Help Needed with Docker Volume Permissions Issue

Asked By CuriousMango42 On

I'm facing a permissions issue with a Docker volume and I'm struggling to figure it out. I'm using Ansible to set everything up, including the user and group for the container, which are both created with the same username, group, UID, and GID (4005:4005) on both my NAS and Docker VM. The UID and GID seem consistent as verified by examining /etc/passwd on both systems.

On my NAS, I have a ZFS dataset for my Docker Compose application storage, with ACL mode set to posix and permissions set to 0700. I've created an exports directory (not using ZFS NFS sharing) with the same application account ownership and permissions. This exports folder is a bind mount from the ZFS dataset and shared via NFS.

On the Docker VM, I set up a directory for the NFS share with proper ownership and 0700 permissions, and I can SSH into the Docker VM as the application account and access the files there. However, after modifying my Docker compose file to use this directory as a volume, I receive the error: "Error response from daemon: error while creating mount source path '/path': mkdir /path: permission denied" whenever I try to start the container with 'docker compose up -d'.

I've done several tests including checking permissions, confirming UIDs/GIDs using the id command inside the container, and restarting both the Docker daemon and the VM. Yet, I'm unsure what permissions or configurations to adjust next without broadly opening up permissions. Any suggestions would be greatly appreciated! My setup runs on Ubuntu 24.04, Docker version 29.2.0, and Docker Compose 5.0.2.

3 Answers

Answered By WittyPenguin77 On

Remember that the operation is performed by the Docker daemon on the host, not by the user inside the container. It's possible that Docker is trying to create a directory but doesn't have the necessary permissions, or it may not be able to traverse one of the parent directories in the path. You should check the ownership and permissions of those parent directories.

CuriousMango42 -

I'll look into that. The parent directories are owned by root, but I'm not sure about their permissions. Since I'm not using rootless Docker, I thought the daemon should be able to traverse those.
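To act on the advice above about parent directories, here is an added example (not part of the original thread): a small shell script that walks the ancestors of a bind-mount source path and reports the first one whose mode bits deny search permission to a given UID/GID. It assumes GNU stat and an absolute path, ignores ACLs, and uses made-up function names. Pass the identity the storage actually sees for the daemon, which on an NFS export with root squashing is the anonymous ID rather than 0 (an assumption, since the thread does not say how the export is configured).

```shell
#!/bin/sh
# Added example, not from the thread. Mode bits only: POSIX ACLs are not
# evaluated and no root bypass is assumed. Run it as a user that can stat
# every ancestor; a directory that cannot be stat'ed is reported as a blocker.

# may_traverse UID GID DIR: succeed if DIR's owner/group/other bits grant
# search (x) to UID/GID. The owner class wins over group, group over other.
may_traverse() {
    mt_uid=$1; mt_gid=$2
    set -- $(stat -c '%u %g %a' -- "$3")    # owner uid, group gid, octal mode
    [ "$#" -eq 3 ] || return 2               # stat failed
    if   [ "$mt_uid" -eq "$1" ]; then mt_bit=0100
    elif [ "$mt_gid" -eq "$2" ]; then mt_bit=0010
    else                              mt_bit=0001
    fi
    [ $(( 0$3 & $mt_bit )) -ne 0 ]
}

# first_blocker UID GID PATH: print the first ancestor directory of PATH that
# denies search to UID/GID and return 1; return 0 if every ancestor allows it.
# The final component itself is not checked, only the directories leading to it.
first_blocker() {
    fb_uid=$1; fb_gid=$2; fb_cur=/
    fb_ifs=$IFS; IFS=/; set -f
    set -- $3                                # split PATH on "/"
    set +f; IFS=$fb_ifs
    for fb_part in "$@"; do
        [ -n "$fb_part" ] || continue
        if ! may_traverse "$fb_uid" "$fb_gid" "$fb_cur"; then
            printf '%s\n' "$fb_cur"
            return 1
        fi
        fb_cur=${fb_cur%/}/$fb_part
    done
    return 0
}

# Usage: sh check_path.sh UID GID /absolute/bind/source
if [ "$#" -eq 3 ]; then
    first_blocker "$@"
fi
```

A 0700 directory owned by 4005 passes for 4005:4005 and fails for every other UID, so comparing the result for the application account with the result for the daemon's effective identity shows whether the mode bits alone explain the error.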

Answered By CleverOtter83 On

Make sure that the user IDs match both inside the container and on your host system. Also, just a quick note, avoid building container images in a Windows environment if you can - it can often lead to permissions issues.

CuriousMango42 -

Just to clarify, I'm not building a container here. I've double-checked the UID/GID using the id command inside the container. What else should I check?

Answered By HelpfulHedgehog99 On

It sounds like the issue could be related to the Docker daemon attempting to create necessary folders when the container starts. Have you tried manually creating the initial folder structure on your host? That helped me resolve similar problems in the past.

CuriousMango42 -

I appreciate the suggestion, but the directories already exist!
