Reputation: 3084
Environment:
Docker version 18.06.1-ce, build e68fc7a
Description: Ubuntu 18.04.1 LTS
Storage Driver: overlay2
Aforementioned volume:
{
    "Type": "volume",
    "Name": "xxx",
    "Source": "/var/lib/docker/volumes/xxx/_data",
    "Destination": "/tmp",
    "Driver": "local",
    "Mode": "",
    "RW": true,
    "Propagation": ""
},
When I'm trying to create a script in this directory (trying to replicate an issue with yet-another-docker-plugin):
touch init.sh && chmod +x init.sh && ./init.sh
I get a "permission denied" failure.
Flags seem to be set properly by chmod: -rwxr-xr-x 1 root root
Scripts can be launched in any other directory, but not on the volumes.
What is most interesting, launching the script with the command bash init.sh works!
What might be the reason for such strange behavior, and how can I fix it?
Upvotes: 0
Views: 1829
Reputation: 9997
Was playing around a bit to try and replicate.
This series of commands worked.
docker volume create mine
docker run -it -v mine:/tmp ubuntu bash
touch init.sh && chmod +x init.sh && ./init.sh
Inspecting the volume gave:
{
    "Type": "volume",
    "Name": "mine",
    "Source": "/var/lib/docker/volumes/mine/_data",
    "Destination": "/tmp",
    "Driver": "local",
    "Mode": "z",
    "RW": true,
    "Propagation": ""
}
The difference is the "Mode", which I think is "z" because I am not running SELinux.
I tried some different options to duplicate your problem:
docker run -it --mount type=volume,source=mine,target=/tmp,readonly ubuntu bash -c "cd /tmp && touch init.sh && chmod +x init.sh && ./init.sh"
touch: cannot touch 'init.sh': Read-only file system
But I couldn't. Looking into some links, I found this issue, which links to an article:
https://github.com/moby/moby/issues/7054
https://lwn.net/Articles/281157/
The article says that bind mounts inherit mount options (such as noexec) from the mount. So... is your Docker folder on a mount that is mounted with noexec?
Upvotes: 1
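One way to run the check the answer above suggests, as an added example that is not part of the original answer: it finds the mount backing a path in /proc/mounts-format data and reports whether that mount carries noexec. The function names and the sample mount table are constructed for illustration; on a real host, omit the file argument to read /proc/mounts and pass the volume's Source path.

```shell
#!/bin/sh
# Added example (not from the original thread). Hypothetical helper names.
# Input format is /proc/mounts: device mountpoint fstype options dump pass
# Mount points containing spaces (escaped as \040) are not handled here.

# mount_for PATH [MOUNTS_FILE] -> prints "mountpoint options" for the
# longest mount point that is a directory prefix of PATH.
mount_for() {
    awk -v p="$1" '
        {
            mp = $2
            # match the root, an exact hit, or a prefix ending at a "/"
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # ">=" lets a later over-mount of the same point win
                if (length(mp) >= best_len) {
                    best_len = length(mp)
                    best = mp " " $4
                }
            }
        }
        END { if (best != "") print best }
    ' "${2:-/proc/mounts}"
}

# is_noexec PATH [MOUNTS_FILE] -> exit status 0 if the backing mount has noexec
is_noexec() {
    opts=$(mount_for "$1" "$2" | awk '{ print $2 }')
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample table: /var/lib/docker sits on a noexec mount.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /var/lib/docker ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
EOF
}

f=$(mktemp) && sample_mounts > "$f"
for p in /var/lib/docker/volumes/xxx/_data /home/user; do
    if is_noexec "$p" "$f"; then echo "$p: noexec"; else echo "$p: exec allowed"; fi
done
rm -f "$f"
```

A noexec mount blocks executing a file directly but not reading it, which is consistent with bash init.sh working while ./init.sh fails.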
Reputation: 3803
I guess it is because the POSIX of /tmp does not allow you to execute the script.
You can verify that by issuing getfacl init.sh.
By using chmod +x init.sh, you only add the execute permission for all users to the existing permissions.
By using chmod 755 init.sh, you set the full permissions for the owner as well as read and execute permission for others.
I believe that should do the trick.
Upvotes: 0