Docker Mount Access Permission Denied

While performing the ES upgrade from a Docker container on a Linux jumpbox, I ran into an odd problem on one region's jumpbox: the container could not read the bind-mounted folder and failed with a permission denied error. The cause turned out to be the SELinux setting of the Docker daemon on that host, not the file permissions.

For example, on that jumpbox:

# test is a folder in the host user's home that I want to mount
sudo docker run \
--rm \
-v ~/test:/test \
busybox sh \
-c "ls /test"

# got permission denied
ls: can't open '/test': Permission denied

First, verify that SELinux is in enforcing mode; you can check with:

getenforce
# Enforcing

Then I see that the Docker daemon itself has SELinux support enabled, which is why I get permission denied:

sudo docker info | grep Security -A5

Security Options:
seccomp
Profile: /etc/docker/seccomp.json
# the keyword below means SELinux support is enabled in the daemon
selinux
Kernel Version: 3.10.0-1062.12.1.el7.x86_64

On the other regions' jumpboxes SELinux is also in enforcing mode, but the Docker daemon does not have SELinux support enabled, so containers there run unconfined and I can still read and write the mounted folder. With SELinux enabled in the daemon, container processes run with the confined container_t type and may only touch files labelled container_file_t (older policies call it svirt_sandbox_file_t). A directory in a user's home is labelled user_home_t, which you can confirm on the host with ls -Zd ~/test, so the kernel denies the access regardless of the Unix permission bits.

Solutions:

  1. Set SELinux to permissive mode and mount as usual. This is a quick workaround only: it does not survive a reboot and it switches off enforcement for everything on the host, not just Docker.

sudo setenforce 0

  2. Mount with the z or Z label (see this question), which relabels the directory to a context the container is allowed to access.

From the official Docker documentation, Configure the selinux label:

# test is a folder in the host user's home that I want to mount
# append the Z and ro (read-only) options
# z: the mount content is shared among multiple containers
# Z: the mount content is private and unshared
# both relabel the host directory recursively, so never use them on a
# system directory such as /home or /usr
sudo docker run \
--rm \
-v ~/test:/test:Z,ro \
busybox sh \
-c "ls /test"
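To make the decision above repeatable, here is an added example script (not from the original post or from Docker) that checks whether the daemon lists selinux under Security Options, picks the z or Z option only when SELinux is actually in play, refuses to relabel a system or whole home directory, and builds the -v argument. The docker info excerpt and the /home/alice/test path are constructed samples standing in for the real commands' output.

```sh
#!/bin/sh
# Added example: choose and build a bind-mount spec for an SELinux-enabled
# Docker daemon. All inputs are constructed samples, not real host output.

# Succeeds when "selinux" is listed under "Security Options:" in `docker info`
# output read from stdin. Entries are indented deeper than the header, and the
# block ends at the first line indented the same as the header or less.
docker_selinux_enabled() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^ *Security Options:/ { insec = 1; base = indent($0); next }
    insec && indent($0) <= base { insec = 0 }
    insec && $1 == "selinux" { found = 1 }
    END { exit found ? 0 : 1 }
  '
}

# Prints the relabel option to append to the mount: "z" (shared between
# containers) or "Z" (private to this container). Prints nothing when SELinux
# is Disabled or when the daemon runs without SELinux support, because then the
# container is unconfined and no relabel is needed. Permissive mode still gets
# the option so the mount keeps working after `setenforce 1`.
# $1: getenforce output, $2: "yes"/"no" daemon support, $3: "shared"/"private"
relabel_option() {
  case "$1" in
    Enforcing|Permissive) ;;
    *) return 0 ;;
  esac
  [ "$2" = yes ] || return 0
  case "$3" in
    shared)  printf 'z' ;;
    private) printf 'Z' ;;
    *) printf 'unknown share mode: %s\n' "$3" >&2; return 2 ;;
  esac
}

# z/Z relabel every file under the path, so refuse system directories and a
# user's whole home directory; only absolute paths are accepted.
safe_to_relabel() {
  p=${1%/}
  case "$p" in
    ""|/|/bin|/boot|/dev|/etc|/home|/lib|/lib64|/opt|/proc|/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var)
      return 1 ;;
    /home/*/*) return 0 ;;   # a directory inside a user's home: fine
    /home/*)   return 1 ;;   # the whole home directory: not fine
    /*)        return 0 ;;
    *)         return 1 ;;   # relative paths are ambiguous, reject
  esac
}

# Builds the value for -v: host:container[:opts]
# $1 host path, $2 container path, $3 relabel option ("", z or Z), $4 "ro" or ""
bind_mount_spec() {
  spec="$1:$2"
  opts=""
  if [ -n "$3" ]; then
    safe_to_relabel "$1" || { printf 'refusing to relabel %s\n' "$1" >&2; return 1; }
    opts=$3
  fi
  if [ "$4" = ro ]; then
    opts="${opts:+$opts,}ro"
  fi
  printf '%s' "${spec}${opts:+:$opts}"
}

# Constructed `docker info` excerpt resembling the failing jumpbox (not real output)
SAMPLE_INFO=' Security Options:
  seccomp
   Profile: /etc/docker/seccomp.json
  selinux
 Kernel Version: 3.10.0-1062.12.1.el7.x86_64'

# Walks the whole decision for a private, read-only mount of a hypothetical path.
demo() {
  if printf '%s\n' "$SAMPLE_INFO" | docker_selinux_enabled; then sel=yes; else sel=no; fi
  opt=$(relabel_option Enforcing "$sel" private)
  bind_mount_spec /home/alice/test /test "$opt" ro
}

demo && echo
```

On a real host you would feed `sudo docker info` and `getenforce` into the two checks and pass the result straight to the run command, for example `sudo docker run --rm -v "$(bind_mount_spec ~/test /test Z ro)" busybox ls /test`. The safe_to_relabel guard is there because the relabel is not scoped to the container: it rewrites the SELinux context of every file under the host path, and doing that to /home or /usr breaks the host.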

Reference

Secure your containers with SELinux
