Strange error about permissions inside a docker container

I'm running an official tomcat image (https://github.com/docker-library/tomcat/tree/master/8.5/jre8) with customized permissions applied: I've created a tomcat:tomcat user and group and made it the owner of /usr/local/tomcat and all subdirectories.

In /usr/local/tomcat, when I do "touch test" or "mkdir testdir", it works, but if I do the same thing in the "work" subdirectory or any subdirectory, it fails.

tomcat@462080a55bca:/usr/local/tomcat$ ll | grep work
drwxr-x---  2 tomcat tomcat  4096 Jan 10 21:03 work

tomcat@462080a55bca:/usr/local/tomcat$ touch work/test
touch: cannot touch ‘work/test’: Permission denied

tomcat@462080a55bca:/usr/local/tomcat$ mkdir work/testdir
mkdir: cannot create directory ‘work/testdir’: Permission denied

Can anyone tell me why?

This is a bug in the Linux kernel (and maybe also in aufs/overlay2). It's fixed in kernel >= 4.7. See here for more details: https://github.com/docker/docker/issues/30285

Additional information from Justin Cormack (engineer at Docker): "Many of these fixes are being backported to the stable 4.4 kernels", "The new Debian stable with 4.9 kernel will be out in a few months, and Docker for AWS and Azure also have 4.9 kernels." (It will actually be 4.10 for Debian, and maybe later than expected but still first half of 2017).
