Docker Rclone permission denied mounting

What is the problem you are having with rclone?

Unable to use docker rclone to mount anything. I always get permission denied even as root with privileged containers. I tried with root and user. I confirmed FUSE is on my system. I have GNOME with Ubuntu so I believe it's fuse3, I think, not sure.

I confirmed the credentials for GCP are correct as I am able to ls the bucket contents just fine. I just can't mount.
Here is my docker compose

services:

  rclone:
    image: rclone/rclone:latest 
    container_name: rclone
    restart: no
    tty: true
    stdin_open: true
    privileged: true # this didn't do anything for me
    user: 1000:1000 # also tried without this as root 
    environment:
      RCLONE_GCS_SERVICE_ACCOUNT_CREDENTIALS: $RCLONE_GCS_SERVICE_ACCOUNT_CREDENTIALS
    entrypoint:
    - /bin/sh
    - -c
    command:
    - tail -f /dev/null
    volumes:
    - ./config:/config/rclone:Z
    - ./data:/data:shared
    - /etc/fuse.conf:/etc/fuse.conf:ro
    - /etc/passwd:/etc/passwd:ro
    - /etc/group:/etc/group:ro
    devices:
    - /dev/fuse:/dev/fuse:rwm
    security_opt:
    - apparmor:unconfined
    cap_add:
    - SYS_ADMIN

Here is my fuse conf

# The file /etc/fuse.conf allows for the following parameters:
#
# user_allow_other - Using the allow_other mount option works fine as root, in
# order to have it work as user you need user_allow_other in /etc/fuse.conf as
# well. (This option allows users to use the allow_other option.) You need
# allow_other if you want users other than the owner to access a mounted fuse.
# This option must appear on a line by itself. There is no value, just the
# presence of the option.

user_allow_other


# mount_max = n - this option sets the maximum number of mounts.
# Currently (2014) it must be typed exactly as shown
# (with a single space before and after the equals sign).

#mount_max = 1000

What can I possibly be missing? I followed the docs exactly.

Run the command 'rclone version' and share the full output of the command.

- os/version: alpine 3.22.0 (64 bit)
- os/kernel: 6.14.0-24-generic (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.24.5
- go/linking: static
- go/tags: none

Host OS: Ubuntu 25

Which cloud storage system are you using? (eg Google Drive)

GCS

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone mount gcs:my-cool-bucket ./backups --allow-other --vfs-cache-mode full --cache-dir=/data/cache1

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[gcs]
type = google cloud storage
project_number = XXX
location = us-west3
storage_class = NEARLINE
env_auth = true

A log from the command that you were trying to run with the -vv flag

2025/07/31 14:51:03 DEBUG : Setting --gcs-service-account-credentials "...my gcp sa key file content..."
2025/07/31 14:51:03 DEBUG : rclone: Version "v1.70.3" starting with parameters ["rclone" "mount" "gcs:my-cool-bucket" "./backups" "--allow-other" "--vfs-cache-mode" "full" "--cache-dir=/data/cache1" "-vv"]
2025/07/31 14:51:03 DEBUG : Creating backend with remote "gcs:my-cool-bucket"
2025/07/31 14:51:03 DEBUG : Using config file from "/config/rclone/rclone.conf"
2025/07/31 14:51:03 DEBUG : gcs: detected overridden config - adding "{Ja9Yn}" suffix to name
2025/07/31 14:51:03 DEBUG : fs cache: renaming cache item "gcs:my-cool-bucket" to be canonical "gcs{Ja9Yn}:my-cool-bucket"
2025/07/31 14:51:03 INFO  : GCS bucket my-cool-bucket: poll-interval is not supported by this remote
2025/07/31 14:51:03 DEBUG : GCS bucket my-cool-bucket: vfs cache: root is "/data/cache1"
2025/07/31 14:51:03 DEBUG : GCS bucket my-cool-bucket: vfs cache: data root is "/data/cache1/vfs/gcs{Ja9Yn}/my-cool-bucket"
2025/07/31 14:51:03 DEBUG : GCS bucket my-cool-bucket: vfs cache: metadata root is "/data/cache1/vfsMeta/gcs{Ja9Yn}/my-cool-bucket"
2025/07/31 14:51:03 DEBUG : Creating backend with remote ":local,encoding='Slash,Dot',links=false:/data/cache1/vfs/gcs{Ja9Yn}/my-cool-bucket"
2025/07/31 14:51:03 DEBUG : :local: detected overridden config - adding "{8un-i}" suffix to name
2025/07/31 14:51:03 DEBUG : fs cache: renaming cache item ":local,encoding='Slash,Dot',links=false:/data/cache1/vfs/gcs{Ja9Yn}/my-cool-bucket" to be canonical ":local{8un-i}:/data/cache1/vfs/gcs{Ja9Yn}/my-cool-bucket"
2025/07/31 14:51:03 DEBUG : Creating backend with remote ":local,encoding='Slash,Dot',links=false:/data/cache1/vfsMeta/gcs{Ja9Yn}/my-cool-bucket"
2025/07/31 14:51:03 DEBUG : :local: detected overridden config - adding "{8un-i}" suffix to name
2025/07/31 14:51:03 DEBUG : fs cache: renaming cache item ":local,encoding='Slash,Dot',links=false:/data/cache1/vfsMeta/gcs{Ja9Yn}/my-cool-bucket" to be canonical ":local{8un-i}:/data/cache1/vfsMeta/gcs{Ja9Yn}/my-cool-bucket"
2025/07/31 14:51:03 INFO  : GCS bucket my-cool-bucket: vfs cache: cleaned: objects 0 (was 0) in use 0, to upload 0, uploading 0, total size 0 (was 0)
2025/07/31 14:51:03 DEBUG : GCS bucket my-cool-bucket: Mounting on "./backups"
2025/07/31 14:51:03 NOTICE: mount helper error: fusermount3: mount failed: Permission denied
2025/07/31 14:51:03 CRITICAL: Fatal error: failed to mount FUSE fs: fusermount: exit status 1

welcome to the forum,

from inside the docker container or direct on the command line?


make sure rclone mount works on the command line, without using docker.

I do not have rclone installed locally. My goal with the docker container was to not have to have it installed locally.

Yes, the ls command that is working was from within the container. I can confirm rclone is all working within the container just fine except for mounting.

I have fought with that mount command many times before. Sigh, it's always the mount. And every time I'm on a different machine. Last time was for Windows, before that Mac, once in Kubernetes. This time it's Docker + Ubuntu.

Any idea how I can further debug this?

What's the path there for ./backup? Seems like the user trying to mount it doesn't have permissions to that directory.

The path in the container is /data/backups. I ran mkdir from within the container as user 1000:1000 and as root. So in one test the backups was owned by root and another it was owned by 1000. I get permission denied either way. I also tried mounting within the container to /data/backups when /data was not mounted to the host as 1000 and root as well.

I am curious about who rclone is running as. When I ran the container with no settings at all, the /etc/passwd had an rclone user with an id like 1009. Then the docs tell me to mount my own /etc/passwd from the host, i.e. /etc/passwd:/etc/passwd:ro in the volumes. I do not have this user on the host machine. Is this potentially the issue?

Kind of sounds like others who got this working also had rclone installed on the host.

How would I go about making that user? Any docs on the requirements there? It is 1009 for the id right?

Can you use the full path and get some output?

mkdir /data/backups
in the mount use /data/backups

stat /data/backup and see what permissions are set on it.

I ran with full path and still permission denied.

Here is the stat output:

$ stat /data/backups
  File: /data/backups
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 10302h/66306d   Inode: 32783476    Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2025-07-31 14:36:01.882647897 +0000
Modify: 2025-07-31 14:36:00.762613637 +0000
Change: 2025-07-31 14:36:00.762613637 +0000

And whoami says I'm root and the container is run with privileged.

And for sure I have permission to read

$ rclone ls gcs:backups.mydomain.com
    37490 2993667_ubuntu_icon.png

I am still very suspicious of this user I see in /etc/passwd from the base image of rclone. Does rclone ever require this user?

rclone:x:1009:1009::/home/rclone:/bin/sh

I'd surmise another user is mounting it if I had to guess. I'm not sure as I am not very familiar with how the docker was built.

Since go is missing write, you could try to chmod 777 /data/backup and then mount to 'force' it. Once it's mounted, you can see what user is running rclone.
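
The facts this thread asks for one at a time (effective uid and its passwd entry, access to /dev/fuse, mount point owner and mode, user_allow_other in fuse.conf), gathered by one script to run inside the container. This is an added example, not part of any post above and not rclone's own tooling; the function names are hypothetical and the default paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example: fact-gathering before `rclone mount` inside a container.
# File and device paths are parameters; defaults are the paths used in the thread.

# True if FILE has an uncommented line consisting only of user_allow_other.
fuse_conf_allows_other() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1" 2>/dev/null
}

# Per the fuse.conf comment: root may always pass allow_other, any other uid
# needs user_allow_other to be set.
allow_other_permitted() {  # UID FUSE_CONF
    [ "$1" -eq 0 ] || fuse_conf_allows_other "$2"
}

# Print the login name that passwd-format FILE gives for UID; fail if none.
name_for_uid() {  # UID FILE
    awk -F: -v uid="$1" '$3 == uid { print $1; found = 1; exit }
                         END { exit !found }' "$2"
}

# Print "uid gid octal-mode" for PATH (GNU and BusyBox stat both accept -c).
owner_and_mode() { stat -c '%u %g %a' "$1"; }

rw_char_device() { [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]; }
writable_dir()   { [ -d "$1" ] && [ -w "$1" ]; }

# Run CMD, print ok/FAIL with MESSAGE, count failures in pf_fail.
pf_try() {  # MESSAGE CMD...
    pf_msg=$1; shift
    if "$@"; then echo "ok    $pf_msg"
    else echo "FAIL  $pf_msg"; pf_fail=$((pf_fail + 1)); fi
}

# Print one line per check and return the number of failed checks.
preflight() {  # MOUNTPOINT [FUSE_CONF] [PASSWD] [FUSE_DEV]
    pf_conf=${2:-/etc/fuse.conf}; pf_pw=${3:-/etc/passwd}; pf_dev=${4:-/dev/fuse}
    pf_uid=$(id -u); pf_fail=0
    pf_name=$(name_for_uid "$pf_uid" "$pf_pw") || pf_name='<no entry>'
    echo "info  uid $pf_uid, name in $pf_pw: $pf_name"
    echo "info  $1 owner/mode: $(owner_and_mode "$1" 2>/dev/null || echo missing)"
    pf_try "$pf_dev is a character device this uid can read and write" rw_char_device "$pf_dev"
    pf_try "$1 is a directory this uid can write to" writable_dir "$1"
    pf_try "--allow-other is permitted for uid $pf_uid by $pf_conf" allow_other_permitted "$pf_uid" "$pf_conf"
    return "$pf_fail"
}

# Stand-alone use: sh preflight.sh /data/backups
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it once as root and once with the `user: 1000:1000` setting so the two reports can be compared line by line.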
