Fixing Docker Volume Permission Issues in Docker-Compose

amazon ec2amazon-ebsdockerdocker-compose

I have installed Docker on an Amazon Linux server and given it permissions with sudo usermod -aG docker $USER. When I start my Jenkins docker containers (which have the home directories on an EBS mounted volume, mounted at /var/lib/docker/volumes) from the command line;

docker run -d \
--restart=always \
--name=jenkins-core \
--hostname=jenkins-core \
-p 8080:8080 \
-p 50000:50000 \
--env JENKINS_OPTS="--prefix=/core" \
-v jenkins-core:/var/jenkins_home \
jenkins/jenkins:lts

Everything works fine. However when I try to start it from docker-compose up -d or sudo docker-compose up -d I get;

touch: cannot touch '/var/jenkins_home/copy_reference_file.log': Permission denied
Can not write to /var/jenkins_home/copy_reference_file.log. Wrong volume permissions?

and the docker containers go into a boot loop trying to restart. I cannot figure out why the permissions are wrong on docker-compose but fine on docker.

I have tried sudo chown $(whoami):$(whoami) /usr/local/bin/docker-compose but it didn't work. I installed docker-compose from here; https://docs.docker.com/compose/install/

here is the docker-compose.yml there is also a .env file for the variables (not attached)

version: "3.6"
services:
  jenkins-core:
    image:           jenkins/jenkins:lts
    container_name:  jenkins-core
    restart:         always
    ports:
      - ${JENKINS_CORE_HOST_PORT_8080}:${JENKINS_PORT_8080}
      - ${JENKINS_CORE_HOST_PORT_50000}:${JENKINS_PORT_50000}
    environment:
      - JENKINS_OPTS=--prefix=${JENKINS_CORE_PREFIX}
      - JAVA_OPTS=-Duser.timezone=${TZ}
    volumes:
      - ${JENKINS_CORE_HOME_DIR}:/var/jenkins_home
  jenkins-integrations:
    image:           jenkins/jenkins:lts
    container_name:  jenkins-integrations
    restart:         always
    ports:
      - ${JENKINS_INTEGRATIONS_HOST_PORT_8080}:${JENKINS_PORT_8080}
      - ${JENKINS_INTEGRATIONS_HOST_PORT_50000}:${JENKINS_PORT_50000}
    environment:
      - JENKINS_OPTS=--prefix=${JENKINS_INTEGRATIONS_PREFIX}
      - JAVA_OPTS=-Duser.timezone=${TZ}
    volumes:
      - ${JENKINS_INTEGRATIONS_HOME_DIR}:/var/jenkins_home
  portainer:
    image:           portainer/portainer
    container_name:  portainer
    restart:         always
    environment:
      - TZ=${TZ}
    ports:
      - ${PORTAINER_PORT_9000}:9000
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock
      - ${DOCKERCONFDIR}/portainer:/data
    command:         -H unix:///var/run/docker.sock
  watchtower:
    image:           v2tec/watchtower
    container_name:  watchtower
    restart:         always
    environment:
      - TZ=${TZ}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    command:         --schedule 0 0 4 * * * --cleanup

Best Answer

Please have a look here: https://github.com/jenkinsci/docker/blob/master/README.md under Usage. It says NOTE: Avoid using a bind mount from a folder on the host machine into /var/jenkins_home, as this might result in file permission issues (the user used inside the container might not have rights to the folder on the host machine)...

So the reason why your docker run works is because of -v jenkins-core:/var/jenkins_home where jenkins-core is a docker volume. In the compose however you use a bind mount to some folder on the host.

Purpose of the `volumes` key

It is there to create named volumes.

If you do not use it, then you will find yourself with a bunch of hashed values for your volumes. Example:

$ docker volume ls 
DRIVER              VOLUME NAME
local               f004b95d8a3ae11e9b871074e9415e24d536742abfe86b32ffc867f7b7063e55
local               9a148e167e1c722cbdb67c8edc36f02f39caeb2d276e9316e64de36e7bc2c35d

With named volumes, you get something like the following:

$ docker volume ls
local               projectname_someconf
local               projectname_otherconf

How to create named volumes

The docker-compose.yml syntax is:

version: '2'

services:
    app:
        container_name: app
        volumes_from:
            - appconf
    appconf:
        container_name: appconf
        volumes:
            - ./Docker/AppConf:/var/www/conf

volumes:
    appconf:

networks:
    front:
        driver: bridge

This something like above shown named volumes.

How to remove volumes in bulk

When you have a bunch of hashes, it can be quite hard to clean up. Here's a one-liner:

docker volume rm $(docker volume ls |awk '{print $2}')

Edit: As @ArthurTacca pointed out in the comments, there's an easier to remember way:

docker volume rm $(docker volume ls -q)

How to get details about a named volume

Now that you do not have to look up hashes anymore, you can go on it and call them by their … name:

docker volume inspect <volume_name>

# Example:
$ docker volume inspect projectname_appconf

[
    {
        "Name": "projectname_appconf",
        "Driver": "local",
        "Mountpoint": "/mnt/sda1/var/lib/docker/volumes/projectname_appconf/_data"
    }
]

Sidenote: You might want to docker-compose down your services to get a fresh start before going to create volumes.

In case you are using Boot2Docker/ Docker Machine, you will have to docker-machine ssh and sudo -i before doing a ls -la /mnt/… of that volume – you host machine is the VM provisioned by Docker Machine.

EDIT: Another related answer about named volumes on SO.

Docker – Check is container/service running with docker-compose

docker-compose ps -q <service_name> will display the container ID no matter it's running or not, as long as it was created.
docker ps shows only those that are actually running.

Let's combine these two commands:

if [ -z `docker ps -q --no-trunc | grep $(docker-compose ps -q <service_name>)` ]; then
  echo "No, it's not running."
else
  echo "Yes, it's running."
fi

docker ps shows short version of IDs by default, so we need to specify --no-trunc flag.

UPDATE: It threw "grep usage" warning if the service was not running. Thanks to @Dzhuneyt, here's the updated answer.

if [ -z `docker-compose ps -q <service_name>` ] || [ -z `docker ps -q --no-trunc | grep $(docker-compose ps -q <service_name>)` ]; then
  echo "No, it's not running."
else
  echo "Yes, it's running."
fi

Best Answer

Related Solutions

Docker – How is Docker Compose version 2 “volumes” syntax supposed to look

Purpose of the volumes key

How to create named volumes

How to remove volumes in bulk

How to get details about a named volume

Docker – Check is container/service running with docker-compose

Related Topic

Purpose of the `volumes` key