How does docker run differ from running a command from a shell within the container

I’m having a problem where I get permission denied when attempting to run logstash within the container and accessing configurations provided via a host volume. But if I explicitly run the command within a shell it works fine.

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest logstash -f /etc/logstash/conf.d
The error reported is:
  Permission denied - /etc/logstash/conf.d/logstash.conf

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest sh -c 'logstash -f /etc/logstash/conf.d'
Settings: Default pipeline workers: 4
Logstash startup completed

$ docker run -it --rm -v "$PWD/logstash/config":/etc/logstash/conf.d:Z logstash:latest ls -lZ /etc/logstash/conf.d
total 4
-rw-------. 1 1000 1000 system_u:object_r:svirt_sandbox_file_t:s0:c78,c159 125 Mar  9 17:57 logstash.conf

This tells me that there’s something different about the environment in the shell but I have no clue what would cause these permissions issues.

  • 2 solutions collected from the web for “How does docker run differ from running a command from a shell within the container”

    As a first clue, I see in the logstash Dockerfile that its ENTRYPOINT is

    # Run as user "logstash" if the command is "logstash"
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi

    That would explain the difference between logstash and sh -c 'logstash...': the first parameter is no longer logstash.

    So you need to make sure $PWD/logstash/config is, once mounted, accessible to user 'logstash'.

    The OP Mark Caudill adds in the comments:

    1. adding :Z modifier to the -v parameter sets the correct SELinux labels on the files and directories
    2. logstash is running as root
    3. chcon -R system_u:object_r:svirt_sandbox_file_t:s0 ./ on each directory being mounted as a host volume

    These points allow the logstash process to access the host volume.
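
The difference the first answer points at, as an added shell sketch that is not part of the original answers or the image's own script: it reuses the `$1` test quoted from the entrypoint, then applies plain owner/group/other mode bits to the `-rw-------` file owned by 1000:1000 from the question. The uid/gid 999 for the in-image logstash account and the container starting as root are assumptions, and SELinux labelling is not modelled.

```shell
#!/bin/sh
# Added illustration, not the image's real entrypoint script.
# Assumptions: the container starts as root (uid 0), the in-image "logstash"
# account has uid/gid 999 (constructed value), SELinux labels are not modelled.
LOGSTASH_UID=999
LOGSTASH_GID=999

# Print the command line the quoted entrypoint test would end up running.
resolve_argv() {
    if [ "$1" = 'logstash' ]; then
        set -- gosu logstash "$@"
    fi
    printf '%s\n' "$*"
}

# Print "uid gid" of the resulting process: dropped only when $1 is logstash.
effective_ids() {
    if [ "$1" = 'logstash' ]; then
        echo "$LOGSTASH_UID $LOGSTASH_GID"
    else
        echo "0 0"
    fi
}

# can_read MODE OWNER GROUP UID GID -> exit 0 if classic mode bits allow read.
# uid 0 is treated as bypassing the mode bits (default container capabilities).
can_read() {
    mode=$((0$1))
    [ "$4" -eq 0 ] && return 0
    if [ "$4" -eq "$2" ]; then
        bits=$(( (mode >> 6) & 7 ))
    elif [ "$5" -eq "$3" ]; then
        bits=$(( (mode >> 3) & 7 ))
    else
        bits=$(( mode & 7 ))
    fi
    [ $(( bits & 4 )) -ne 0 ]
}

# check_config ARGS...: can the resulting process read the 0600 file owned by
# 1000:1000 shown in the question's ls -lZ output?
check_config() {
    set -- $(effective_ids "$@")
    if can_read 600 1000 1000 "$1" "$2"; then echo readable; else echo denied; fi
}

check_config logstash -f /etc/logstash/conf.d            # denied
check_config sh -c 'logstash -f /etc/logstash/conf.d'    # readable
```
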

    I don’t fully understand your questions but this should help …

    RUN runs the specified command inside a container at DOCKER BUILD time. ENTRYPOINT runs the specified command inside a container at DOCKER RUN time.

    When mounting a volume, the files inside the container that exist inside the image (at build time) will be overwritten. The files inside the container that were created at docker run time will be accessible in the mounted volume, and thus will be accessible both inside the container and from the host.

    You should either:

    1. Consider using ENTRYPOINT instead of RUN

    2. Use volumes-from if you only need to share files between containers
