如何在 Docker 容器中挂载 --bind？

Question

I have this container based on debian:jessie (but this is not very relevant as I had the same issue with alpine:3.3 ). I get to the point where I need to

mount --bind /htdocs/www /home/user/example.com/www

and I get

mount: permission denied

I can't find anything in any kernel log, and -vvv yields nothing interesting. I obviously can do this on the host (with any other pair of subtree/node). In my example above /htdocs/www is the mountpoint of a Docker volume, but it doesn't appear like it's of any importance, as I can't mount --bind any pair of subtree/node inside the container.

Answer 1

For using the mount system call, you need the CAP_SYS_ADMIN capability. By default, Docker drops all capabilities when spawning a container (meaning that even as root , you're not allowed to do everything). See the mount(2) man page for more information.

You can start your container with the --cap-add=SYS_ADMIN flag to add this capability to your container:

root@host > docker run --rm -it --cap-add=SYS_ADMIN debian:jessie
root@ee0b1d5fe546:/# mkdir /mnt/test
root@ee0b1d5fe546:/# mount --bind /home /mnt/test/
root@ee0b1d5fe546:/# 

Use this with caution . Do not run untrusted software in a privileged container.

Answer 2

Try with --privileged flag:

docker run --rm -it --privileged=true debian
mkdir /mnt/test
mount --bind /home /mnt/test/

Answer 3

I was searching some info's for Docker/Kubernetes to give capabilities permission, and found some informations

docker run --rm -it --security-opt apparmor:unconfined --cap-add=SYS_ADMIN debian:jessie
mkdir /mnt/test
mount --bind /home /mnt/test/

would help.