Pompey Magnus

Reputation: 2351

Docker data volume container. I can't seem to get to backup

Reading these links:

  1. https://docs.docker.com/userguide/dockervolumes/#backup-restore-or-migrate-data-volumes
  2. Backing up data volume containers off machine

My understanding is I can take a data volume container and archive its backup. However, reading the first link, I can't seem to get it to work.

docker create -v /sonatype-work --name sonatype-work sonatype/nexus /bin/true

I launch sonatype/nexus image in a container using:

--volumes-from sonatype-nexus

All good, after running nexus, I inspect the data volume, I can see the innards created, and stop and remove nexus and start again, all changes saved.

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                    NAMES
f84abb054d2e        sonatype/nexus      "/bin/sh -c 'java   -"   22 seconds ago      Up 21 seconds       0.0.0.0:8081->8081/tcp   nexus
1aea2674e482        sonatype/nexus      "/bin/true"              25 seconds ago      Created                                      sonatype-work

I want to now back up sonatype-work, but with no luck.

[root@ansible22 ~]# pwd
/root
[root@ansible22 ~]# docker run --volumes-from sonatype-work -v $(pwd):/backup ubuntu tar cvf /backup/sonatype-work-backup.tar /sonatype-work
tar: /backup/sonatype-work-backup.tar: Cannot open: Permission denied
tar: Error is not recoverable: exiting now

I have tried running as -u root; I also tried with:

/root/sonatype-work-backup.tar

When doing so, I can see it tarring stuff, but I don't see the tar file. Based on the example and my understanding I don't think that's right anyway.

Can anyone see what I'm doing wrong?

EDIT: Linux Version Info

Fedora release 22 (Twenty Two)
NAME=Fedora
VERSION="22 (Twenty Two)"
ID=fedora
VERSION_ID=22
PRETTY_NAME="Fedora 22 (Twenty Two)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:22"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=22
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=22
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Server Edition"
VARIANT_ID=server
Fedora release 22 (Twenty Two)
Fedora release 22 (Twenty Two)

Upvotes: 3

Views: 545

Answers (2)

Will Hogan

Reputation: 919

The reason for this is related to selinux labelling. There are a couple of good Project Atomic pages on this:

Docker and Linux

The default type for a confined container process is svirt_lxc_net_t. This type is permitted to read and execute all file types under /usr and most types under /etc. svirt_lxc_net_t is permitted to use the network but is not permitted to read content under /var, /home, /root, /mnt … svirt_lxc_net_t is permitted to write only to files labeled svirt_sandbox_file_t and docker_var_lib_t. All files in a container are labeled by default as svirt_sandbox_file_t.

Then in Using Volumes with Docker can Cause Problems with SELinux:

This will label the content inside the container with the exact MCS label that the container will run with, basically it runs chcon -Rt svirt_sandbox_file_t -l s0:c1,c2 /var/db where s0:c1,c2 differs for each container.

(In this case not /var/db but /root)

If you volume mount an image with -v /SOURCE:/DESTINATION:z docker will automatically relabel the content for you to s0. If you volume mount with a Z, then the label will be specific to the container, and not be able to be shared between containers.

So either z or Z is suitable in this case, but one might usually prefer Z for the isolation.

Upvotes: 3
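The fix the answer describes, applied to the question's backup command, as an added example (not code from the question, the answers, or the Project Atomic pages). It puts the `:Z` option on the host bind mount so Docker relabels /root with the container's private MCS label before tar writes there, and it includes a small check that flags `-v` specs for host paths that carry neither `z` nor `Z`. Since the denial comes from SELinux type enforcement rather than file ownership, running as `-u root` inside the container does not help, which is what the question observed. The function names, the restore command, and the use of `--rm` are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the question or answers. Builds the backup and
# restore commands with an SELinux relabel option on the host bind mount,
# and checks -v specs for host bind mounts that lack z/Z.

# Return 0 when a -v SOURCE:DEST[:OPTS] spec needs no relabel or already has
# one, 1 when it is a host bind mount with neither z nor Z.
# Named and anonymous volumes are not host bind mounts, so they pass.
has_selinux_relabel() {
    spec="$1"
    case "$spec" in
        *:*) ;;                        # has SOURCE:DEST form
        *) return 0 ;;                 # single path: anonymous volume, not a bind mount
    esac
    case "$spec" in
        /*) ;;                         # host path: label matters
        *) return 0 ;;                 # named volume: no host label involved
    esac
    opts="${spec#*:}"                  # drop SOURCE
    case "$opts" in
        *:*) opts="${opts#*:}" ;;      # drop DEST, keep comma-separated OPTS
        *) return 1 ;;                 # no options at all: SELinux will deny writes
    esac
    old_ifs="$IFS"; IFS=,
    for o in $opts; do                 # e.g. "ro,Z" -> ro Z
        case "$o" in
            z|Z) IFS="$old_ifs"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}

# Print the corrected backup command: host_dir gets :Z (private per-container
# label) so the tar file can be written into it.
backup_command() {
    vol_container="$1"   # e.g. sonatype-work (the data volume container)
    host_dir="$2"        # e.g. /root
    vol_path="$3"        # e.g. /sonatype-work (path inside the volume container)
    archive="$4"         # e.g. sonatype-work-backup.tar
    printf 'docker run --rm --volumes-from %s -v %s:/backup:Z ubuntu tar cvf /backup/%s %s\n' \
        "$vol_container" "$host_dir" "$archive" "$vol_path"
}

# Print the matching restore command. tar stores /sonatype-work without the
# leading slash, so extracting with -C / puts it back at /sonatype-work.
restore_command() {
    vol_container="$1"; host_dir="$2"; archive="$3"
    printf 'docker run --rm --volumes-from %s -v %s:/backup:Z ubuntu tar xvf /backup/%s -C /\n' \
        "$vol_container" "$host_dir" "$archive"
}

# Show the question's original spec failing the check and the fixed one passing.
for spec in "/root:/backup" "/root:/backup:Z"; do
    if has_selinux_relabel "$spec"; then
        echo "ok:      -v $spec"
    else
        echo "missing: -v $spec (add :z or :Z)"
    fi
done

# Run the backup only where docker exists; otherwise just print the commands.
if command -v docker >/dev/null 2>&1; then
    sh -c "$(backup_command sonatype-work /root /sonatype-work sonatype-work-backup.tar)"
else
    backup_command sonatype-work /root /sonatype-work sonatype-work-backup.tar
    restore_command sonatype-work /root sonatype-work-backup.tar
fi
```

The `Z` choice follows the answer's preference for isolation: the label is specific to this container, so another container mounting /root without its own relabel would not be able to read the archive. Use `z` instead if the host directory must be shared between several containers at once.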

Pompey Magnus

Reputation: 2351

The reason I'm getting permission denied is because of selinux. I am not sure why yet, but will edit this answer when/if I find out. Disabling selinux and restarting, I was able to take a backup.

Upvotes: 0
