
Fixing Docker Volume Permission Denial After a Recent Docker Engine Upgrade

Quick Fix Summary

TL;DR

Run `sudo chown -R $(id -u):$(id -g) /path/to/volume` on the host to reset ownership.

A Docker Engine upgrade can change the default user/group mapping for containers, causing the container process to lack write permissions on mounted host directories.

Diagnosis & Causes

  • Docker Engine's default user namespace remapping changed.
  • Host volume directory ownership is root:root but container runs as non-root user.

Recovery Steps

    Step 1: Verify Docker User Namespace Configuration

    Check if user namespace remapping is enabled, as this is a common post-upgrade change.

    bash
    sudo docker info --format '{{.SecurityOptions}}'
    grep userns-remap /etc/docker/daemon.json

    Step 2: Inspect Container User and Volume Permissions

    Identify the user ID (UID) the container runs as and the permissions on the host directory.

    bash
    docker exec <container_name_or_id> id
    ls -ldn /path/to/host/volume

    Step 3: Fix Ownership via Host (Quick Recovery)

    Change the host directory's ownership to match the container user's UID/GID.

    bash
    CONTAINER_UID=$(docker exec <container_name> id -u)
    CONTAINER_GID=$(docker exec <container_name> id -g)
    sudo chown -R "$CONTAINER_UID:$CONTAINER_GID" /path/to/host/volume

    Step 4: Fix Ownership via Docker Run (Alternative)

    Run the container with the `--user` flag to match the host directory's UID/GID.

    bash
    HOST_UID=$(id -u)
    HOST_GID=$(id -g)
    docker run -v /path/to/host/volume:/container/path --user "$HOST_UID:$HOST_GID" your_image

    Step 5: Disable User Namespace Remapping (If Enabled)

    If Step 1 shows `userns` security option, disable it in the daemon config and restart.

    bash
    sudo systemctl stop docker
    sudo rm -f /etc/docker/daemon.json # Deletes the whole daemon config; to keep other settings, edit the file and remove only the 'userns-remap' key
    sudo systemctl start docker

    Step 6: Use Named Volumes for Persistent Data

    For production, use Docker-managed named volumes to avoid host permission issues.

    bash
    docker volume create my_app_data
    docker run -v my_app_data:/container/path your_image
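
    As an added example that is not part of the original guide, a small POSIX shell helper that automates the reasoning behind Steps 1 to 3: it maps a container UID/GID to the host IDs the process really runs as (adding the dockremap subordinate range start when user namespace remapping is on) and compares that identity against the mounted directory's owner and mode bits. The function names, the constructed subuid file and the sample IDs are assumptions; it expects GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not from the original guide): translate a container UID/GID to the
# host IDs it really runs as, then check whether that identity can write the volume.
# Assumes GNU coreutils stat and the /etc/subuid line format "user:start:count".
set -eu

# With userns-remap, container ID n appears on the host as (range start + n);
# without remapping (start 0, the default when the argument is omitted) it is unchanged.
map_to_host_id() {
    printf '%s\n' $(( ${2:-0} + $1 ))
}

# First subordinate-ID range start for USER in a subuid/subgid-format FILE;
# prints 0 when the user has no entry, i.e. no remapping applies.
subid_start_for() {
    awk -F: -v u="$1" '$1 == u { print $2; found = 1; exit } END { if (!found) print 0 }' "$2"
}

# Print "ok" if HOST_UID/HOST_GID can write DIR via the owner, group or other bits,
# "mismatch" (and return 1) otherwise: the condition Steps 3 and 4 are repairing.
check_volume_owner() {
    local dir=$1 host_uid=$2 host_gid=$3 owner_uid owner_gid perm
    owner_uid=$(stat -c %u "$dir")
    owner_gid=$(stat -c %g "$dir")
    perm=$(stat -c %A "$dir")            # e.g. drwxr-xr-x
    if [ "$owner_uid" = "$host_uid" ]; then
        case $perm in ??w*) echo ok; return 0 ;; esac
    fi
    if [ "$owner_gid" = "$host_gid" ]; then
        case $perm in ?????w*) echo ok; return 0 ;; esac
    fi
    case $perm in ????????w*) echo ok; return 0 ;; esac
    echo mismatch
    return 1
}

# Demo on constructed data: a remapped container runs as UID/GID 1000 inside a
# namespace whose dockremap range starts at 100000 and mounts a fresh directory.
demo_dir=$(mktemp -d)
printf 'dockremap:100000:65536\n' > "$demo_dir/subuid"   # constructed, not /etc/subuid
start=$(subid_start_for dockremap "$demo_dir/subuid")
host_uid=$(map_to_host_id 1000 "$start")                  # 101000
host_gid=$(map_to_host_id 1000 "$start")
verdict=$(check_volume_owner "$demo_dir" "$host_uid" "$host_gid") || true
echo "container uid 1000 -> host uid $host_uid; volume owner check: $verdict"
rm -rf "$demo_dir"
```

    Pointing `check_volume_owner` at the real volume path with the IDs from `docker exec <container> id -u` and `id -g` (mapped through `/etc/subuid` if remapping is on) tells you before any `chown` whether Step 3 is actually needed.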

    Architect's Pro Tip

    "This often happens when upgrading from Docker Engine v19 to v20+, where the default `--userns-remap` behavior or the `dockremap` user/group creation may change. Always check `/var/log/docker.log` after an upgrade."

    Frequently Asked Questions

    Will changing host directory ownership break other services?

    Yes, if other processes use the directory. Prefer Step 4 (run container as host user) or Step 6 (use named volumes) for shared paths.

    Is it safe to disable user namespace remapping?

    It reduces container isolation. Only disable it if you understand the security trade-off and have no multi-tenant requirements.
