D4win FAQs, troublehshooting for permissions on shared volumes (#3307)

* added detail re: permissions defaults on shared volumes

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>

* fixed note format

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>

* added more x-refs between faqs, troubleshooting, shared drives topic

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>

docker-for-windows/faqs.md

@@ -123,6 +123,20 @@ See also [Docker Engine API](/engine/api.md) and the Docker for Windows forums
 topic
 [How to find the remote API](https://forums.docker.com/t/how-to-find-the-remote-api/20988).
 
+### Can I change permissions on shared volumes for container-specific deployment requirements?
+
+No, at this point, Docker for Windows does not enable you to control (`chmod`)
+the Unix-style permissions on [shared
+volumes](/docker-for-windows/index.md#shared-drives) for deployed containers,
+but rather sets permissions to a default value of
+[0770](http://permissions-calculator.org/decode/0770/) (`read`, `write`,
+`execute` permissions for `user` and `group`, none for other) which is not
+configurable.
+
+For workarounds and to learn more, please see [Permissions errors on data
+directories for shared
+volumes](troubleshoot.md#permissions-errors-on-data-directories-for-shared-volumes).
+
 ### Why doesn't `nodemon` pick up file changes in a container mounted on a shared drive?
 
 Currently, `inotify` does not work on Docker for Windows. This is a known issue.

docker-for-windows/index.md

@@ -364,23 +364,33 @@ here. If you run `docker` commands and tasks under a different username than the
 one used here to set up sharing, your containers will not have permissions to
 access the mounted volumes.
 
-> **Tip**: Shared drives are only required for volume mounting
+> Tips on shared drives and permissions
+>
+> * Shared drives are only required for volume mounting
 > [Linux containers](#switch-between-windows-and-linux-containers), and not for
 > Windows containers. For Linux containers, you need to share the drive where
 > your project is located (i.e., where the Dockerfile and volume are located).
 > Runtime errors such as file not found or cannot start service may indicate
 > shared drives are needed. (See also
 > [Volume mounting requires shared drives for Linux containers](troubleshoot.md#volume-mounting-requires-shared-drives-for-linux-containers).)
+>
+> * You cannot control (`chmod`) permissions on shared volumes for deployed containers. Docker for Windows sets permissions to a default value of
+[0770](http://permissions-calculator.org/decode/0770/) (read, write, execute permissions for
+`user` and `group`, none for other). This is not configurable. See the
+troubleshooting topic [Permissions errors on data directories for shared
+volumes](troubleshoot.md#permissions-errors-on-data-directories-for-shared-volumes)
+for workarounds and more detail.
+>
+> * You can share local drives with your _containers_ but not with
+> Docker Machine nodes. See
+> [Can I share local drives and filesystem with my Docker Machine VMs?](faqs.md#can-i-share-local-drives-and-filesystem-with-my-docker-machine-vms)
+> in the FAQs.
+{: .note-vanilla}
 
 See also
 [Verify domain user has permissions for shared drives](troubleshoot.md#verify-domain-user-has-permissions-for-shared-drives-volumes)
 in Troubleshooting.
 
-> **Note**: You can share local drives with your _containers_ but not with
-> Docker Machine nodes. See
-> [Can I share local drives and filesystem with my Docker Machine VMs?](faqs.md#can-i-share-local-drives-and-filesystem-with-my-docker-machine-vms)
-> in the FAQs.
-
 #### Firewall rules for shared drives
 
 Shared drives require port 445 to be open between the host machine and the virtual

docker-for-windows/troubleshoot.md

@@ -46,6 +46,36 @@ can use in email or the forum to reference the upload.
 
 ## Troubleshooting
 
+### Permissions errors on data directories for shared volumes
+
+Docker for Windows sets permissions on [shared volumes](/docker-for-windows/index.md#shared-drives) to a default value of
+[0770](http://permissions-calculator.org/decode/0770/) (`read`, `write`,
+`execute` permissions for `user` and `group`, none for other). If you are
+working with applications that require permissions different than this default,
+you will likely get errors similar to the following.
+
+```
+Data directory (/var/www/html/data) is readable by other users. Please change the permissions to 0770 so that the directory cannot be listed by other users.
+```
+
+The default permissions on shared volumes are not configurable. If you are
+working with applications that require permissions different from the shared
+volume defaults at container runtime, you need to either use non-host-mounted
+volumes or find a way to make the applications work with the default file
+permissions.
+
+Docker for Windows currrently implements host-mounted volumes based on the
+[Microsoft SMB
+protocol](https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx),
+which does not support fine-grained, `chmod` control over these permissions.
+
+See also, [Can I change permissions on shared volumes for container-specific
+deployment
+requirements?](/docker-for-windows/faqs.md#can-i-change-permissions-on-shared-volumes-for-container-specific-deployment-requirements)
+in the FAQs, and for more of an explanation, the GitHub issue, [Controlling
+Unix-style perms on directories passed through from shared Windows
+drives](https://github.com/docker/docker.github.io/issues/3298).
+
 ### inotify on shared drives does not work
 
 Currently, `inotify` does not work on Docker for Windows. This will become