Comments (3)
I know this is a bit old, and you've probably already found an answer, but I figured I'd at least comment on it. From what I understand, SYS_ADMIN is the only capability required to perform mounts within containers. In newer kernels (specifically Ubuntu or variants with AppArmor) SYS_ADMIN is no longer sufficient to perform mounts and you either need --privileged or --security-opt apparmor:unconfined. Neither of those are great options as they basically open you up to privilege escalation exploits, but there's no other way to allow this aside from doing the same configuration in AppArmor itself.
In your case, consider the container as either running or not running. There is no in-between state. So if you do not want to grant the appropriate permissions within the container to perform the mounting (i.e. when the container is running), then what you're thinking of is performing the mount on the container's host (i.e. when the container is not running yet) and then doing a simple mapping of "a local directory" (i.e. the one you mounted locally on the container host that is being shared by an NFS) into your container's directory.
from docker-nfs-server.
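The comment above names the three settings that make an in-container NFS server work (--privileged, --security-opt apparmor:unconfined, or CAP_SYS_ADMIN) and the safer alternative (mount the export on the host, bind-mount the directory into an unprivileged container). The script below is an added example, not part of this thread or of docker-nfs-server: it audits the JSON that docker inspect prints and reports exactly those settings, plus bind mounts of host paths that would hand a container a foothold on the host. The three sample HostConfig documents are constructed for the example; the field names (HostConfig.Privileged, SecurityOpt, CapAdd, Binds) are the ones docker inspect emits.

```python
"""Audit `docker inspect` output for the settings an in-container NFS server
needs (--privileged, apparmor:unconfined, CAP_SYS_ADMIN) and for host-sensitive
bind mounts.  Added example with constructed samples; not docker-nfs-server code."""
import json
import sys

# Profiles whose removal takes mandatory access control or the syscall filter off.
UNCONFINED_OPTS = {"apparmor:unconfined", "apparmor=unconfined",
                   "seccomp:unconfined", "seccomp=unconfined"}
# Capabilities that grant mount(2) on the host kernel (ALL includes SYS_ADMIN).
MOUNT_CAPS = {"SYS_ADMIN", "CAP_SYS_ADMIN", "ALL"}
# Host paths that give a container a route onto the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock")


def _under(path, prefix):
    """True if path is prefix itself or lies beneath it ("/proc/fs" yes, "/process" no)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def audit_host_config(doc):
    """Return a list of findings for one docker-inspect document (empty = nothing flagged)."""
    hc = doc.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("Privileged: every capability, every host device, "
                        "AppArmor and seccomp profiles switched off")
    for opt in hc.get("SecurityOpt") or []:
        if opt.lower() in UNCONFINED_OPTS:
            findings.append(f"SecurityOpt {opt}: confinement profile disabled")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in MOUNT_CAPS:
            findings.append(f"CapAdd {cap}: mount(2) plus most of the kernel admin surface")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src == "/" or any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(f"Bind {bind}: host-sensitive path mapped into the container")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {doc.get("Name", "?"): audit_host_config(doc) for doc in json.loads(text)}


# Constructed samples shaped like docker-inspect HostConfig (not real containers).
NFS_SERVER_UNCONFINED = {                       # the "cap-add + apparmor:unconfined" route
    "Name": "/nfs-server",
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                   "SecurityOpt": ["apparmor:unconfined"],
                   "Binds": ["/srv/exports:/export:rw"]},
}
NFS_SERVER_PRIVILEGED = {                       # the "--privileged" route
    "Name": "/nfs-server-priv",
    "HostConfig": {"Privileged": True, "CapAdd": None, "SecurityOpt": None,
                   "Binds": ["/srv/exports:/export:rw"]},
}
HOST_MOUNTED_CLIENT = {                         # host mounted the NFS export; container sees a directory
    "Name": "/app",
    "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None,
                   "Binds": ["/mnt/nfs/shared:/data:ro"]},
}

if __name__ == "__main__":
    # Real use:  docker inspect $(docker ps -q) | python3 audit.py --stdin
    if "--stdin" in sys.argv:
        text = sys.stdin.read()
    else:
        text = json.dumps([NFS_SERVER_UNCONFINED, NFS_SERVER_PRIVILEGED, HOST_MOUNTED_CLIENT])
    for name, findings in audit_inspect_json(text).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed samples, the two NFS-server variants are flagged and the host-mounted client is clean; the "/process" guard in _under keeps prefix matching from flagging unrelated paths that merely share leading characters with /proc.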
Hello Ryan, it is an old issue, but I've not been able to prioritize and find a solution yet, so thank you for your help.
I have a rough understanding; see if I'm following correctly:
- What are all the mount points that require escalated permissions? I'm trying to identify all of them.
I commented out boot_main_mounts to prevent mounting in entrypoint.sh, since it looks like they should be mounted via fstab on boot. But it still will not run without --priv.
I also commented out init_runtime_assertions to prevent the --priv checks.
The script detects:
rpc.nfsd: Unable to access /proc/fs/nfsd errno 2 (No such file or directory).
Please try, as root, 'mount -t nfsd nfsd /proc/fs/nfsd' and then restart rpc.nfsd to correct the problem
So it appears the fstab commands are not working as intended.
Does fstab (on start) also need privs to handle its own filesystems? Or am I missing some other mount or action that requires priv?
Dockerfile:
echo "rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs defaults 0 0" >> /etc/fstab && \
echo "nfsd /proc/fs/nfsd nfsd defaults 0 0" >> /etc/fstab
entrypoint.sh
boot_main_mounts() {
# http://wiki.linux-nfs.org/wiki/index.php/Nfsv4_configuration
boot_helper_mount "$MOUNT_PATH_RPC_PIPEFS"
boot_helper_mount "$MOUNT_PATH_NFSD"
}
Translates to:
mount -t rpc_pipefs /var/lib/nfs/rpc_pipefs -vvv
mount -t nfsd /proc/fs/nfsd -vvv
How to mount those while the container is not running? Considering:
- Dockerfile (volume?) - offline, powered down (move mount and fstab to methods prior to booting)
- fstab - on boot, powering up
- entrypoint.sh mount - post boot, powered up
Modify the run command to map the paths mounted.
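The comment above boils down to two questions an entrypoint can answer before it ever calls mount(8): are the nfsd and rpc_pipefs filesystems from those fstab lines already mounted, and does the process hold CAP_SYS_ADMIN, the capability the first comment says mount needs? The preflight below is an added example, not docker-nfs-server's entrypoint.sh and not a replacement for its init_runtime_assertions; it parses /proc/self/mountinfo and the CapEff line of /proc/self/status, so it runs without privileges and never mounts anything. The mountinfo and status texts are constructed samples; the two capability masks are the ones Docker's default capability set (no SYS_ADMIN) and a --privileged container on a recent kernel produce.

```python
"""Entrypoint preflight for an in-container NFS server: are the kernel
filesystems from the fstab lines already mounted, and does this process hold
CAP_SYS_ADMIN to create them?  Added example; not docker-nfs-server code."""
import re

CAP_SYS_ADMIN = 21          # bit number from linux/capability.h

# Mount point -> filesystem type, as written in the thread's fstab lines.
REQUIRED_MOUNTS = {
    "/proc/fs/nfsd": "nfsd",
    "/var/lib/nfs/rpc_pipefs": "rpc_pipefs",
}


def parse_mountinfo(text):
    """Return {mount_point: fstype} from /proc/self/mountinfo content.
    Line layout: 'id parent maj:min root mount_point opts [optional tags] - fstype source superopts';
    the ' - ' separator ends the variable-length optional-tag list."""
    mounts = {}
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")
        fields = head.split()
        tail_fields = tail.split()
        if not sep or len(fields) < 6 or not tail_fields:
            continue
        mount_point = fields[4].replace("\\040", " ")   # mountinfo escapes spaces as \040
        mounts[mount_point] = tail_fields[0]
    return mounts


def cap_eff_from_status(text):
    """Extract the effective capability mask (hex) from /proc/self/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_cap(mask, bit):
    """True if capability number `bit` is set in the mask."""
    return (mask >> bit) & 1 == 1


def preflight(mountinfo_text, status_text):
    """Report which required mounts are missing and whether this process could create them."""
    mounts = parse_mountinfo(mountinfo_text)
    missing = [p for p, fstype in REQUIRED_MOUNTS.items() if mounts.get(p) != fstype]
    can_mount = has_cap(cap_eff_from_status(status_text), CAP_SYS_ADMIN)
    # Either everything is mounted already, or we can still mount it ourselves.
    return {"missing": missing, "can_mount": can_mount, "ok": not missing or can_mount}


# Constructed samples (not captured from a real container).
MOUNTINFO_BARE = (
    "22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "23 28 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro\n"
)
MOUNTINFO_READY = MOUNTINFO_BARE + (
    "37 22 0:36 / /proc/fs/nfsd rw,relatime - nfsd nfsd rw\n"
    "38 28 0:37 / /var/lib/nfs/rpc_pipefs rw,relatime shared:5 - rpc_pipefs sunrpc rw\n"
)
STATUS_DEFAULT_CAPS = "Name:\trpc.nfsd\nCapEff:\t00000000a80425fb\n"   # Docker default set: no SYS_ADMIN
STATUS_PRIVILEGED = "Name:\trpc.nfsd\nCapEff:\t000001ffffffffff\n"     # --privileged, recent kernel

if __name__ == "__main__":
    import sys
    # Live check inside a Linux container; the sample texts above show the offline shape.
    with open("/proc/self/mountinfo") as m, open("/proc/self/status") as s:
        report = preflight(m.read(), s.read())
    print(report)
    if not report["ok"]:
        sys.exit("missing %s and no CAP_SYS_ADMIN to mount them" % ", ".join(report["missing"]))
```

With the default Docker capability set and a bare /proc, the report says both mounts are missing and the process cannot create them, which is the situation behind the "Unable to access /proc/fs/nfsd" error; the same mountinfo with a --privileged mask reports ok because the entrypoint could still mount them itself.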
Hey, sorry for the delay, I've given up using this as it did not accomplish what I was originally intending. I was attempting to containerize my NFS and use it as a sort of CSI driver replacement. The issue I had was that the references to the nfs-server container that was hosting the NFS shares seemed to be unknown to the host (because Docker knows Docker DNS but the host itself doesn't), so all of the services/containers would fail to start citing a bad mount path. I have rolled the NFS back to the host level and just cut out all the permissions for the directories and opened them wide (nobody:nogroup and 777), then mounted the shares on my swarm nodes and changed the Docker Compose config to point to the shares (which are mounted identically on all hosts). This works well enough for me, and originally I was not wanting to do this because it seems like a giant security issue setting permissions in this way... but I was ignoring the fact that I would otherwise have a container running as user 0 with high privileges, so there was really not much of a trade-off.
To your questions though, I am not sure how to get around this limitation. It seems the problem is with the permissions required to use the nfs-kernel-server module. Something with permissions limitations imposed by Docker as a security measure that is unique to the way NFS and fstab mount stuff. I really didn't troubleshoot this any more after I ran into this issue and started looking at alternatives but my search kept turning up ones that required K8s and I don't run K8s so most of those were out of the question and by the time I got back to this I just decided to retry NFS (for a 3rd time) straight on the hosts.