docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

File permission has a lot of question marks #433

Open liudonghua123 opened 5 years ago

liudonghua123 commented 5 years ago

I wrote a Dockerfile; its last lines are

RUN echo "root:root" | chpasswd
RUN echo "beakerx:beakerx" | chpasswd
RUN usermod -aG sudo beakerx

RUN echo beakerx | sudo -S chown -R beakerx:beakerx /home/beakerx/.local
RUN echo beakerx | sudo -S find /home/beakerx/.local -type d -exec chmod 755 {} \;
RUN echo beakerx | sudo -S find /home/beakerx/.local -type f -exec chmod 644 {} \;

RUN id
RUN ls -la /home/beakerx/.local
RUN ls -la /home/beakerx/.local/share

USER beakerx

RUN id
RUN ls -la /home/beakerx/.local
RUN ls -la /home/beakerx/.local/share

When I build this image, it gives me the following errors.

Step 17/29 : RUN echo "root:root" | chpasswd
 ---> Running in b07756b764ef
 ---> 11a182191463
Removing intermediate container b07756b764ef
Step 18/29 : RUN echo "beakerx:beakerx" | chpasswd
 ---> Running in 2f2bc836b1af
 ---> dee6ebdf5b9c
Removing intermediate container 2f2bc836b1af
Step 19/29 : RUN usermod -aG sudo beakerx
 ---> Running in 8a1ccfffd565
 ---> d7815406e070
Removing intermediate container 8a1ccfffd565
Step 20/29 : RUN echo beakerx | sudo -S chown -R beakerx:beakerx /home/beakerx/.local
 ---> Running in 19aebc73f517
 ---> a8cb84a563c5
Removing intermediate container 19aebc73f517
Step 21/29 : RUN echo beakerx | sudo -S find /home/beakerx/.local -type d -exec chmod 755 {} \;
 ---> Running in 7c2434fa279a
 ---> 5ce4b0b0e859
Removing intermediate container 7c2434fa279a
Step 22/29 : RUN echo beakerx | sudo -S find /home/beakerx/.local -type f -exec chmod 644 {} \;
 ---> Running in 5f57457f1fe5
 ---> 1bb42b3ef8f3
Removing intermediate container 5f57457f1fe5
Step 23/29 : RUN id
 ---> Running in 101209499f50
uid=0(root) gid=0(root) groups=0(root)
 ---> e45945b090ab
Removing intermediate container 101209499f50
Step 24/29 : RUN ls -la /home/beakerx/.local
 ---> Running in d337b58c1571
total 12
drwxr-xr-x  6 beakerx beakerx 4096 Sep  7 01:30 .
drwxr-xr-x 25 beakerx beakerx 4096 Sep  7 01:30 ..
drwxr-xr-x  6 beakerx beakerx 4096 Sep  7 01:30 share
 ---> 7fd474369e15
Removing intermediate container d337b58c1571
Step 25/29 : RUN ls -la /home/beakerx/.local/share
 ---> Running in e05cd55aaae6
total 12
drwxr-xr-x 6 beakerx beakerx 4096 Sep  7 01:30 .
drwxr-xr-x 6 beakerx beakerx 4096 Sep  7 01:30 ..
drwxr-xr-x 6 beakerx beakerx 4096 Sep  7 01:30 jupyter
 ---> 03191c2d9fc8
Removing intermediate container e05cd55aaae6
Step 26/29 : USER beakerx
 ---> Running in 40b2d522ea0f
 ---> 604503b2152b
Removing intermediate container 40b2d522ea0f
Step 27/29 : RUN id
 ---> Running in e7b8ed6a1165
uid=1000(beakerx) gid=1000(beakerx) groups=1000(beakerx),27(sudo)
 ---> 5987e9d9f0bb
Removing intermediate container e7b8ed6a1165
Step 28/29 : RUN ls -la /home/beakerx/.local
 ---> Running in 4c65bd4a383e
ls: cannot access '/home/beakerx/.local/share': Permission denied
total 8
drwxr-xr-x  6 beakerx beakerx 4096 Sep  7 01:30 .
drwxr-xr-x 25 beakerx beakerx 4096 Sep  7 01:30 ..
d?????????  ? ?       ?          ?            ? share
ERROR: Service 'beakerx-cling-prebuild' failed to build: The command '/bin/sh -c ls -la /home/beakerx/.local' returned a non-zero code: 1

Expected behavior

Work as expected.

Actual behavior

Build failed

Steps to reproduce the behavior

My full Dockerfile with some debugging info is

FROM beakerx/beakerx

MAINTAINER liudonghua123 <liudonghua123@gmail.com>

# not works
#RUN conda install xeus-cling notebook -c QuantStack -c conda-forge -y --quiet

USER root
# install gcc7
RUN add-apt-repository -y ppa:jonathonf/gcc-7.2
RUN apt-get update -y
RUN apt-get install -y gcc-7

# revert to beakerx user
#USER beakerx

RUN id && whoami
RUN cat /etc/passwd

ARG CLING_FILENAME=cling_2018-09-04_ubuntu16
RUN echo "use ${CLING_FILENAME} for build"
# add the prebuild cling packages
ADD ${CLING_FILENAME}.tar.bz2 /home/beakerx
ENV PATH=/home/beakerx/${CLING_FILENAME}/bin:$PATH
USER root
RUN pip install --upgrade pip
# install steps, https://github.com/root-project/cling/tree/master/tools/Jupyter
RUN cd /home/beakerx/${CLING_FILENAME}/share/cling/Jupyter/kernel && pip install -e . && jupyter-kernelspec install --user cling-cpp17 && jupyter-kernelspec install --user cling-cpp1z && jupyter-kernelspec install --user cling-cpp14 && jupyter-kernelspec install --user cling-cpp11
RUN ln -s /usr/bin/gcc-7 /usr/bin/gcc

RUN echo "root:root" | chpasswd
RUN echo "beakerx:beakerx" | chpasswd
RUN usermod -aG sudo beakerx

RUN echo beakerx | sudo -S chown -R beakerx:beakerx /home/beakerx/.local
RUN echo beakerx | sudo -S find /home/beakerx/.local -type d -exec chmod 755 {} \;
RUN echo beakerx | sudo -S find /home/beakerx/.local -type f -exec chmod 644 {} \;

RUN id
RUN ls -la /home/beakerx/.local
RUN ls -la /home/beakerx/.local/share

USER beakerx

RUN id
RUN ls -la /home/beakerx/.local
RUN ls -la /home/beakerx/.local/share

#COPY start-notebook.sh /usr/local/bin/start-notebook.sh
#RUN chmod a+x /usr/local/bin/start-notebook.sh

Output of docker version:

$ docker -v
Docker version 17.03.1-ce, build c6d412e

Output of docker info:

$ docker info
Containers: 134
 Running: 58
 Paused: 0
 Stopped: 76
Images: 635
Server Version: 17.03.1-ce
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 1326
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 4ab9917febca54791c5f071a9d1f404867857fcc
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-43-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 31.41 GiB
Name: ldh55.liudonghua.com
ID: BK3U:E6HW:NWFC:A3HA:NHFZ:QANX:NURK:CZHI:5AAT:OFTH:Z5K4:OPQD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: liudonghua123
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Experimental: false
Insecure Registries:
 127.0.0.0/8
Registry Mirrors:
 http://fc54583c.m.daocloud.io
Live Restore Enabled: false

Additional environment details (AWS, VirtualBox, physical, etc.)

liudonghua123 commented 5 years ago

This problem is related to the storage-driver bug, see https://github.com/moby/moby/issues/28391, https://github.com/moby/moby/issues/20240. Currently I can only change the storage driver to overlay; using the default aufs or the recommended overlay2 will break.

seemethere commented 5 years ago

Have you tried updating to a newer version? 17.03 is over a year old and currently out of support.

liudonghua123 commented 5 years ago

@seemethere I have updated to the latest version 18.06.1-ce, build e68fc7a, but this problem still remains.

AkihiroSuda commented 5 years ago

overlay2 will break

Please make sure docker info contains Supports d_type: true

liudonghua123 commented 5 years ago

@AkihiroSuda Hi, I can find Supports d_type: true in docker info, but it still did not work using aufs or overlay; maybe I should upgrade the kernel to 4.6 or above. Here is some info on my Linux and Docker.

ldh@ldh55:~$ uname -a
Linux ldh55.liudonghua.com 4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ldh@ldh55:~$ 
ldh@ldh55:~$ 
ldh@ldh55:~$ cat /etc/issue
Ubuntu 16.04.2 LTS \n \l

ldh@ldh55:~$ docker info
Containers: 20
 Running: 11
 Paused: 0
 Stopped: 9
Images: 169
Server Version: 18.06.1-ce
Storage Driver: overlay
 Backing Filesystem: extfs
 Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-43-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 31.41GiB
Name: ldh55.liudonghua.com
ID: BK3U:E6HW:NWFC:A3HA:NHFZ:QANX:NURK:CZHI:5AAT:OFTH:Z5K4:OPQD
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Username: liudonghua123
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Registry Mirrors:
 http://fc54583c.m.daocloud.io/
Live Restore Enabled: false

WARNING: No swap limit support
ldh@ldh55:~$ 
ldh@ldh55:~$ docker -v
Docker version 18.06.1-ce, build e68fc7a
ldh@ldh55:~$

wujun4code commented 5 years ago

@liudonghua123 Hi, I finally found you here. Sorry for interrupting you in this issue, but I tried every way to get in touch with you; please take a look at liudonghua123/gatsby-remark-sequence#1. Thanks for your good job with that plugin, but it does not work now. I made a PR, please take a look. Sorry for letting you know this way that I am looking for you.

Big sorry and Big thanks for your great works.

levyndot commented 4 years ago

Sorry for bumping this old issue, but today I also have the same problem. Any solution for the question marks in file permissions in containers? I'm on v19.03 on CentOS 7.

# docker -v
Docker version 19.03.3, build a872fc2f86
# docker-compose -v
docker-compose version 1.24.1, build 4667896b

Thanks.

AkihiroSuda commented 4 years ago

@guitaro docker info?

levyndot commented 4 years ago

Yes, sorry, here is the output:

docker info

Client:
 Debug Mode: false

Server:
 Containers: 6
  Running: 4
  Paused: 0
  Stopped: 2
 Images: 14
 Server Version: 19.03.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb
 runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f
 init version: fec3683
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-514.6.2.el7.x86_64
 Operating System: CentOS Linux 7 (Core)
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 7.639GiB
 Name: vmw-odigo-paas-04
 ID: 5WG4:XZWI:RMVR:4GM6:RAZG:O4XE:MCOA:PK64:ZVZC:PW6R:3F2C:Z47Z
 Docker Root Dir: /appli/docker
 Debug Mode: true
  File Descriptors: 54
  Goroutines: 62
  System Time: 2019-10-16T09:40:49.516623703+02:00
  EventsListeners: 0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

AkihiroSuda commented 4 years ago

@dmcgowan PTAL?

sebastienhasa commented 4 years ago

I got the same problem and my storage driver is overlay2.

I run on Fedora 30:

Linux 5.3.8-200.fc30.x86_64

With docker version 1.13.1, build 47e2230/1.13.1:

docker info
Containers: 15
 Running: 2
 Paused: 0
 Stopped: 13
Images: 96
Server Version: 1.13.1
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: systemd
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
 Authorization: rhel-push-plugin
Swarm: inactive
Runtimes: runc oci
Default Runtime: oci
Init Binary: /usr/libexec/docker/docker-init-current
containerd version:  (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: N/A (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 seccomp
  WARNING: You're not using the default seccomp profile
  Profile: /etc/docker/seccomp.json
 selinux
Kernel Version: 5.3.8-200.fc30.x86_64
Operating System: Fedora 30 (Workstation Edition)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 2
CPUs: 4
Total Memory: 11.58 GiB
Name: %
ID: WL5N:W3LH:72MH:63MT:REKR:I6UI:2GH5:Z2KL:LZSD:Y6WQ:KEU7:JX3C
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: true
Registries: docker.io (secure), registry.fedoraproject.org (secure), quay.io (secure), registry.access.redhat.com (secure), registry.centos.org (secure), docker.io (secure)

AkihiroSuda commented 4 years ago

1.13.1 is ancient and unsupported.

sebastienhasa commented 4 years ago

Soooo, my problem was caused because one of the 3 volumes was not mounted with the ":z" option and SELinux blocked access to one of my files.

alexanderadam commented 4 years ago

It's also happening on Docker version 19.03.7, build 7141c199a2.

In my case it's happening for a volume mounted with the shared flag.

docker info:

Client:
 Debug Mode: false

Server:
 Containers: 28
  Running: 27
  Paused: 0
  Stopped: 1
 Images: 99
 Server Version: 19.03.7
 Storage Driver: overlay2
  Backing Filesystem: <unknown>
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
 init version: fec3683
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.4.0-165-generic
 Operating System: Ubuntu 16.04.6 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 5.824GiB
 Name: 32642.hostserv.eu
 ID: ULG6:F6GP:JJIN:2RM6:N53H:XIEJ:C2OL:Y57I:BZ72:JIRY:HDHQ:CJ3U
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

haozhenxiao commented 4 years ago

Disabling selinux works for me.

ryan-williams commented 3 years ago

Here is an image built with a small Dockerfile (see below) that demonstrates the problem:

docker run --rm -it runsascoded/docker-bug:debian
Output:

```
+ ls -la /root
ls: cannot access '/root/dir': Permission denied
total 12
drwxr-xr-x  5 root root  75 Dec 11 20:07 .
drwxr-xr-x 40 root root  79 Dec 11 20:37 ..
-rw-r-xr-x  1 root root 570 Jan 31  2010 .bashrc
-rw-r-xr-x  1 root root 148 Aug 17  2015 .profile
-rw-r-xr-x  1 root root   4 Dec 11 20:07 aaa
??????????  ? ?    ?      ?            ? dir
+ echo Failed
Failed
+ sudo ls -la /root
total 12
drwxr-xr-x  5 root root  75 Dec 11 20:07 .
drwxr-xr-x 40 root root  79 Dec 11 20:37 ..
-rw-r-xr-x  1 root root 570 Jan 31  2010 .bashrc
-rw-r-xr-x  1 root root 148 Aug 17  2015 .profile
-rw-r-xr-x  1 root root   4 Dec 11 20:07 aaa
drwxr-xr-x  2 root root  24 Dec 11 20:07 dir
+ ls -la /root
total 12
drwxr-xr-x  5 root root  75 Dec 11 20:07 .
drwxr-xr-x 40 root root  79 Dec 11 20:37 ..
-rw-r-xr-x  1 root root 570 Jan 31  2010 .bashrc
-rw-r-xr-x  1 root root 148 Aug 17  2015 .profile
-rw-r-xr-x  1 root root   4 Dec 11 20:07 aaa
drwxr-xr-x  2 root root  24 Dec 11 20:07 dir
```

ls as non-root user gives erroneous Permission denied errors and returns lines like ?????????? ? ? ? ? ? dir. Performing the same ls once as root snaps the storage layer into correct behavior, and performing ls again as user works for the rest of the container's lifetime.

docker version:

```
Client:
 Version:           18.06.3-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        d7080c1
 Built:             Wed Feb 20 02:27:13 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.3-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       d7080c1
  Built:            Wed Feb 20 02:25:38 2019
  OS/Arch:          linux/amd64
  Experimental:     false
```

docker info:

```
Containers: 3030
 Running: 22
 Paused: 0
 Stopped: 3008
Images: 820
Server Version: 18.06.3-ce
Storage Driver: aufs
 Backing Filesystem: xfs
 Dirs: 7342
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 468a545b9edcd5932818eb9de8e72413e616e86e
runc version: a592beb5bc4c4092b1b1bac971afed27687340c5
init version: fec3683
Kernel Version: 4.4.0-121-generic
Operating System: Ubuntu 14.04.5 LTS
OSType: linux
Architecture: x86_64
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Live Restore Enabled: false
```

Dockerfile:

```Dockerfile
FROM debian@sha256:d70fe252be511834ae8f685a90b0a658539c99c4a87f79c41831b09be0fee705
WORKDIR /root
RUN echo "111" > aaa
WORKDIR /root/dir
RUN echo "222" > bbb
RUN chmod -R go+rx /root
RUN apt-get update && apt-get install -y sudo
WORKDIR /
RUN useradd -m -G sudo user \
 && perl -pi -e "s/^%sudo(.*ALL=).*/user\1(ALL) NOPASSWD: ALL/" /etc/sudoers
WORKDIR /home/user
COPY test.sh ./
RUN chown user:user test.sh
USER user
ENTRYPOINT ["./test.sh"]
```

test.sh:

```bash
#!/bin/bash
set -ex
# Permission denied!
ls -la /root || echo 'Failed'
# Peek as root
sudo ls -la /root
# Now it works 🤔
ls -la /root
```

I also built a version on Alpine:

docker run --rm -it runsascoded/docker-bug:alpine
Output:

```
+ ls -la /root
ls: /root/dir: Permission denied
total 4
drwxr-xr-x  5 root root 38 Dec 11 19:22 .
drwxr-xr-x 39 root root 79 Dec 12 14:51 ..
-rw-r-xr-x  1 root root  4 Dec 11 19:22 aaa
+ echo Failed
Failed
+ sudo ls -la /root
total 4
drwxr-xr-x  5 root root 38 Dec 11 19:22 .
drwxr-xr-x 39 root root 79 Dec 12 14:51 ..
-rw-r-xr-x  1 root root  4 Dec 11 19:22 aaa
drwxr-xr-x  2 root root 24 Dec 11 19:22 dir
+ ls -la /root
total 4
drwxr-xr-x  5 root root 38 Dec 11 19:22 .
drwxr-xr-x 39 root root 79 Dec 12 14:51 ..
-rw-r-xr-x  1 root root  4 Dec 11 19:22 aaa
drwxr-xr-x  2 root root 24 Dec 11 19:22 dir
```

This time it omits the ?????????? ? ? ? ? ? dir line, but still shows Permission denied (and fails to display the /root/dir in question altogether).

thaJeztah commented 3 years ago

@ryan-williams your case may be specific to aufs. I see you're running docker 18.06 (which reached EOL two years ago), and Ubuntu 14.04 (which also reached EOL); if possible, I'd recommend upgrading both, because both have unpatched vulnerabilities.

bozhidarc commented 3 years ago

I have a similar problem to @ryan-williams.

An external volume is mounted into two containers, one Alpine and one Debian; in the second one, running as a user which is not root (www-data), the file permissions and owners are listed with question marks (?????).

docker version

```
Client:
 Cloud integration: 1.0.17
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.16.4
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:23 2021
 OS/Arch:           darwin/arm64
 Context:           desktop-linux
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:55:36 2021
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.4.6
  GitCommit:        d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc:
  Version:          1.0.0-rc95
  GitCommit:        b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

docker info

```
Client:
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  compose: Docker Compose (Docker Inc., 2.0.0-beta.4)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 29
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: d71fcd7d8303cbf684402823e425e9dd2e99285d
 runc version: b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.25-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 4
 Total Memory: 1.928GiB
 Name: docker-desktop
 ID: MLSG:XYLE:2FO7:QFMO:UVEL:57LG:LSGS:4VXB:S6ZJ:4H24:LGOQ:NIGJ
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false
```

thaJeztah commented 3 years ago

@bozhidarc That can be expected; Linux may show ???? if it's unable to "stat" a directory / file (if it does not have permissions to read), see (e.g.) https://stackoverflow.com/a/541644/1811501

You can reproduce this in a container;

Build an image that has a directory, owned by root, with 0744 (drwxr--r--) permissions. The image has user 123:123 set as default user;

docker build -t foo -<<EOF
FROM debian
RUN mkdir /somedir && chmod 0744 /somedir
USER 123:123
CMD ls -lsa /somedir
EOF

Run a container from that image, and see it shows ???:

docker run --rm foo
ls: cannot access '/somedir/.': Permission denied
ls: cannot access '/somedir/..': Permission denied
total 0
? d????????? ? ? ? ?            ? .
? d????????? ? ? ? ?            ? ..

Run the container as root, and see that it shows the permissions normally:

docker run --rm --user root:root foo
total 8
4 drwxr--r-- 2 root root 4096 Jul  6 08:04 .
4 drwxr-xr-x 1 root root 4096 Jul  6 08:08 ..

Note that it depends on the container's base image how this case is presented. For example, doing the same with an alpine base image:

docker build -t foo -<<EOF
FROM alpine
RUN mkdir /somedir && chmod 0744 /somedir
USER 123:123
CMD ls -lsa /somedir
EOF

Then running the container does not show the question marks, but only the permission denied error:

docker run --rm foo
total 0
ls: /somedir/.: Permission denied
ls: /somedir/..: Permission denied
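To make the mechanism in the comment above concrete, here is an added Python model of the permission check (example code written for this page, not from the thread or from Docker): readdir() needs the read bit on a directory, while stat() of each entry needs the search (execute) bit, so a root-owned 0744 directory yields names but '?' for every other field to a non-root user, and root bypasses the check. The Inode class, simulate_ls, somedir_demo and probe_real are hypothetical helpers; probe_real runs the same logic against a real path.

```python
from __future__ import annotations

import os
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1  # bits of one rwx triplet in a mode such as 0o744


@dataclass
class Inode:
    """Constructed stand-in for a file or directory (hypothetical helper)."""
    name: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o744
    is_dir: bool = False


def permitted(node: Inode, uid: int, gids: set[int], want: int) -> bool:
    """POSIX discretionary access check for one bit (R, W or X).
    uid 0 bypasses it, which is why --user root:root lists the directory normally."""
    if uid == 0:
        return True
    if uid == node.uid:
        bits = (node.mode >> 6) & 7  # owner triplet
    elif node.gid in gids:
        bits = (node.mode >> 3) & 7  # group triplet
    else:
        bits = node.mode & 7         # other triplet
    return bool(bits & want)


def simulate_ls(directory: Inode, entries: list[Inode], uid: int, gids: set[int]) -> list[str]:
    """Emulate `ls -l`: readdir() needs R on the directory, stat() of each entry
    needs X (search) on it. An entry whose stat() fails is shown with '?' fields,
    the d????????? rows seen in this thread."""
    if not permitted(directory, uid, gids, R):
        raise PermissionError(f"ls: cannot open directory '{directory.name}': Permission denied")
    can_stat = permitted(directory, uid, gids, X)
    rows = []
    for e in entries:
        if can_stat:
            ftype = stat.S_IFDIR if e.is_dir else stat.S_IFREG
            rows.append(f"{stat.filemode(ftype | e.mode)} {e.uid} {e.gid} {e.name}")
        else:
            rows.append(f"{'?' * 10} ? ? {e.name}")
    return rows


def somedir_demo(uid: int, gids: set[int], dir_mode: int = 0o744) -> list[str]:
    """The /somedir reproduction: root-owned directory with dir_mode, listed with
    `ls -lsa` (so '.' and '..' are the entries) as the given uid/gids."""
    somedir = Inode("/somedir", 0, 0, dir_mode, is_dir=True)
    entries = [Inode(".", 0, 0, dir_mode, True), Inode("..", 0, 0, 0o755, True)]
    return simulate_ls(somedir, entries, uid, gids)


def probe_real(path: str) -> list[str]:
    """Same check against a real path (run it inside the container as the non-root
    user): names come from listdir(), '?' marks entries that stat() refuses."""
    rows = []
    for name in os.listdir(path):  # needs R on the directory
        try:
            st = os.lstat(os.path.join(path, name))  # needs X on the directory
            rows.append(f"{stat.filemode(st.st_mode)} {st.st_uid} {st.st_gid} {name}")
        except PermissionError:
            rows.append(f"{'?' * 10} ? ? {name}")
    return rows


if __name__ == "__main__":
    print("\n".join(somedir_demo(123, {123})))          # '?' rows, as in the thread
    print("\n".join(somedir_demo(0, {0})))              # root sees drwxr--r--
    print("\n".join(somedir_demo(123, {123}, 0o755)))   # the fix: add the search bit
```

The same model shows why chmod 0755 (or chown to the running user) fixes the listing, and why the SELinux and storage-driver cases earlier in the thread look identical from inside the container: ls only sees stat() failing.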