How does docker run differ from running a command from a shell within the container
I’m having a problem where I get permission denied when attempting to run logstash within the container and accessing configurations provided via a host volume. But if I explicitly run the command within a shell it works fine.
    $ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest logstash -f /etc/logstash/conf.d

The error reported is:

    Permission denied - /etc/logstash/conf.d/logstash.conf

    $ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest sh -c 'logstash -f /etc/logstash/conf.d'
    Settings: Default pipeline workers: 4
    Logstash startup completed

    $ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest ls -lZ /etc/logstash/conf.d
    total 4
    -rw-------. 1 1000 1000 system_u:object_r:svirt_sandbox_file_t:s0:c78,c159 125 Mar 9 17:57 logstash.conf
This tells me that there’s something different about the environment in the shell but I have no clue what would cause these permissions issues.
2 Solutions collected from the web for “How does docker run differ from running a command from a shell within the container”
As a first clue, I see in the logstash Dockerfile that its

    # Run as user "logstash" if the command is "logstash"
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi

That would explain the difference between sh -c 'logstash...': the first parameter is no longer

So you need to make sure $PWD/logstash/config is, once mounted, accessible to user ‘
The OP Mark Caudill adds in the comments:
- :Z modifier to the -v parameter sets the correct SELinux labels on the files and directories
- logstash is running as
- chcon -R system_u:object_r:svirt_sandbox_file_t:s0 ./ on each directory being mounted as a host volume

These points allow the logstash process to access the host volume.
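
The dispatch rule quoted in the answer above, as an added example that is not part of the original post or the image's real entrypoint: it shows what each invocation turns into, then lists files in a volume directory that the dropped-privilege user could not read. The helper names, the sample config and the assumption that the container's logstash UID differs from the host file owner are constructed for illustration.

```sh
#!/bin/sh
# Print the command line the entrypoint would exec for the given arguments.
# Only an exact first argument of "logstash" triggers the gosu privilege drop;
# anything else (such as "sh -c ...") keeps the container's starting user.
entrypoint_argv() {
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi
    printf '%s\n' "$*"
}

# List entries under DIR that a user who is neither owner nor group member
# cannot use: files without o+r, directories without o+rx.
# Assumption: the logstash UID in the container does not match the host owner.
unreadable_by_other() {
    find "$1" \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \)
}

# Constructed sample mirroring the question: a config file with mode 0600.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
chmod 755 "$demo_dir"
printf 'input { stdin {} }\n' > "$demo_dir/logstash.conf"
chmod 600 "$demo_dir/logstash.conf"

echo "direct : $(entrypoint_argv logstash -f /etc/logstash/conf.d)"
echo "via sh : $(entrypoint_argv sh -c 'logstash -f /etc/logstash/conf.d')"
echo "blocked for a non-owner UID:"
unreadable_by_other "$demo_dir"
```

Running unreadable_by_other against the real host directory before mounting it covers the ownership and mode side only; SELinux labels are a separate check.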
I don’t fully understand your questions but this should help …
RUN runs the specified command inside a container at DOCKER BUILD time.
ENTRYPOINT runs the specified command inside a container at DOCKER RUN time.
When mounting a volume, the files inside the container that exist inside the image (at build time) will be overwritten. The files inside the container that were created at docker run time will be accessible in the mounted volume, and thus will be accessible both inside the container and from the host.
You should either:
- volumes-from if you only need to share files between containers