Skip to content

[BUG] watch tries to read ignored folders leading to permission denied #13750

Open
#13756
Open
[BUG] watch tries to read ignored folders leading to permission denied#13750
#13756
Labels
kind/bugstatus/0-triage
@lumbric

Description

@lumbric
lumbric
opened on Apr 20, 2026

Description

docker compose raises a permission denied error, if there is a folder in the watch path with insufficient permissions even if it is in the ignore list.

Steps To Reproduce

minimal docker-compose.yml:

services:
  app:
    image: alpine:latest
    command: ["sleep", "infinity"]

    volumes:
      - ./root-owned-dir:/data

    develop:
      watch:
        - action: sync
          path: ./
          target: /tmp
          ignore:
            - ./root-owned-dir/

Created root owned folder:

$ sudo mkdir -p root-owned-dir
$ sudo chmod 700 root-owned-dir

This works as expected:

$ docker compose up

But watch prints a permission denied error:

 $ docker compose up --watch    
[+] up 2/2
 ✔ Network watch-repro_default Created                                                                                                                                                                                                                   0.0s
 ✔ Container watch-repro-app-1 Created                                                                                                                                                                                                                   0.0s
notify.Add("/home/<SNIP>/watch-repro"): watcher.Add("/home/<SNIP>/watch-repro/root-owned-dir"): permission denied

root-owned-dir is in the ignore list, so I expect that it does not care about its permissions.

Compose Version

Docker Compose version v5.1.3

Docker Environment

Client: Docker Engine - Community
 Version:    29.4.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.33.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.1.3
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 1
  Running: 0
  Paused: 0
  Stopped: 1
 Images: 21
 Server Version: 29.4.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 77c84241c7cbdd9b4eca2591793e3d4f4317c590
 runc version: v1.3.5-0-g488fc13e
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-44-amd64
 Operating System: Neptune 8.2
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 46.35GiB
 Name: longy0201
 ID: 2b992073-edb2-48f1-b2c1-81e969c69a58
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables

Anything else?

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugstatus/0-triage

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions