rand0m

Reputation: 943

Why does setfacl not work in docker container?

I have trouble with ACLs in my docker container.

As you can see below, I set read/write permissions for user "ts" on "/opt/transfer_station/webapp/logs". This works for the folder "/opt/transfer_station/webapp/logs" but not for the file /opt/transfer_station/webapp/logs/debug.log in it. Why does it not work?

[root@lx-ts logs]# setfacl -Rdm u:ts:rw,g:ts:rw /opt/transfer_station/webapp/logs
[root@lx-ts logs]# echo $?
0
[root@lx-ts logs]# getfacl /opt/transfer_station/webapp/logs
getfacl: Removing leading '/' from absolute path names
# file: opt/transfer_station/webapp/logs
# owner: apache
# group: apache
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rw-
default:user:ts:rw-
default:group::r-x
default:group:apache:rw-
default:group:ts:rw-
default:mask::rwx
default:other::r-x

[root@lx-ts logs]# getfacl /opt/transfer_station/webapp/logs/debug.log
getfacl: Removing leading '/' from absolute path names
# file: opt/transfer_station/webapp/logs/debug.log
# owner: root
# group: root
user::rw-
group::r--
other::r--

[root@lx-ts logs]# whoami
root

Btw. I tried it with the docker option OPTIONS='--storage-driver=devicemapper' and without it. SELinux is in permissive mode and therefore does not block anything.

If I attach to the container and create a test file in the folder, the ACLs are inherited as I expect:

[root@lx-ts transfer_station]# touch webapp/logs/test
[root@lx-ts transfer_station]# getfacl webapp/logs/test
# file: webapp/logs/test
# owner: root
# group: root
user::rw-
user:apache:rw-
user:ts:rw-
group::r-x                      #effective:r--
group:apache:rw-
group:ts:rw-
mask::rw-
other::r--

I am running CentOS 7.1 and Docker version 1.7.1, build 446ad9b/1.7.1.

I have also added CAP_FOWNER to the container (using --cap-add=FOWNER), but that does not solve the problem either.

Any ideas?

Upvotes: 1

Views: 2605

Answers (1)

rand0m

Reputation: 943

Got it:

setfacl -Rm u:ts:rw,g:ts:rw /opt/transfer_station/webapp/logs

setfacl -d is for directories only. I had to remove it to make it work :/

Upvotes: 1
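The behaviour behind the answer, as an added example that is not part of the original question or answer: a default ACL (`-d`, or a `d:`-prefixed entry) lives only on a directory and is a template copied onto files created in it afterwards; it never rewrites the access ACL of a file that already exists, which is why debug.log stayed untouched while the later `touch` inherited the entries. The script below reproduces that with `setfacl -Rdm`, then applies the fix from the answer and, in the same command, adds the default entries so future log files inherit them too. Assumptions: uid/gid 60001 stand in for the "ts" account so no user needs to exist (`getfacl -n` prints numeric ids), the temporary directory lives on a filesystem with ACL support, and the `acl` package is installed; where either is missing the demo functions return 2 instead of failing.

```sh
#!/bin/sh
# Added example (not from the original post): default ACLs vs access ACLs.
# Assumption: uid/gid 60001 replace the "ts" user of the question.
ACL_ID=60001

acl_tools_available() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1
}

# 0 if "$1" carries an *access* ACL entry user:60001:rw-, 1 otherwise.
# Default entries print as "default:user:..." and therefore do not match.
has_access_entry() {
    getfacl -n -p "$1" 2>/dev/null | grep -q "^user:${ACL_ID}:rw-"
}

# Reproduces the question: debug.log exists, then `setfacl -Rdm` runs on
# its directory. Returns 0 when the pre-existing file gets no entry while
# a file created afterwards inherits one; 1 if that is not what happens;
# 2 if setfacl/getfacl are missing or the filesystem has no ACL support.
demo_default_acl_skips_existing_files() {
    acl_tools_available || return 2
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/logs"
    : > "$dir/logs/debug.log"                      # created BEFORE setfacl
    if ! setfacl -Rdm "u:${ACL_ID}:rw,g:${ACL_ID}:rw" "$dir/logs" 2>/dev/null; then
        rm -rf "$dir"; return 2                    # e.g. filesystem without ACLs
    fi
    : > "$dir/logs/new.log"                        # created AFTER: inherits default
    rc=0
    has_access_entry "$dir/logs/debug.log" && rc=1 # must NOT have an entry
    has_access_entry "$dir/logs/new.log"   || rc=1 # must have one
    rm -rf "$dir"
    return "$rc"
}

# The fix: `-Rm` without `-d` writes the access ACL onto the directory and
# every existing file; the `d:` prefix adds the default entries on the
# directory in the same pass so later files inherit them as well.
# Returns 0 when both the existing and a new file carry the entry; 2 if unsupported.
demo_access_and_default_acl() {
    acl_tools_available || return 2
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/logs"
    : > "$dir/logs/debug.log"
    if ! setfacl -Rm "u:${ACL_ID}:rw,g:${ACL_ID}:rw,d:u:${ACL_ID}:rw,d:g:${ACL_ID}:rw" \
            "$dir/logs" 2>/dev/null; then
        rm -rf "$dir"; return 2
    fi
    : > "$dir/logs/new.log"
    rc=0
    has_access_entry "$dir/logs/debug.log" || rc=1
    has_access_entry "$dir/logs/new.log"   || rc=1
    rm -rf "$dir"
    return "$rc"
}

# Stand-alone run: report the outcome of each demo.
for demo in demo_default_acl_skips_existing_files demo_access_and_default_acl; do
    "$demo"
    case $? in
        0) echo "$demo: ok" ;;
        2) echo "$demo: skipped (no setfacl/getfacl or no ACL support)" ;;
        *) echo "$demo: FAILED" ;;
    esac
done
```

Two practical checks when applying this to a real log directory: run `getfacl` on one existing file afterwards and look for a plain `user:ts:rw-` line (not `default:user:ts:rw-`), and watch the `#effective:` column, since `setfacl -m` recalculates the mask and a restrictive mode on the file can still cut the named entry down to read-only.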
