Estimated reading time: 13 minutes
Otherwise you may get Mounts denied or cannot start service errors at runtime. File share settings are: Add a Directory: Click + and navigate to the directory you want to add. Apply & Restart makes the directory available to containers using Docker's bind mount (-v) feature. Tips on shared folders, permissions, and volume mounts. Posted January 21, 2020 By sagarjethi. After an upgrade I got the permission denied. Doing the steps of ‘mkb' post install steps don't have change anything because my user was already in the 'docker' group; I retry-it twice any way without success. It's worth noting here that if you're ssh'd into the boot2docker VM as the docker user, after running the sshfs command above if you try and ls -la on the docker home dir to test that your mount worked you won't have access. Docker@boot2docker:$ ll /home/docker/ ls: /home/docker/osx: Permission denied total 4 - 1 docker staff 29 Jan 1 1970 boot2docker, please format-me.
Bind mounts have been around since the early days of Docker. Bind mounts havelimited functionality compared to volumes. When you use a bindmount, a file or directory on the host machine is mounted into a container.The file or directory is referenced by its absolute path on the hostmachine. By contrast, when you use a volume, a new directory is created withinDocker's storage directory on the host machine, and Docker manages thatdirectory's contents.
The file or directory does not need to exist on the Docker host already. It iscreated on demand if it does not yet exist. Bind mounts are very performant, butthey rely on the host machine's filesystem having a specific directory structureavailable. If you are developing new Docker applications, consider usingnamed volumes instead. You can't use Docker CLI commands to directlymanage bind mounts.
Choose the -v or --mount flag
In general, --mount is more explicit and verbose. The biggest difference is thatthe -v syntax combines all the options together in one field, while the --mountsyntax separates them. Here is a comparison of the syntax for each flag.
Tip: New users should use the --mount syntax. Experienced users maybe more familiar with the -v or --volume syntax, but are encouraged touse --mount, because research has shown it to be easier to use.
-vor--volume: Consists of three fields, separated by colon characters(:). The fields must be in the correct order, and the meaning of each fieldis not immediately obvious.- In the case of bind mounts, the first field is the path to the file ordirectory on the host machine.
- The second field is the path where the file or directory is mounted inthe container.
- The third field is optional, and is a comma-separated list of options, suchas
ro,z, andZ. These optionsare discussed below.
--mount: Consists of multiple key-value pairs, separated by commas and eachconsisting of a=tuple. The--mountsyntax is more verbosethan-vor--volume, but the order of the keys is not significant, andthe value of the flag is easier to understand.- The
typeof the mount, which can bebind,volume, ortmpfs. Thistopic discusses bind mounts, so the type is alwaysbind. - The
sourceof the mount. For bind mounts, this is the path to the fileor directory on the Docker daemon host. May be specified assourceorsrc. - The
destinationtakes as its value the path where the file or directoryis mounted in the container. May be specified asdestination,dst,ortarget. - The
readonlyoption, if present, causes the bind mount to be mounted intothe container as read-only. - The
bind-propagationoption, if present, changes thebind propagation. May be one ofrprivate,private,rshared,shared,rslave,slave. - The
--mountflag does not supportzorZoptions for modifyingselinux labels.
- The
Tip: New users should use the --mount syntax. Experienced users maybe more familiar with the -v or --volume syntax, but are encouraged touse --mount, because research has shown it to be easier to use.
-vor--volume: Consists of three fields, separated by colon characters(:). The fields must be in the correct order, and the meaning of each fieldis not immediately obvious.- In the case of bind mounts, the first field is the path to the file ordirectory on the host machine.
- The second field is the path where the file or directory is mounted inthe container.
- The third field is optional, and is a comma-separated list of options, suchas
ro,z, andZ. These optionsare discussed below.
--mount: Consists of multiple key-value pairs, separated by commas and eachconsisting of a=tuple. The--mountsyntax is more verbosethan-vor--volume, but the order of the keys is not significant, andthe value of the flag is easier to understand.- The
typeof the mount, which can bebind,volume, ortmpfs. Thistopic discusses bind mounts, so the type is alwaysbind. - The
sourceof the mount. For bind mounts, this is the path to the fileor directory on the Docker daemon host. May be specified assourceorsrc. - The
destinationtakes as its value the path where the file or directoryis mounted in the container. May be specified asdestination,dst,ortarget. - The
readonlyoption, if present, causes the bind mount to be mounted intothe container as read-only. - The
bind-propagationoption, if present, changes thebind propagation. May be one ofrprivate,private,rshared,shared,rslave,slave. - The
--mountflag does not supportzorZoptions for modifyingselinux labels.
- The
The examples below show both the --mount and -v syntax where possible, and--mount is presented first.
Differences between -v and --mount behavior
Because the -v and --volume flags have been a part of Docker for a longtime, their behavior cannot be changed. This means that there is one behaviorthat is different between -v and --mount.
If you use -v or --volume to bind-mount a file or directory that does notyet exist on the Docker host, -v creates the endpoint for you. It isalways created as a directory.
If you use --mount to bind-mount a file or directory that does notyet exist on the Docker host, Docker does not automatically create it foryou, but generates an error.
Start a container with a bind mount
Consider a case where you have a directory source and that when you build thesource code, the artifacts are saved into another directory, source/target/.You want the artifacts to be available to the container at /app/, and youwant the container to get access to a new build each time you build the sourceon your development host. Use the following command to bind-mount the target/directory into your container at /app/. Run the command from within thesource directory. The $(pwd) sub-command expands to the current workingdirectory on Linux or macOS hosts.
The --mount and -v examples below produce the same result. Youcan't run them both unless you remove the devtest container after running thefirst one.
Use docker inspect devtest to verify that the bind mount was createdcorrectly. Look for the Mounts section:
This shows that the mount is a bind mount, it shows the correct source anddestination, it shows that the mount is read-write, and that the propagation isset to rprivate.
Stop the container:
Mount into a non-empty directory on the container
If you bind-mount into a non-empty directory on the container, the directory'sexisting contents are obscured by the bind mount. This can be beneficial,such as when you want to test a new version of your application withoutbuilding a new image. However, it can also be surprising and this behaviordiffers from that of docker volumes.
This example is contrived to be extreme, but replaces the contents of thecontainer's /usr/ directory with the /tmp/ directory on the host machine. Inmost cases, this would result in a non-functioning container.
The --mount and -v examples have the same end result.
The container is created but does not start. Remove it:
Use a read-only bind mount
For some development applications, the container needs towrite into the bind mount, so changes are propagated back to theDocker host. At other times, the container only needs read access.
This example modifies the one above but mounts the directory as a read-onlybind mount, by adding ro to the (empty by default) list of options, after themount point within the container. Where multiple options are present, separatethem by commas.
The --mount and -v examples have the same result.
Use docker inspect devtest to verify that the bind mount was createdcorrectly. Look for the Mounts section:
Stop the container:
Docker Volume Permission Denied
Configure bind propagation
Bind propagation defaults to rprivate for both bind mounts and volumes. It isonly configurable for bind mounts, and only on Linux host machines. Bindpropagation is an advanced topic and many users never need to configure it.
Bind propagation refers to whether or not mounts created within a givenbind-mount or named volume can be propagated to replicas of that mount. Considera mount point /mnt, which is also mounted on /tmp. The propagation settingscontrol whether a mount on /tmp/a would also be available on /mnt/a. Eachpropagation setting has a recursive counterpoint. In the case of recursion,consider that /tmp/a is also mounted as /foo. The propagation settingscontrol whether /mnt/a and/or /tmp/a would exist.
| Propagation setting | Description |
|---|---|
shared | Sub-mounts of the original mount are exposed to replica mounts, and sub-mounts of replica mounts are also propagated to the original mount. |
slave | similar to a shared mount, but only in one direction. If the original mount exposes a sub-mount, the replica mount can see it. However, if the replica mount exposes a sub-mount, the original mount cannot see it. |
private | The mount is private. Sub-mounts within it are not exposed to replica mounts, and sub-mounts of replica mounts are not exposed to the original mount. |
rshared | The same as shared, but the propagation also extends to and from mount points nested within any of the original or replica mount points. |
rslave | The same as slave, but the propagation also extends to and from mount points nested within any of the original or replica mount points. |
rprivate | The default. The same as private, meaning that no mount points anywhere within the original or replica mount points propagate in either direction. |
Before you can set bind propagation on a mount point, the host filesystem needsto already support bind propagation.
For more information about bind propagation, see theLinux kernel documentation for shared subtree.
The following example mounts the target/ directory into the container twice,and the second mount sets both the ro option and the rslave Scrap mechanic free play no download. bind propagationoption.
The --mount and -v examples have the same result.
Now if you create /app/foo/, /app2/foo/ also exists.
Configure the selinux label
If you use selinux you can add the z or Z options to modify the selinuxlabel of the host file or directory being mounted into the container. Thisaffects the file or directory on the host machine itself and can haveconsequences outside of the scope of Docker.
- The
zoption indicates that the bind mount content is shared among multiplecontainers. - The
Zoption indicates that the bind mount content is private and unshared.
Docker 18 For Mac Volume Mount Permission Denied File
Use extreme caution with these options. Bind-mounting a system directorysuch as /home or /usr with the Z option renders your host machineinoperable and you may need to relabel the host machine files by hand.
Docker File Permission Denied
Important: When using bind mounts with services, selinux labels(:Z and :z), as well as :ro are ignored. Seemoby/moby #32579 for details.
Docker Ubuntu Volume Permission Denied
This example sets the z option to specify that multiple containers can sharethe bind mount's contents:
It is not possible to modify the selinux label using the --mount flag.
Next steps
Docker 18 For Mac Volume Mount Permission Denied Windows 10
- Learn about volumes.
- Learn about tmpfs mounts.
- Learn about storage drivers.
