How does docker run differ from running a command from a shell within the container

I’m having a problem where I get permission denied when attempting to run logstash within the container and accessing configurations provided via a host volume. But if I explicitly run the command within a shell it works fine.

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest logstash -f /etc/logstash/conf.d
The error reported is:
  Permission denied - /etc/logstash/conf.d/logstash.conf

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest sh -c 'logstash -f /etc/logstash/conf.d'
Settings: Default pipeline workers: 4
Logstash startup completed

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest ls -lZ /etc/logstash/conf.d
total 4
-rw-------. 1 1000 1000 system_u:object_r:svirt_sandbox_file_t:s0:c78,c159 125 Mar  9 17:57 logstash.conf

This tells me that there’s something different about the environment in the shell but I have no clue what would cause these permissions issues.

2 Solutions collected from the web for “How does docker run differ from running a command from a shell within the container”

    As a first clue, I see in the logstash Dockerfile that its ENTRYPOINT is

    # Run as user "logstash" if the command is "logstash"
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi

    That would explain the difference between logstash and sh -c 'logstash...': the first parameter is no longer logstash.

    So you need to make sure $PWD/logstash/config is, once mounted, accessible to user ‘logstash’.

    The OP Mark Caudill adds in the comments:

    1. adding :Z modifier to the -v parameter sets the correct SELinux labels on the files and directories
    2. logstash is running as root
    3. chcon -R system_u:object_r:svirt_sandbox_file_t:s0 ./ on each directory being mounted as a host volume

    These points allow the logstash process to access the host volume.
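
The difference between the two invocations can be reproduced without Docker. The sketch below is an added example, not code from the logstash image: it applies the entrypoint branch quoted above to each command line, then runs a simplified read-permission check against the owner (1000) and mode (rw-------) shown in the question's ls -lZ output. The function names and the logstash uid 999 are assumptions made for illustration.

```shell
#!/bin/sh
# Owner and mode are taken from the ls -lZ output in the question.
# LOGSTASH_UID is an assumed placeholder for the image's logstash account.
FILE_OWNER=1000
FILE_MODE=600
LOGSTASH_UID=999

# Rewrite the arguments the way the quoted entrypoint branch does.
entrypoint_argv() {
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi
    printf '%s\n' "$*"
}

# uid of the final process: gosu drops to logstash, otherwise the process
# keeps the container's starting user (root, assuming no --user override).
effective_uid() {
    case "$(entrypoint_argv "$@")" in
        'gosu logstash '*) echo "$LOGSTASH_UID" ;;
        *) echo 0 ;;
    esac
}

# DAC read check: can_read <uid> <owner_uid> <octal_mode>.
# Group bits are not modelled; SELinux labels are a separate check.
can_read() {
    [ "$1" -eq 0 ] && return 0          # root keeps CAP_DAC_OVERRIDE by default
    if [ "$1" -eq "$2" ]; then
        [ $(( 0$3 & 0400 )) -ne 0 ]     # owner read bit
    else
        [ $(( 0$3 & 0004 )) -ne 0 ]     # other read bit
    fi
}

# Report the outcome for the arguments given after the image name.
diagnose() {
    uid=$(effective_uid "$@")
    if can_read "$uid" "$FILE_OWNER" "$FILE_MODE"; then
        echo "uid=$uid readable"
    else
        echo "uid=$uid permission-denied"
    fi
}

diagnose logstash -f /etc/logstash/conf.d           # direct command
diagnose sh -c 'logstash -f /etc/logstash/conf.d'   # wrapped in a shell
```

Giving the logstash account read access to the mounted files (matching ownership, or a group or other read bit) keeps the privilege drop in place instead of sidestepping it by running as root.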

    I don’t fully understand your questions but this should help …

    RUN runs the specified command inside a container at DOCKER BUILD time. ENTRYPOINT runs the specified command inside a container at DOCKER RUN time.

    When mounting a volume, the files inside the container that exist inside the image (at build time) will be overwritten. The files inside the container that were created at docker run time will be accessible in the mounted volume, and thus will be accessible both inside the container and from the host.

    You should either:

    1. Consider using ENTRYPOINT instead of RUN

    2. Use volumes-from if you only need to share files between containers
