Jerfeson Guerreiro

Reputation: 745

How to reflect host permissions in the Docker container?

I know that it is impossible to change the permissions of a file shared via volume, as a matter of default, and from what I understand, the permissions in the Docker container reflect the permissions on the host. However, this is not happening in my case: Docker simply changes the permissions on all files to 755, and some files must have specific permissions.

HOST: [image]

Docker Container: [image]

Dockerfile:

FROM ubuntu:18.04

ARG DEBIAN_FRONTEND=noninteractive

#Updating operating system
RUN apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade

##Installing essential packages
RUN apt-get -y install apt-utils software-properties-common curl bash-completion vim git supervisor


## Add Scripts
ADD ./start.sh /start.sh
EXPOSE  80
STOPSIGNAL SIGTERM
#CMD ["/start.sh"]
ENTRYPOINT echo $XDEBUG_CONFIG >> /etc/php/7.3/fpm/php.ini && service php7.3-fpm start && nginx -g "daemon off;"

docker-compose.yml

volumes:
  - ${DOCUMENT_ROOT-./www}:/usr/share/nginx/html
  - ${VHOSTS_DIR-./config/nginx/sites-enabled}:/etc/nginx/sites-enabled
  - ${PHP_INI-./config/php/php.ini}:/etc/php/7.3/fpm/conf.d/php.ini
  - ${LOG_DIR-./logs/nginx}:/var/log/nginx

Upvotes: 1

Views: 2246

Answers (1)

β.εηοιτ.βε

Reputation: 39314

Your assumption

I know that it is impossible to change the permissions of a file shared via volume

is only partially correct: there is actually a set of modes, :ro and :rw, that you can use when mounting a volume via docker-compose, and they are described in the documentation:

Standard modes are ro for read-only and rw for read-write (default).

Source: https://docs.docker.com/compose/compose-file/#short-syntax-3

You can also use the :Z and :z modes if your host uses SELinux.

If you use selinux you can add the z or Z options to modify the selinux label of the host file or directory being mounted into the container. This affects the file or directory on the host machine itself and can have consequences outside of the scope of Docker.

  • The z option indicates that the bind mount content is shared among multiple containers.
  • The Z option indicates that the bind mount content is private and unshared.

Use extreme caution with these options. Bind-mounting a system directory such as /home or /usr with the Z option renders your host machine inoperable and you may need to relabel the host machine files by hand.

Source: https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

Here is an example. On my host, these are the permissions of my files:

~ # ls -la ro rw 
ro:
total 0
drwxr-xr-x  3 ben  staff   96 May 23 23:06 .
drwxr-xr-x  9 ben  staff  288 May 23 23:16 ..
-rw-r--r--  1 ben  staff    0 May 23 23:06 file

rw:
total 0
drwxr-xr-x  3 ben  staff   96 May 23 23:06 .
drwxr-xr-x  9 ben  staff  288 May 23 23:16 ..
-rwxr-xr-x  1 ben  staff    0 May 23 23:06 file

Then, with this docker-compose.yml:

version: '3.8'

services:
  test:
    image: alpine
    volumes:
      - ./ro:/root/ro:Z
      - ./rw:/root/rw:Z
    command: sleep 100000000000

Here is the result in the container:

~ # ls -la ro rw
ro:
total 4
drwxr-xr-x    3 root     root            96 May 23 21:06 .
drwx------    1 root     root          4096 May 23 21:17 ..
-rw-r--r--    1 root     root             0 May 23 21:06 file

rw:
total 4
drwxr-xr-x    3 root     root            96 May 23 21:06 .
drwx------    1 root     root          4096 May 23 21:17 ..
-rwxr-xr-x    1 root     root             0 May 23 21:06 file

Upvotes: 1
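
To check mechanically whether a bind mount shows the same mode bits on both sides, the two `ls -la` listings can be parsed and compared as octal modes. This is an added example, not code from the question or the answer; the function names (`octal_mode`, `modes`, `drift`) are hypothetical and the sample listings are abridged from the ones in the answer above.

```python
import re

# One `ls -l` entry: type char, 9 permission chars, optional ACL/SELinux marker,
# links, owner, group, size, month, day, time, name. Only perms + name are kept.
ENTRY = re.compile(
    r"^[-dlbcps]([rwxsStT-]{9})\S*\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def octal_mode(sym):
    """'rwxr-xr-x' -> '0755'; s/S/t/T also set the setuid/setgid/sticky bit."""
    special = {2: 0o4000, 5: 0o2000, 8: 0o1000}
    bits = 0
    for i, ch in enumerate(sym):
        bits |= (1 << (8 - i)) if ch in "rwxst" else 0
        bits |= special.get(i, 0) if ch in "sStT" else 0
    return format(bits, "04o")

def modes(listing):
    """Map 'dir/name' -> octal mode for `ls -la dir...` output."""
    out, cwd = {}, ""
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m is None and line.endswith(":"):
            cwd = line[:-1]                      # 'ro:' header starts a new directory
        elif m and m.group(2) != "..":           # '..' is outside the bind mount
            out[f"{cwd}/{m.group(2)}"] = octal_mode(m.group(1))
    return out

def drift(host, container):
    """Return {path: (host_mode, container_mode)} for every mismatch."""
    h, c = modes(host), modes(container)
    return {p: (h[p], c.get(p)) for p in h if h[p] != c.get(p)}

# Sample input: abridged from the two listings in the answer above.
HOST = """\
ro:
drwxr-xr-x  3 ben  staff   96 May 23 23:06 .
drwxr-xr-x  9 ben  staff  288 May 23 23:16 ..
-rw-r--r--  1 ben  staff    0 May 23 23:06 file
rw:
-rwxr-xr-x  1 ben  staff    0 May 23 23:06 file
"""
CONTAINER = """\
ro:
drwxr-xr-x    3 root     root            96 May 23 21:06 .
drwx------    1 root     root          4096 May 23 21:17 ..
-rw-r--r--    1 root     root             0 May 23 21:06 file
rw:
-rwxr-xr-x    1 root     root             0 May 23 21:06 file
"""

if __name__ == "__main__":
    print(drift(HOST, CONTAINER) or "modes match")
```

Owner, group and timestamps are deliberately ignored, since those differ between host and container in the answer's listings while the mode bits do not.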
