Docker cp fails when the container is running with volume mount and read only root filesystem #43015

Open
orzlc opened this issue Nov 14, 2021 · 2 comments
Labels
area/api area/volumes kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. version/20.10

Comments

orzlc commented Nov 14, 2021

Docker version 20.10.10 API 1.41

Docker cp command fails when container runs with --read-only flag, parent folder is a symlink and the inner folder is mapped from a volume.

Reproduce steps:

  1. Create a dockerfile with a symlink in parent path, for example:

         FROM ubuntu:latest
         RUN ln -s /tmp /dir1

  2. Run a container of the image with the following flags:

         docker run -it --read-only -v /dir1/dir2 IMAGE

  3. Copy a file to the volume:

         docker cp FILE CONTAINER:/dir1/dir2
         Error response from daemon: container rootfs is marked read-only

Should be able to copy the files using docker cp command.
There are no issues with creating files in this directory when running from within the container, only copying from host fails.

kyrofa commented May 14, 2022

Just ran into this myself, still an issue.

@corhere corhere added area/api kind/bug Bugs are bugs. The cause may or may not be known at triage time so debugging may be needed. area/volumes version/20.10 labels Jul 5, 2022
@thaJeztah
Member

Discussing in the maintainers meeting; there was some discussion whether or not the symlink should be followed (as it should also be possible to copy a symlink into the container and vice-versa). In this case, it's not the last path element that is the symlink, so following the symlink makes sense (and should not be ambiguous).

Let me link to the related code path, in case someone is interested in working on this issue;

moby/daemon/archive.go

Lines 353 to 363 in 7b9275c

    // @ TODO: gupta-ak: Technically, this works since it no-ops
    // on Windows and the file system is local anyway on linux.
    // But eventually, it should be made driver aware.
    toVolume, err := checkIfPathIsInAVolume(container, absPath)
    if err != nil {
    	return err
    }
    if !toVolume && container.HostConfig.ReadonlyRootfs {
    	return ErrRootFSReadOnly
    }
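
The behaviour discussed in this thread, following symlinks in every path element except the last before testing whether a copy destination lies under a volume, sketched as an added example (not moby's code and not part of the thread). `resolveParents`, `inVolume` and the in-memory symlink map standing in for a container rootfs are hypothetical; resolution stays scoped to the container root and an unresolvable path is treated as outside any volume.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// resolveParents follows symlinks in every element of p except the last.
// l is a constructed stand-in for a container rootfs: symlink path -> target.
func resolveParents(l map[string]string, p string) (string, error) {
	dir, base := path.Split(path.Clean("/" + p))
	cur, parts := "/", strings.Split(strings.Trim(dir, "/"), "/")
	for hops := 0; len(parts) > 0; {
		next := path.Join(cur, parts[0]) // Join cleans "..", so "/" is never escaped
		parts = parts[1:]
		target, isLink := l[next]
		if !isLink {
			cur = next
			continue
		}
		if hops++; hops > 40 {
			return "", fmt.Errorf("too many levels of symbolic links: %s", p)
		}
		if path.IsAbs(target) {
			cur = "/" // absolute targets are taken relative to the container root
		}
		parts = append(strings.Split(strings.Trim(target, "/"), "/"), parts...)
	}
	return path.Join(cur, base), nil
}

// inVolume reports whether dst falls under a mount destination after resolving
// both sides; a path that cannot be resolved counts as outside (fail closed).
func inVolume(l map[string]string, mounts []string, dst string) bool {
	rd, err := resolveParents(l, dst)
	for _, m := range mounts {
		rm, merr := resolveParents(l, m)
		under := rd == rm || strings.HasPrefix(rd, strings.TrimSuffix(rm, "/")+"/")
		if err == nil && merr == nil && under {
			return true
		}
	}
	return false
}

func main() {
	l := map[string]string{"/dir1": "/tmp"} // constructed: the issue's ln -s /tmp /dir1
	fmt.Println(inVolume(l, []string{"/dir1/dir2"}, "/dir1/dir2/FILE"))
}
```

The prefix test appends a `/` to the resolved mount point so that a sibling such as `/tmp/dir22` is not mistaken for a path inside `/tmp/dir2`.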
