Understanding and Resolving Docker for Mac File Mount Path Issues

Keywords: Docker for Mac | File Mounting | macOS Path Resolution

Abstract: This article provides an in-depth analysis of the 'Mounts denied' error encountered when using Docker on macOS systems. It explains Docker for Mac's file system sharing mechanism, including default shared paths, symbolic link handling, and path mapping between the Linux VM and macOS host. Through concrete examples, it demonstrates how to properly configure file sharing paths and offers cross-platform compatibility recommendations to help developers effectively resolve container mounting problems.

Problem Background and Error Analysis

When executing the docker run -v /var/folders/zz/... command on macOS systems, the following error message frequently appears:

docker: Error response from daemon: Mounts denied: 
The paths /var/folders/zz/... and /var/folders/zz/...
are not shared from OS X and are not known to Docker.
You can configure shared paths from Docker -> Preferences... -> File Sharing.

This error indicates that Docker cannot recognize or access the specified mount path. Even though /private is already listed in Docker's file sharing settings, attempting to add /var/folders is rejected because the system resolves it as a subdirectory of /private/var/folders.

Docker for Mac File System Architecture

Docker for Mac exhibits significant differences in volume mount behavior compared to standard Docker systems, primarily to comply with Apple's file system sandbox guidelines. Docker for Mac runs within a Moby Linux-based virtual machine, where all containers execute, necessitating specific path mapping mechanisms for file mounting.

By default, macOS only exports the following paths for Docker use:

/Users
/Volumes
/tmp
/private

These paths are explicitly listed in Docker Desktop's File Sharing preferences panel, where users can add or remove shared directories through the interface.

macOS File System Symbolic Link Resolution

In macOS, /var and /tmp are actually symbolic links pointing to corresponding locations under the /private directory:

$ ls -ld /tmp /var
lrwxr-xr-x@ 1 root  wheel  11 Jan 26 16:18 /tmp -> private/tmp
lrwxr-xr-x@ 1 root  wheel  11 Jan 26 16:18 /var -> private/var

This explains why /tmp is separately listed in the file sharing panel while /var is not—despite both being part of /private. Docker's design choices reflect special handling of commonly used paths.

Path Resolution and Mount Failure Mechanism

According to Docker for Mac's official documentation on filesystem namespaces, when executing -v bind mounts, the system checks path availability in the following order:

First checks macOS filesystem export paths
If no match found, checks paths in the Linux VM running Docker
If neither contains the path, the mount operation fails

In the specific case encountered by users:

/var is not exported by macOS
The Linux VM contains /var but lacks the /var/folders subdirectory
Therefore, the path is unavailable, causing mount failure

Solutions and Best Practices

To resolve this issue, change the mount path to /private/var, since macOS exports the entire /private filesystem tree for mounting. For example:

docker run -v /private/var/folders/zz/...:/container/path image_name

To ensure cross-platform compatibility, it's recommended to add platform detection logic in scripts. Here's a Python example demonstrating how to automatically adjust mount paths based on the operating system:

import platform
import subprocess

def get_mount_path(path):
    """Return correct mount path based on operating system"""
    if platform.system() == 'Darwin':  # macOS
        # Convert /var to /private/var
        if path.startswith('/var/'):
            return '/private' + path
    return path

# Example usage
original_path = '/var/folders/zz/zyxv8yvx5wq...'
mount_path = get_mount_path(original_path)
cmd = ['docker', 'run', '-v', f'{mount_path}:/container/path', 'your_image']
subprocess.run(cmd)

This approach ensures consistent behavior across macOS and other Linux systems, avoiding compatibility issues caused by hardcoded paths.

Deep Understanding of Docker Desktop Virtualization Architecture

Docker Desktop operates within a dedicated virtual machine, an architecture that dictates the特殊性 of file sharing. When binding mount host folders, the path must first be shared with the virtual machine. This explains why explicit configuration of file sharing paths in Docker Desktop settings is necessary.

It's important to note that this mechanism fundamentally differs from remote Docker deployments. In cloud-hosted environments, Docker containers run on remote servers and cannot directly mount files from local workstations. In such cases, file transfer must be accomplished through alternative means (such as scp, rsync, or cloud storage).

Practical Application Scenarios and Considerations

When developing machine learning projects (like the referenced TensorFlow CleverHans example), proper handling of file mounts is crucial. These projects often require access to specific system directories for storing temporary files or cache data.

Key considerations include:

Always verify path availability in the target environment
Account for path differences across operating systems in CI/CD pipelines
Avoid assuming specific host path structures in Dockerfiles
Use environment variables or configuration files to manage path dependencies

By following these best practices, developers can build more robust and portable containerized applications, reducing runtime errors caused by filesystem differences.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.