Comments (2)
All good questions! I'll do my best to answer.
At which levels do I need the users to exist? Just inside the container, just inside the docker-host, or both?
You don't really need to create users anywhere; the container will happily serve files that are owned by a non-existent (from the container's perspective) user. The NFS server doesn't care if there's a matching user in /etc/password or otherwise. Whatever numeric IDs that the container sees for the files (ls -n) is what will be served up via NFS, and it's up to the NFS client to try to match the user ID to a local user.
Does that make sense?
do I need to run the container as a particular user?
I haven't tested running the container as a user other than root. It very well may be possible and I think I will experiment. But since you are required to run the container with CAP_SYS_ADMIN, running as a non-root user won't give you much added security. i.e. a non-root user granted CAP_SYS_ADMIN has lots of power compared to a "regular" user.
Normally on NFS, the nfs-server directory/file permissions would map 1-1 with the nfs-client permissions, so if uid=1000 has write access on the server then uid=1000 on the client would also have write access.
Just to be pedantic, what you described here is 100% accurate for NFSv3; the numeric IDs on the client and server are assumed to be of the same namespace. NFSv4 introduces the ability to use user ID mapping, which is a lot more flexible but also significantly harder to configure.
Hope that answers your questions for now? I'm going to close the issue but please feel free to continue the discussion or ask follow-ups.
from docker-nfs-server.
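The CAP_SYS_ADMIN point in the reply above can be verified from inside a running container by decoding the effective capability mask in /proc/<pid>/status. The following is an added example, not code from the docker-nfs-server project; the function name `audit_status` and the three sample status excerpts are constructed for illustration.

```python
import re

# Bit positions from <linux/capability.h>; only the ones this check names.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER",
    21: "CAP_SYS_ADMIN",
}
# Capabilities that let a process ignore file ownership and mode bits.
FILE_BYPASS = {"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER"}

# Constructed samples in the format of /proc/<pid>/status (other fields omitted).
ROOT_SYS_ADMIN = "Name:\tnfsd\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a82425fb\n"
NONROOT_SYS_ADMIN = "Name:\tnfsd\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000200000\n"
NONROOT_PLAIN = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"


def audit_status(status_text):
    """Decode effective UID and CapEff; judge privilege by capabilities, not UID alone."""
    uid_m = re.search(r"^Uid:\s+\d+\s+(\d+)", status_text, re.M)  # 2nd field = effective UID
    cap_m = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", status_text, re.M)
    if not uid_m or not cap_m:
        raise ValueError("Uid or CapEff line missing from status text")
    euid = int(uid_m.group(1))
    mask = int(cap_m.group(1), 16)
    held = {name for bit, name in CAP_NAMES.items() if (mask >> bit) & 1}
    sys_admin = "CAP_SYS_ADMIN" in held
    return {
        "euid": euid,
        "sys_admin": sys_admin,
        "file_bypass": sorted(held & FILE_BYPASS),
        # A non-root UID holding CAP_SYS_ADMIN is still treated as highly privileged.
        "highly_privileged": euid == 0 or sys_admin,
    }


if __name__ == "__main__":
    # On Linux, audit the current process; run this inside the container.
    with open("/proc/self/status") as fh:
        print(audit_status(fh.read()))
```
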
Yes, that all makes sense. Thank you very much. I guess I was more concerned about writing back to the server, if (since the container is running as root) that would affect the permissions on files created by the nfs-client. If it 'just works' as a pass-through and the files are made with the permissions from the client side then that's great. It may be a lack of understanding on my part of the finer details of NFS in general.