[Request]: Named volume permissions consistent with local folder share volume

[mungler]

Feature or enhancement request details

If I create a named volume and attempt start a MySQL container, I get an error that the mysqld process cannot write to the specified volume:

rory@Zaphod ~> /usr/local/bin/container run --rm --publish 3336:3306 -v mysql-data:/var/lib/mysql -e MYSQL_DATABASE=<redacted> -e MYSQL_USER=<redacted> -e MYSQL_PASSWORD=<redacted> docker.io/percona/percona-server:8.0.34-26.1-multi --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --log_bin_trust_function_creators=1
Initializing database            
mysqld: Can't create/write to file '/var/lib/mysql/is_writable' (OS errno 13 - Permission denied)

However, if instead I pass a local directory path, everything starts up fine:

rory@Zaphod ~ [1]> mkdir $DATA_ROOT/volumes/mysql-data
rory@Zaphod ~> /usr/local/bin/container run --rm --publish 3336:3306 -v $DATA_ROOT/volumes/mysql-data:/var/lib/mysql -e MYSQL_DATABASE=<redacted> -e MYSQL_USER=<redacted> -e MYSQL_PASSWORD=<redacted> docker.io/percona/percona-server:8.0.34-26.1-multi --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --log_bin_trust_function_creators=1
Initializing database            
2025-10-09T11:51:35.049004Z 0 [Warning] [MY-011068] [Server] The syntax '--skip-host-cache' is deprecated and will be removed in a future release. Please use SET GLOBAL host_cache_size=0 instead.
2025-10-09T11:51:35.049044Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.34-26) initializing of server in progress as process 9
2025-10-09T11:51:35.050734Z 0 [Warning] [MY-010159] [Server] Setting lower_case_table_names=2 because file system for /var/lib/mysql/ is case insensitive
2025-10-09T11:51:35.056304Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2025-10-09T11:51:35.297262Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.

Shouldn't the permissions model be the same whether I use a local directory path or a named volume?

Code of Conduct

• I agree to follow this project's Code of Conduct

[jglogan]

Hi, @mungler! Could you check to see that you're not seeing the mysql version of this issue?

#333 (comment)

[mungler]

Hi @jglogan I had a look and... I might be? Truthfully i'm not totally sure I follow what the problem actually is, nor how I would go about solving it.

I want to store my MySQL instance's data externally to the container such that it persists between boots of the container. It does appear to work with a directory (e.g. -v /some/local/path/mysql-data:/var/lib/mysql) but NOT with a named volume (e.g. -v mysql-data:/var/lib/mysql).

Any help is hugely appreciated!

[pro100filipp]

Same with n8n image.

This fails to start with EACCES: permission denied, open '/home/node/.n8n/config'

container run --rm -it --name n8n -p 5678:5678 \
-e GENERIC_TIMEZONE="Europe/Moscow" \
-e TZ="Europe/Moscow" \
-e N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true \
-e N8N_RUNNERS_ENABLED=true \
-e N8N_SECURE_COOKIE=false \
-e N8N_CUSTOM_EXTENSIONS=/data/custom \
-v ${PWD}:/data/custom \
-v n8n:/home/node/.n8n/ \
 docker.n8n.io/n8nio/n8n

And this works just fine

container run --rm -it --name n8n -p 5678:5678 \
-e GENERIC_TIMEZONE="Europe/Moscow" \
-e TZ="Europe/Moscow" \
-e N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS=true \
-e N8N_RUNNERS_ENABLED=true \
-e N8N_SECURE_COOKIE=false \
-e N8N_CUSTOM_EXTENSIONS=/data/custom \
-v ${PWD}:/data/custom \
-v ${PWD}/n8n:/home/node/.n8n \
 docker.n8n.io/n8nio/n8n

[vsarunas]

The problem is that named volumes get ownership permissions as root, and no one else has ability to access this:

container run --rm -it -v permissions-volume:/mnt/permission --user nobody alpine:latest \
  sh -c 'ls -l /mnt/permission; touch /mnt/permission/file'

total 4
drwx------    2 root     root          4096 Oct 29 12:31 lost+found

touch: /mnt/permission/file: Permission denied

Although, the behaviour looks to be the same in Docker as well.

[pro100filipp]

Although, the behaviour looks to be the same in Docker as well.

Maybe, but if you change to docker, the command above (with named volumes one) works – so it's not only about permissions

[peterpeterparker]

I just tested the latest version which implicitly creates named volumes (that's great) and noticed that these volumes require root privileges and do not inherit permissions or ownership.

As I mentioned in the previous issue (#690), it would be great, although I am not sure how common this pattern is, if Apple Container could mimic Docker and Podman behavior so that permissions and ownership are preserved on first use.

Here is my updated reproduction.

Dockerfile:

FROM debian:stable-slim

RUN useradd -ms /bin/bash apprunner
USER apprunner

WORKDIR /test

RUN mkdir -p /test/demo
VOLUME ["/test"]

CMD ["/bin/bash"]

Docker success ✅:

docker build -t volume-test .
docker run --rm -v vol-test:/test volume-test sh -lc 'mkdir -p /test/demo && touch /test/demo/hello'

Podman success ✅:

podman build -t volume-test .
podman run --rm -v vol-test:/test volume-test sh -lc 'mkdir -p /test/demo && touch /test/demo/hello'

Apple container fails ❌:

container build -t volume-test .
container run --rm -v vol-test:/test volume-test sh -lc 'mkdir -p /test/demo && touch /test/demo/hello'
mkdir: cannot create directory '/test/demo': Permission denied

[mungler]

@peterpeterparker thank you for succinctly explaining the issue - this is exactly whats blocking me too.

[kgowtham07]

Facing same issue while starting n8n with container.

n8n volume creation Command:
container v create n8n_data

n8n start Command:
container run -it --rm --name n8n -p 5678:5678 -v n8n_data:/home/node/.n8n docker.n8n.io/n8nio/n8n

Error:

No encryption key found - Auto-generating and saving to: /home/node/.n8n/config
Error: EACCES: permission denied, open '/home/node/.n8n/config'
    at writeFileSync (node:fs:2425:20)
    at InstanceSettings.save (/usr/local/lib/node_modules/n8n/node_modules/.pnpm/n8n-core@file+packages+core_@opentelemetry+api@1.9.0_@opentelemetry+sdk-trace-base@1.30_08b575bec2313d5d8a4cc75358971443/node_modules/n8n-core/src/instance-settings/instance-settings.ts:241:16)
    at InstanceSettings.loadOrCreate (/usr/local/lib/node_modules/n8n/node_modules/.pnpm/n8n-core@file+packages+core_@opentelemetry+api@1.9.0_@opentelemetry+sdk-trace-base@1.30_08b575bec2313d5d8a4cc75358971443/node_modules/n8n-core/src/instance-settings/instance-settings.ts:218:8)
    at new InstanceSettings (/usr/local/lib/node_modules/n8n/node_modules/.pnpm/n8n-core@file+packages+core_@opentelemetry+api@1.9.0_@opentelemetry+sdk-trace-base@1.30_08b575bec2313d5d8a4cc75358971443/node_modules/n8n-core/src/instance-settings/instance-settings.ts:67:24)
    at ContainerClass.get (/usr/local/lib/node_modules/n8n/node_modules/.pnpm/@n8n+di@file+packages+@n8n+di/node_modules/@n8n/di/src/di.ts:104:16)
    at CommunityPackagesModule.loadDir (/usr/local/lib/node_modules/n8n/src/modules/community-packages/community-packages.module.ts:37:30)
    at processTicksAndRejections (node:internal/process/task_queues:105:5)
    at ModuleRegistry.loadModules (/usr/local/lib/node_modules/n8n/node_modules/.pnpm/@n8n+backend-common@file+packages+@n8n+backend-common/node_modules/@n8n/backend-common/src/modules/module-registry.ts:95:20)
    at CommandRegistry.execute (/usr/local/lib/node_modules/n8n/src/command-registry.ts:43:3)
    at /usr/local/lib/node_modules/n8n/bin/n8n:63:2

[mungler]

Any wisdom on this? We're looking to switch from Docker Desktop for our internal development environments on Mac, should we just go with the filesystem paths approach?

[jglogan]

I'm doing a little poking at this, with a script derived from your run command.

mysql works fine, which has been my experience in the past. That image doesn't have a ps but you can see that the user mysql owns the mount point and the underlying files.

I see exactly what you see for the Percona fork though. I don't run a copy of DD on this system but the Percona image starts up fine under Colima (CONTAINER=docker ./run-mysql.sh).

I'll do a bit more digging, just wanted to come back with a few observations.

Test script

#! /bin/bash -ex
CONTAINER=${CONTAINER:-container}
MYSQL_VOLUME=${MYSQL_VOLUME:-mysqlvolume}
MYSQL_IMAGE=${MYSQL_IMAGE:-docker.io/percona/percona-server:8.0.34-26.1-multi}
${CONTAINER} volume rm ${MYSQL_VOLUME} || true
${CONTAINER} volume create ${MYSQL_VOLUME}
${CONTAINER} run --name mysqldb -it --rm --publish 127.0.0.1:3336:3306 -v ${MYSQL_VOLUME}:/var/lib/mysql -e MYSQL_DATABASE=mysqldb -e MYSQL_USER=mysqluser -e MYSQL_ROOT_PASSWORD=mysqlrootpassword ${MYSQL_IMAGE} --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --log_bin_trust_function_creators=1

Percona run - failure

% ./run-mysql.sh 
+ CONTAINER=container
+ MYSQL_VOLUME=mysqlvolume
+ MYSQL_IMAGE=docker.io/percona/percona-server:8.0.34-26.1-multi
+ container volume rm mysqlvolume
mysqlvolume
+ container volume create mysqlvolume
mysqlvolume
+ container run --name mysqldb -it --rm --publish 127.0.0.1:3336:3306 -v mysqlvolume:/var/lib/mysql -e MYSQL_DATABASE=mysqldb -e MYSQL_USER=mysqluser -e MYSQL_ROOT_PASSWORD=mysqlrootpassword docker.io/percona/percona-server:8.0.34-26.1-multi --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --log_bin_trust_function_creators=1
Initializing database                                                                            
mysqld: Can't create/write to file '/var/lib/mysql/is_writable' (OS errno 13 - Permission denied)
2025-12-04T17:51:20.121237Z 0 [Warning] [MY-011068] [Server] The syntax '--skip-host-cache' is deprecated and will be removed in a future release. Please use SET GLOBAL host_cache_size=0 instead.
2025-12-04T17:51:20.121269Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 8.0.34-26) initializing of server in progress as process 9
2025-12-04T17:51:20.121955Z 0 [ERROR] [MY-010460] [Server] --initialize specified but the data directory exists and is not writable. Aborting.
2025-12-04T17:51:20.121958Z 0 [ERROR] [MY-013236] [Server] The designated data directory /var/lib/mysql/ is unusable. You can remove all files that the server added to it.
2025-12-04T17:51:20.121993Z 0 [ERROR] [MY-010119] [Server] Aborting
2025-12-04T17:51:20.122045Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.34-26)  Percona Server (GPL), Release 26, Revision 0fe62c85.

mysql run - success

% MYSQL_IMAGE=docker.io/library/mysql:latest ./run-mysql.sh 
+ CONTAINER=container
+ MYSQL_VOLUME=mysqlvolume
+ MYSQL_IMAGE=docker.io/library/mysql:latest
+ container volume rm mysqlvolume
mysqlvolume
+ container volume create mysqlvolume
mysqlvolume
+ container run --name mysqldb -it --rm --publish 127.0.0.1:3336:3306 -v mysqlvolume:/var/lib/mysql -e MYSQL_DATABASE=mysqldb -e MYSQL_USER=mysqluser -e MYSQL_ROOT_PASSWORD=mysqlrootpassword docker.io/library/mysql:latest --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --log_bin_trust_function_creators=1
2025-12-04 17:51:39+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 9.5.0-1.el9 started.
2025-12-04 17:51:39+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql'
2025-12-04 17:51:39+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 9.5.0-1.el9 started.
2025-12-04 17:51:39+00:00 [Warn] [Entrypoint]: MYSQL_USER specified, but missing MYSQL_PASSWORD; MYSQL_USER will not be created
2025-12-04 17:51:39+00:00 [Note] [Entrypoint]: Initializing database files
2025-12-04T17:51:39.348206Z 0 [System] [MY-015017] [Server] MySQL Server Initialization - start.
2025-12-04T17:51:39.348748Z 0 [System] [MY-013169] [Server] /usr/sbin/mysqld (mysqld 9.5.0) initializing of server in progress as process 77
2025-12-04T17:51:39.360757Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2025-12-04T17:51:40.182420Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2025-12-04T17:51:42.904062Z 6 [Warning] [MY-010453] [Server] root@localhost is created with an empty password ! Please consider switching off the --initialize-insecure option.
2025-12-04T17:51:46.684903Z 0 [System] [MY-015018] [Server] MySQL Server Initialization - end.
2025-12-04 17:51:46+00:00 [Note] [Entrypoint]: Database files initialized
2025-12-04 17:51:46+00:00 [Note] [Entrypoint]: Starting temporary server
mysqld will log errors to /var/lib/mysql/mysqldb.err
mysqld is running as pid 116
2025-12-04 17:51:48+00:00 [Note] [Entrypoint]: Temporary server started.
'/var/lib/mysql/mysql.sock' -> '/var/run/mysqld/mysqld.sock'
Warning: Unable to load '/usr/share/zoneinfo/iso3166.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leap-seconds.list' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/leapseconds' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/tzdata.zi' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone.tab' as time zone. Skipping it.
Warning: Unable to load '/usr/share/zoneinfo/zone1970.tab' as time zone. Skipping it.
2025-12-04 17:51:48+00:00 [Note] [Entrypoint]: Creating database mysqldb

2025-12-04 17:51:48+00:00 [Note] [Entrypoint]: Stopping temporary server
2025-12-04 17:51:50+00:00 [Note] [Entrypoint]: Temporary server stopped

2025-12-04 17:51:50+00:00 [Note] [Entrypoint]: MySQL init process done. Ready for start up.

2025-12-04T17:51:51.005224Z 0 [System] [MY-015015] [Server] MySQL Server - start.
2025-12-04T17:51:51.155530Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 9.5.0) starting as process 1
2025-12-04T17:51:51.155537Z 0 [System] [MY-015590] [Server] MySQL Server has access to 4 logical CPUs.
2025-12-04T17:51:51.155542Z 0 [System] [MY-015590] [Server] MySQL Server has access to 1073741824 bytes of physical memory.
2025-12-04T17:51:51.157995Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2025-12-04T17:51:51.783677Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2025-12-04T17:51:52.170984Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2025-12-04T17:51:52.171038Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
2025-12-04T17:51:52.178483Z 0 [Warning] [MY-011810] [Server] Insecure configuration for --pid-file: Location '/var/run/mysqld' in the path is accessible to all OS users. Consider choosing a different directory.
2025-12-04T17:51:52.203868Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Bind-address: '::' port: 33060, socket: /var/run/mysqld/mysqlx.sock
2025-12-04T17:51:52.203916Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '9.5.0'  socket: '/var/run/mysqld/mysqld.sock'  port: 3306  MySQL Community Server - GPL.

mysql listing

% container exec -it mysqldb ls -ld /var/lib/mysql
drwxr-xr-x 9 mysql root 4096 Dec  4 17:51 /var/lib/mysql

% container exec -it mysqldb ls -l /var/lib/mysql 
total 108465
-rw-r----- 1 mysql mysql  4194304 Dec  4 17:53 '#ib_16384_0.dblwr'
-rw-r----- 1 mysql mysql 12582912 Dec  4 17:51 '#ib_16384_1.dblwr'
drwxr-x--- 2 mysql mysql     4096 Dec  4 17:51 '#innodb_redo'
drwxr-x--- 2 mysql mysql     4096 Dec  4 17:51 '#innodb_temp'
-rw-r----- 1 mysql mysql       56 Dec  4 17:51  auto.cnf
-rw-r----- 1 mysql mysql  2984791 Dec  4 17:51  binlog.000001
-rw-r----- 1 mysql mysql      198 Dec  4 17:51  binlog.000002
-rw-r----- 1 mysql mysql       32 Dec  4 17:51  binlog.index
-rw------- 1 mysql mysql     1705 Dec  4 17:51  ca-key.pem
-rw-r--r-- 1 mysql mysql     1108 Dec  4 17:51  ca.pem
-rw-r--r-- 1 mysql mysql     1108 Dec  4 17:51  client-cert.pem
-rw------- 1 mysql mysql     1705 Dec  4 17:51  client-key.pem
-rw-r----- 1 mysql mysql     5710 Dec  4 17:51  ib_buffer_pool
-rw-r----- 1 mysql mysql 12582912 Dec  4 17:51  ibdata1
-rw-r----- 1 mysql mysql 12582912 Dec  4 17:51  ibtmp1
drwx------ 2 mysql root      4096 Dec  4 17:51  lost+found
drwxr-x--- 2 mysql mysql     4096 Dec  4 17:51  mysql
-rw-r----- 1 mysql mysql 32505856 Dec  4 17:51  mysql.ibd
lrwxrwxrwx 1 mysql mysql       27 Dec  4 17:51  mysql.sock -> /var/run/mysqld/mysqld.sock
-rw-r----- 1 mysql mysql      131 Dec  4 17:51  mysql_upgrade_history
drwxr-x--- 2 mysql mysql       60 Dec  4 17:51  mysqldb
-rw-r----- 1 mysql mysql     1768 Dec  4 17:51  mysqldb.err
drwxr-x--- 2 mysql mysql     4096 Dec  4 17:51  performance_schema
-rw------- 1 mysql mysql     1709 Dec  4 17:51  private_key.pem
-rw-r--r-- 1 mysql mysql      452 Dec  4 17:51  public_key.pem
-rw-r--r-- 1 mysql mysql     1108 Dec  4 17:51  server-cert.pem
-rw------- 1 mysql mysql     1709 Dec  4 17:51  server-key.pem
drwxr-x--- 2 mysql mysql       60 Dec  4 17:51  sys
-rw-r----- 1 mysql mysql 16777216 Dec  4 17:53  undo_001
-rw-r----- 1 mysql mysql 16777216 Dec  4 17:53  undo_002

[jglogan]

MySQL has this bit of code in its entrypoint: https://github.com/docker-library/mysql/blob/master/docker-entrypoint.sh#L210

PostgreSQL uses the same pattern: https://github.com/docker-library/postgres/blob/master/docker-entrypoint.sh#L59

MariaDB: https://github.com/MariaDB/mariadb-docker/blob/master/docker-entrypoint.sh#L210

The Percona entrypoint script for MySQL doesn't do this: https://github.com/percona/percona-docker/blob/main/percona-server-8.0/ps-entry.sh