There is an inconsistent behavior of setfacl between Windows (and possibly MacOS) and Linux. Seems that setfacl cannot be used with folders in a bind-mount on Linux, only on Windows (and possibly MacOS).
You can try it yourself with this minimal repository.
Given:
- folder-volume: a Docker volume
- folder-bind: a regular folder inside a Docker bind-mount
The problem
Running setfacl on folder-volume:
setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX /workspace/folder-volume
- ✅ Windows works fine
- ✅ Linux works fine
Running setfacl command on folder-bind:
setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX /workspace/folder-bind
- ✅ Windows works fine
- ❌ Linux throws the error Not supported
I’m seeing this after switching to Linux for work. Does anyone have a solution, or has anyone noted the same?
2 Answers
Actually, ACLs are used to set permissions beyond the traditional Unix permissions, and on Linux setfacl may not work as expected on bind-mounted folders because the underlying file system may not support ACLs, so this is likely why you are getting the Not supported error, but Windows or MacOS have their own implementations of ACLs, which may work differently and support ACLs on bind-mounted folders. If ACLs are crucial for your use case and you need consistent behavior across different operating systems, just use different methods, such as a network file system (NFS) or a distributed file system that supports ACLs consistently across platforms.
The reason is that Linux does not support setting ACLs on bind mounts, while Windows and MacOS do.
On Linux, when you mount a directory into a container using -v host_dir:container_dir (bind mount), the host directory ACLs are not preserved.
The bind mount ignores the ACLs on the host.
So when you try to run setfacl on the bind mounted directory inside the container, it fails with "not supported" error on Linux.
Whereas on Windows and MacOS, ACLs are preserved in bind mounts.
So setfacl works as expected on a bind mounted directory inside a Docker container.
The workaround on Linux is to use a Docker volume instead of a bind mount, as you have demonstrated.
Docker volumes support ACLs on Linux, so setfacl will work as expected there.
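To check the first answer's point about the underlying file system, the following added example (not code from the question or either answer) finds which mount serves a path inside the container and reports its filesystem type. The mountinfo sample is constructed, with the filesystem types and devices chosen for illustration only; the paths reuse the question's /workspace/folder-volume and /workspace/folder-bind.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample in /proc/self/mountinfo format; not captured from the asker's host.
SAMPLE_MOUNTINFO = """\
620 500 0:60 / / rw,relatime master:1 - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
640 620 8:2 /var/lib/docker/volumes/vol/_data /workspace/folder-volume rw,relatime - ext4 /dev/sda2 rw
641 620 8:17 /projects/app/folder-bind /workspace/folder-bind rw,relatime - exfat /dev/sdb1 rw,uid=1000
"""

@dataclass
class Mount:
    root: str            # subtree of the source filesystem that is mounted
    mount_point: str     # where that subtree appears inside the container
    options: list        # per-mount options
    fstype: str          # filesystem that actually receives the setfacl request
    super_options: list  # per-superblock options

def _unescape(field):
    # mountinfo writes space, tab, newline and backslash as octal escapes such as \040
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # a lone "-" ends the optional fields
        except ValueError:
            continue  # empty or malformed line
        if len(fields) < sep + 2:
            continue
        supers = fields[sep + 3].split(",") if len(fields) > sep + 3 else []
        mounts.append(Mount(_unescape(fields[3]), _unescape(fields[4]),
                            fields[5].split(","), fields[sep + 1], supers))
    return mounts

def mount_for(path, mounts):
    # Longest mount point that contains the path wins; later entries win ties (overmounts).
    path = os.path.normpath(path)
    best = None
    for m in mounts:
        inside = path == m.mount_point or path.startswith(m.mount_point.rstrip("/") + "/")
        if inside and (best is None or len(m.mount_point) >= len(best.mount_point)):
            best = m
    return best
```

Inside a real container, pass the contents of /proc/self/mountinfo to parse_mountinfo and compare the fstype reported for the two folders.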