Capacytron

Reputation: 3729

Why can't a Docker container create folders in mounted folders?

I'm trying to start docker.bintray.io/jfrog/artifactory-oss:4.11.1 on MacOS using Docker version 1.9.1, build a34a1d5

Their guide recommends mapping the data and config folders to the host to make them persistent, which is a fair suggestion: https://www.jfrog.com/confluence/display/RTF/Running+with+Docker#RunningwithDocker-RunningArtifactoryasaDockerPrivateRegistry

The problem is that the container doesn't start. It complains about files from the mounted volumes: it can't create Artifactory-specific folders and files in the mounted volumes.

/usr/bin/java
Starting Artifactory tomcat as user artifactory...
Max number of open files: 1048576
Using ARTIFACTORY_HOME: /var/opt/jfrog/artifactory
Using ARTIFACTORY_PID: /var/opt/jfrog/run/artifactory.pid
touch: cannot touch `/opt/jfrog/artifactory/tomcat/logs/catalina.out': Permission denied
/opt/jfrog/artifactory/tomcat/bin/catalina.sh: line 401: /opt/jfrog/artifactory/tomcat/logs/catalina.out: Permission denied

** ERROR: Artifactory Tomcat server did not start. Please check the logs

My docker command looks like:

export ARTIFACTORY_HOME=$HOME/local.artifactory
# just cleanup for now
rm -rf $ARTIFACTORY_HOME

docker run -d --name local.artifactory \
--hostname local.artifactory \
--privileged=true \
-p 80:80 \
-p 8081:8081 \
-p 443:443 \
-v $ARTIFACTORY_HOME/data:/var/opt/jfrog/artifactory/data \
-v $ARTIFACTORY_HOME/logs:/var/opt/jfrog/artifactory/logs \
-v $ARTIFACTORY_HOME/backup:/var/opt/jfrog/artifactory/backup \
-v $ARTIFACTORY_HOME/etc:/var/opt/jfrog/artifactory/etc \
docker.bintray.io/jfrog/artifactory-oss:4.11.1

When I set mounted volumes to /tmp

export ARTIFACTORY_HOME=/tmp/local.artifactory

the docker container starts, but my mounts appear on the docker-machine VM and I can access them...

Upvotes: 5

Views: 11919

Answers (1)

BMitch

Reputation: 263469

When you mount a host volume that doesn't currently exist, the folder will be created as and mounted with root permissions (with the default umask, that's 755). The fix is to create the data, logs, etc, ... folders after your cleanup step, and configure them with permissions that can be written to as the container uid.

Here's an example of where you're seeing the issue:

$ docker run -v $HOME/data/docker/test-missing:/missing -u 100 --rm -it busybox
/ $ ls -al /missing
total 8
drwxr-xr-x    2 root     root          4096 Aug 18 19:18 .
drwxr-xr-x   19 root     root          4096 Aug 18 19:18 ..
/ $ touch /missing/file
touch: /missing/file: Permission denied
/ $ exit
$ ls -al $HOME/data/docker/test-missing/
total 8
drwxr-xr-x  2 root   root   4096 Aug 18 15:18 .
drwxr-xr-x 31 bmitch bmitch 4096 Aug 18 15:18 ..

The lines to add between your rm and docker run to fix your script would be:

mkdir -p $ARTIFACTORY_HOME/data $ARTIFACTORY_HOME/logs \
    $ARTIFACTORY_HOME/backup $ARTIFACTORY_HOME/etc
chmod -R 777 $ARTIFACTORY_HOME/data $ARTIFACTORY_HOME/logs \
    $ARTIFACTORY_HOME/backup $ARTIFACTORY_HOME/etc

Note that the second command isn't recommended for a multi-user environment; it allows anyone to read and write to the folder. A better solution is to change the owner to the uid used by the container, gid of the user, and mode 775, or to add the host user to the gid inside the container with the same permissions. But if you don't want to get into uid and gid complexities on a single user system, 777 is the quick solution.


Edit: With Docker on MacOS or Windows, you also need to make sure that the folder being mounted into the container as a host volume is also shared from your Mac/Win machine into the Docker Linux VM. Within Docker for Windows and Docker for Mac is a settings menu to adjust the shared drives or directories. On MacOS, pay attention to the case of the directory names.

Upvotes: 4
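
The alternative to 777 that the answer describes (owner set to the container uid, group set to the host user's gid, mode 775), as an added example that is not part of the original answer. It assumes a Linux Docker host where bind mounts keep the host's numeric uid/gid; `prepare_volumes` and `can_write` are hypothetical helper names and the uid 1030 in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example: pre-create the bind-mount directories so Docker does not
# create them as root:root 755, then verify the container uid can write.

# can_write DIR UID GID: succeeds if a process with that numeric uid/gid could
# create files in DIR (needs write + search bits). Supplementary groups and
# ACLs are ignored (assumption).
can_write() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] || return 1
    [ "$uid" -eq 0 ] && return 0            # root bypasses the mode bits
    # GNU stat first; BSD/macOS stat as fallback
    set -- $(stat -c '%u %g %a' "$dir" 2>/dev/null || stat -f '%u %g %Lp' "$dir")
    owner=$1; group=$2; m=$((0$3))          # parse the mode as octal
    if [ "$uid" -eq "$owner" ]; then bits=$(( (m >> 6) & 3 ))
    elif [ "$gid" -eq "$group" ]; then bits=$(( (m >> 3) & 3 ))
    else bits=$(( m & 3 )); fi
    [ "$bits" -eq 3 ]                       # w (2) and x (1) both set
}

# prepare_volumes BASE CONTAINER_UID HOST_GID: create the four directories the
# question mounts, owned by CONTAINER_UID:HOST_GID with mode 775, and fail if
# the container uid still could not write to any of them.
prepare_volumes() {
    base=$1; cuid=$2; hgid=$3
    for d in data logs backup etc; do
        mkdir -p "$base/$d" || return 1
        # chown to a uid other than your own needs root (run under sudo)
        chown "$cuid:$hgid" "$base/$d" || return 1
        chmod 775 "$base/$d" || return 1
        can_write "$base/$d" "$cuid" "$hgid" || return 1
    done
}

# Usage between the rm and docker run steps (1030 is a constructed placeholder;
# use the numeric uid the image's artifactory user actually has):
#   prepare_volumes "$HOME/local.artifactory" 1030 "$(id -g)"
```

Running `can_write` against a directory that Docker created on its own reproduces the root-owned 755 case from the answer's busybox session: it fails for any non-root uid.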
