I have the following prerequisites. The docker.service and containerd.service do not specify User= or Group=, so both must be running as root.

My docker-compose file doesn't specify user, and I am logged in as root. I have this docker service definition:

  mongo:
    image: mongodb/mongodb-community-server:5.0.7-ubuntu2004
    ports:
      - 27017:27017
    restart: 'unless-stopped'
    volumes:
      - type: bind
        source: ./mongo_volume
        target: /data/db

And the docker container exits with this error:

mongo Attempted to create a lock file on  a read-only directory: /data/db

Now, user mongo does not exist on the host, although it is the user that runs tasks inside the container. If I chmod go+w ./mongo_volume, then it works.

My question is: do I have to make the volume folder writeable by all on the host? I would prefer to restrict permissions as much as possible, ie give only one user access to the folder. How do I do that?

Found the solution. The user owning the process is messagebus, not root. So, chown'ing the volume folder to messagebus allowed me to run the service without making the volume writeable by all.