
My use case is a transcode farm that reads inputs from a Samba share and writes them to another.

Using mount.cifs in Docker requires both SYS_ADMIN and DAC_READ_SEARCH capabilities. I am able to use two hosts and run smbd on one host, and mount its share on another host. (Both smbd and mount are run inside containers, just on different hosts.)

However, I cannot, using the same mount command, mount the Samba share on the host with the container that's running smbd.

EDIT: It works on Docker Desktop but fails on a Linux host (with the same Docker Engine server version).

TL;DR the following Docker Compose fails UNLESS I give it privileged access.

Environments: working on Docker for Mac; not working on bare-metal Linux (Ubuntu 18.04.4, 4.15.0-91-generic, Docker 19.03.8, containerd 1.2.13); not working on Hyper-V-virtualized Linux (Ubuntu 19.04, 5.0.0-38-generic, Docker 19.03.6, containerd 1.2.13).

version: '3.4'

services:
  samba:
    image: dperson/samba
    environment:
      TZ: 'EST5EDT'
    networks:
      - default
    ports:
      - "137/udp"
      - "138/udp"
      - "139/tcp"
      - "445/tcp"
    tmpfs:
      - /tmp
    restart: unless-stopped
    stdin_open: true
    tty: true
    volumes:
      - /samba-data
    command: '/bin/bash -c "touch /samba-data/file.txt && samba.sh -s \"data;/samba-data\" -u \"bob;bob\" -p"'
  mounter:
    image: ubuntu
    command: '/bin/bash -c "apt update && apt install -y cifs-utils && mkdir /samba-data && mount -v -o username=bob,password=bob,vers=3.0,ro,port=445 //samba/data /samba-data"'
    tty: true
#   privileged: true
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
networks:
  default:

My questions:

  1. Why is privileged required when running on the same Docker host?
  2. Can I make it more restrictive (by giving it only what it needs)?
Shane Hsu
  • just realized that the downvoter might be thinking that this belongs to ServerFault. hmm.. should it? – Shane Hsu Mar 21 '20 at 16:08

1 Answer


Is there anything in your use case requiring the mount to be done inside the container? How about letting Docker handle the mount?

In your example, you are starting a container to expose a Samba share, and another one to read from it. How about simply binding both containers to the same Docker volume (i.e. define a named volume at the top level of your docker-compose, and use it in both services)? That's the usual way to share a mount between containers, and this doesn't require privileges or open ports. See this SO answer for example.

If this "shared folder" must be CIFS (because in real life it's not a Samba container, but a Windows server?), you can define the volume with a volume-driver parameter pointing to a Docker volume plugin which supports CIFS, such as this one or this other one. Your "mounter" container would start with the CIFS share already mounted. No need to mount from inside the container, hence no need for a privileged container or extended caps.

lbndev
  • I’m hoping to orchestrate this through container orchestration software. But I am open to using a volume driver as Microsoft has an SMB plugin for K8s. It works in Docker for Mac and Windows but not bare-metal Ubuntu server, I guess I just want to know why. Thanks for the suggestion though :) – Shane Hsu Mar 27 '20 at 04:30
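The two alternatives the answer describes, as one added Compose file that is not part of the question, the answer, or any project they mention: a plain named volume shared by a writer and a reader service, and a CIFS share mounted by the Docker daemon itself through the built-in `local` volume driver with `type: cifs` (the daemon's own mount path, used here in place of the third-party plugins the answer links). Neither service needs `privileged`, `cap_add`, or published ports. The service names, the `sleep infinity` commands, and the SERVER, SHARE, USER and PASSWORD values are placeholders chosen for this example.

```yaml
version: '3.4'

services:
  producer:
    image: ubuntu
    # Writes into the shared named volume; no capabilities needed.
    command: '/bin/bash -c "touch /shared-data/file.txt && sleep infinity"'
    volumes:
      - shared-data:/shared-data

  transcoder:
    image: ubuntu
    # Reads the same named volume read-only, plus the CIFS share that the
    # daemon mounted before the container started; still unprivileged.
    command: '/bin/bash -c "ls -l /shared-data /windows-share && sleep infinity"'
    volumes:
      - shared-data:/shared-data:ro
      - windows-share:/windows-share:ro

volumes:
  # Plain named volume managed by Docker and attached to both services.
  shared-data:

  # CIFS share mounted by the Docker daemon (local driver, type cifs).
  # SERVER, SHARE, USER and PASSWORD are placeholders, not real values.
  windows-share:
    driver: local
    driver_opts:
      type: cifs
      device: "//SERVER/SHARE"
      o: "addr=SERVER,username=USER,password=PASSWORD,vers=3.0,ro"
```

Because the mount is performed by the daemon on the host, the containers keep the default capability set and seccomp/AppArmor confinement. One caveat worth checking before adopting this: `driver_opts`, including the password, are stored by the daemon and shown by `docker volume inspect` to anyone who can reach the Docker socket, so treat access to that socket as equivalent to holding the share credentials.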