Unable to mount cifs filesystem in Docker container

Question

I'm on Docker 17.06.0-ce and I'm attempting to mount a CIFS share in a container and only having some luck. If I use --privileged, it works, but that's not desirable for me. I've tried using --cap-add as well as suggested in this answer (even trying with --cap-add ALL with no success.

The same mount command works fine on the host system as well.

Here's a simple docker file I've tried playing with

FROM alpine:latest
RUN apk add --no-cache cifs-utils

Run with many different permutations, all with the same result below:

Works: docker run --rm -it --privileged cifs-test /bin/sh

Doesn't Work: docker run --rm -it --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH cifs-test /bin/sh

Doesn't Work: docker run --rm -it --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH --cap-add NET_ADMIN cifs-test /bin/sh

Doesn't Work: docker run --rm -it --cap-add ALL cifs-test /bin/sh

And the command:

mkdir /test && mount.cifs //myserver/testpath /test -o user=auser,password=somepass,domain=mydomain

And the result from each run command above except the first:

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Has something changed in Docker that requires --privileged all the time for these types of mounts now? Or is there something else I'm missing?

Answer 1

I started using docker-volume-netshare so far with good success. There are some minor problems, like volumes created with docker volume create not being persistent, but nevertheless it looks like this volume driver is quite usable. One advantage is that special caps/privileged mode are not necessary. Here are some hints on how to use it.

Install (Ubuntu/Debian)

$ curl -L -o /tmp/docker-volume-netshare_0.34_amd64.deb https://github.com/ContainX/docker-volume-netshare/releases/download/v0.34/docker-volume-netshare_0.34_amd64.deb
$ sudo dpkg -i /tmp/docker-volume-netshare_0.34_amd64.deb
$ rm /tmp/docker-volume-netshare_0.34_amd64.deb

Configure

$ sudo vi /etc/default/docker-volume-netshare

enter as single setting

DKV_NETSHARE_OPTS="cifs --netrc=/root/"

then

$ sudo vi /root/.netrc

enter the following settings per host:

machine <host>
  username <user>
  password <password>
  domain <domain>

Note that <host> must be a host name or an IP address followed by a colon (e.g. 10.20.30.4:)

Enable the volume driver as a systemd service

Note: if your OS does not support systemd, another method to install it as a service is necessary.

$ sudo systemctl enable docker-volume-netshare

Use a volume in docker run and docker service create

$ sudo docker run -it --rm --mount type=volume,volume-driver=cifs,source=<myvol>,destination=<absolute-path-in-container>,volume-opt=share=<ip>:/<share> ubuntu:zesty bash
$ sudo docker service create --name <name> --mount type=volume,volume-driver=cifs,source=<myvol>,destination=<absolute-path-in-container>,volume-opt=share=<host>/<share> <image>

Obviously it is not necessary to use the identical volume in multiple containers, because the volumes only map to a cifs share which in turn is shared among containers mounting it. As mentioned above, don't use docker volume create with this volume driver, as volumes are lost as soon as docker-volume-netshare is stopped and/or restarted (and hence on reboot).

Get help

$ docker-volume-netshare --help
$ docker-volume-netshare cifs --help

Logs

Hint: for debugging use DKV_NETSHARE_OPTS="cifs --netrc=/root/ --verbose" in /etc/default/docker-volume-netshare or stop the service and start docker-volume-netshare cifs --netrc=/root/ --verbose in a shell)

$ dmesg | tail
$ tail -50 /var/log/docker-volume-netshare.log

Resources

• github
• project