How does docker run differ from running a command from a shell within the container

I’m having a problem where I get permission denied when attempting to run logstash within the container and accessing configurations provided via a host volume. But if I explicitly run the command within a shell it works fine.

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest logstash -f /etc/logstash/conf.d
The error reported is:
  Permission denied - /etc/logstash/conf.d/logstash.conf

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest sh -c 'logstash -f /etc/logstash/conf.d'
Settings: Default pipeline workers: 4
Logstash startup completed

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest ls -lZ /etc/logstash/conf.d
total 4
-rw-------. 1 1000 1000 system_u:object_r:svirt_sandbox_file_t:s0:c78,c159 125 Mar  9 17:57 logstash.conf

This tells me that there’s something different about the environment in the shell but I have no clue what would cause these permissions issues.

2 Solutions collected from the web for “How does docker run differ from running a command from a shell within the container”

    As a first clue, I see in the logstash Dockerfile that its ENTRYPOINT is

    # Run as user "logstash" if the command is "logstash"
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi

    That would explain the difference between logstash and sh -c 'logstash...': the first parameter is no longer logstash.

    So you need to make sure $PWD/logstash/config is, once mounted, accessible to user 'logstash'.

    The OP Mark Caudill adds in the comments:

    1. adding :Z modifier to the -v parameter sets the correct SELinux labels on the files and directories
    2. logstash is running as root
    3. chcon -R system_u:object_r:svirt_sandbox_file_t:s0 ./ on each directory being mounted as a host volume

    These points allow the logstash process to access the host volume.
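
The entrypoint branch from the answer above, modelled as an added example (not code from the original post or from the logstash image): it works out which uid each invocation ends up running as and applies the owner/group/other read check to the file from the question's `ls -lZ` output (1000:1000, mode 0600). The logstash uid/gid of 999 is an assumed placeholder, and SELinux labels are not modelled.

```shell
#!/bin/sh
# Added example: models the quoted entrypoint branch and the DAC read check.
# It does not call docker or gosu.

# Assumption: the image's "logstash" account is non-root and is not uid 1000.
# 999 is a constructed placeholder, not a value taken from the page.
LOGSTASH_UID=999
LOGSTASH_GID=999

# Print the uid the final process runs as for the given container arguments.
# Mirrors: if [ "$1" = 'logstash' ]; then set -- gosu logstash "$@"; fi
entrypoint_uid() {
    if [ "$1" = 'logstash' ]; then
        echo "$LOGSTASH_UID"    # gosu drops privileges before exec
    else
        echo 0                  # branch skipped, process stays root
    fi
}

# Owner/group/other read check. Args: uid gid owner_uid owner_gid octal_mode
can_read() {
    uid=$1 gid=$2 ouid=$3 ogid=$4
    bits=$((0$5))                           # leading 0 parses the mode as octal
    [ "$uid" -eq 0 ] && return 0            # root bypasses the mode bits
    if [ "$uid" -eq "$ouid" ]; then
        [ $((bits & 0400)) -ne 0 ]
    elif [ "$gid" -eq "$ogid" ]; then
        [ $((bits & 0040)) -ne 0 ]
    else
        [ $((bits & 0004)) -ne 0 ]
    fi
}

# File facts from the question's ls -lZ output: owner 1000:1000, mode 0600.
verdict() {
    run_uid=$(entrypoint_uid "$@")
    if [ "$run_uid" -eq 0 ]; then run_gid=0; else run_gid=$LOGSTASH_GID; fi
    if can_read "$run_uid" "$run_gid" 1000 1000 600; then
        echo allowed
    else
        echo denied
    fi
}

verdict logstash -f /etc/logstash/conf.d
verdict sh -c 'logstash -f /etc/logstash/conf.d'
```

The first call prints `denied` and the second `allowed`, matching the two `docker run` results in the question.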

    I don’t fully understand your questions but this should help …

    RUN runs the specified command inside a container at DOCKER BUILD time. ENTRYPOINT runs the specified command inside a container at DOCKER RUN time.

    When mounting a volume, the files inside the container that exist inside the image (at build time) will be overwritten. The files inside the container that were created at docker run time will be accessible in the mounted volume, and thus will be accessible both inside the container and from the host.

    You should either:

    1. Consider using ENTRYPOINT instead of RUN

    2. Use volumes-from if you only need to share files between containers
