but none of the methods above mounted the directory with permissions that allow plex to write after a restart.
To mitigate the problem I need to:
What doesn’t work:
--tmpfs /transcode:mode=1777
--tmpfs /transcode:mode=0777
--tmpfs /transcode:mode=777
--mount type=tmpfs,destination=/transcode,tmpfs-mode=1777
--mount type=tmpfs,destination=/transcode,tmpfs-mode=0777
--mount type=tmpfs,destination=/transcode,tmpfs-mode=777
always results right after run:
drwxr-xr-x 2 plex plex 40 Nov 6 21:49 .
after docker restart:
drwxr-xr-x 2 root root 40 Nov 6 21:50 .
Docker version 18.06.1-ce, build e68fc7a215
What does work:
--tmpfs /transcode:uid=1000,gid=1000 (docker/compose#3425)
uid/gid only affect directory after container restart
$ docker exec -it plex ls -lah /transcode; docker restart plex; docker exec -it plex ls -lah /transcode;
total 4.0K
drwxr-xr-x  2 plex plex   40 Nov 6 22:03 .
drwxr-xr-x 25 root root 4.0K Nov 6 22:03 ..
plex
total 4.0K
drwxr-xr-x  2 1001 1001   40 Nov 6 22:03 .
drwxr-xr-x 25 root root 4.0K Nov 6 22:03 ..
Is docker using the permission mount options of tmpfs after starting a container? In my tests the permissions only work when creating the container and the underlying directory does not exist.
I think the expected and correct behavior should be that tmpfs should always honor the mount options permissions.
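The restart check this thread describes, as an added example that is not part of the issue or of Docker's own tooling: `tmpfs_writable_by` decides from a numeric `ls -ldn` line whether the container's uid/gid can write the mount point, and `check_tmpfs_restart` (assumes a docker CLI on PATH and uses a constructed container name) drives the create/start/stop/start sequence from the report for a given `--tmpfs` spec, so the plain mount and the `uid=,gid=` workaround can be compared on any daemon version.

```shell
#!/bin/sh
# Added example, not from the issue thread or from Docker itself.
# Checks whether a --tmpfs mount stays writable for a non-root -u user
# across a stop/start, the sequence reported above.

# Decide whether uid $1 / gid $2 may write to the directory described by
# the `ls -ldn` line in $3, e.g. "drwxr-xr-x 2 0 0 40 Nov 6 21:50 /tmpfs".
# Numeric owners (-n) are required: inside the container uid 1000 may be
# shown as "plex" or not resolve at all. Prints "yes" or "no".
tmpfs_writable_by() {
    uid=$1; gid=$2
    set -- $3                       # split the ls line into fields
    mode=$1; owner=$3; group=$4     # field 2 is the link count
    case $mode in ????????w*) echo yes; return 0;; esac      # other w
    if [ "$owner" = "$uid" ]; then
        case $mode in ??w*) echo yes; return 0;; esac        # owner w
    fi
    if [ "$group" = "$gid" ]; then
        case $mode in ?????w*) echo yes; return 0;; esac     # group w
    fi
    echo no
    return 1
}

# Drive the create/start/stop/start sequence from the report for the
# --tmpfs spec in $1 and report whether uid 1000:1000 can still write
# after the restart. Assumes a docker CLI on PATH; the container name
# "tmpfs-restart-check" is a constructed value.
check_tmpfs_restart() {
    spec=$1; dest=${spec%%:*}; name=tmpfs-restart-check
    docker rm -f "$name" >/dev/null 2>&1
    docker create -u 1000:1000 --tmpfs "$spec" --name "$name" \
        busybox sleep 1000 >/dev/null
    docker start "$name" >/dev/null
    docker exec "$name" touch "$dest/first-start"   # works on first start
    docker stop -t 0 "$name" >/dev/null
    docker start "$name" >/dev/null
    line=$(docker exec "$name" ls -ldn "$dest")
    docker rm -f "$name" >/dev/null
    echo "$spec after restart: $line"
    tmpfs_writable_by 1000 1000 "$line"
}

# Only talk to docker when explicitly asked (sh this-file.sh --run).
if [ "${1-}" = "--run" ]; then
    check_tmpfs_restart /tmpfs                       # issue's reproduction
    check_tmpfs_restart /tmpfs:uid=1000,gid=1000     # workaround from thread
fi
```

On an affected daemon the first call prints `no` and the second `yes`; a fixed daemon prints `yes` for both.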