Best Method to Mount a Windows Share within a Container #1252
Comments
I believe this is SELinux blocking the access. Could you check for AVC messages? You could either disable SELinux within docker (although I would prefer you to play with podman) or mount your cifs share with --context="system_u:object_r:container_file_t:s0"
Really appreciate the reply - thanks! I've got a few questions, please... Host Rebuild Disable SELinux podman CIFS Parameters
Thanks again as I really appreciate your reply!
I cringe when I see the Docker word so often. I think you want to say on your container host...
I would recommend you look at Fedora CoreOS (replacement for Atomic) or at SilverBlue if this is a workstation you want to log in to.
SELinux is the only protection your file system has against container breakout, so disabling it makes your system a lot more at risk. If you have existing containers running with volume mounts, you might need to do some relabeling. Adding :Z or :z on your volume mounts should fix most of the issues you see, although be careful when mounting in large shared directories like your homedir. In those cases it is best to run with SELinux separation disabled. I would look at replacing docker commands with podman wherever possible. Also suggest running some of your containers as non-root using podman.
I would put it in the fstab with something like this:
//myserver/files$ /filestest cifs iocharset=utf8,credentials=/.smbcredentials,file_mode=0777,dir_mode=0777,context="system_u:object_r:container_file_t:s0" 0 0
See if it works.
Ha - apologies, and actually glad you brought it up as, although I am somewhat new to "container technology" :), I don't want to sound like an idiot.

Thanks. I do most of my work over SSH so will try out CoreOS. I haven't heard of SilverBlue, but will check it out first.

As for disabling SELinux, most of my containers do have volume mounts, but all were initially made with ":z" as I found early on that I had to use it in order for many of them to have read/write access to the mounted paths. Also, the host is in my home lab where I am the only local user. The only outside access would be via the web where my reverse proxy is redirecting a WebUI hosted in a container. Even then, I apply a 3rd party SSL cert to it plus dual authentication.

I'll give podman a shot assuming it is supported on the container host OS I choose, plus add all containers as non-root unless I cannot get it to work otherwise.

Finally, as you know, my main concern was the ability for a few containers to have full access to Windows shares. I'll try the CIFS string you suggested shortly and relay the results. The container I plan to initially test this on was already added with the parameter "--cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH". Is that or any other needed for the string to work?

Thanks again for your assistance and suggestions. I've posted everywhere about this and you are the only one who's helped at all.
Update
I got the above error again. Going to try adding "--privileged". Thanks
Update 2
Only one issue remaining if you don't mind. I obviously used apt-get to install cifs-utils into the container I was testing with. The issue is that I have a couple of other containers which I want to mount Windows shares, but they do not have apt-get or yum and seemingly rely on pip for installations which to my knowledge cannot install cifs-utils. Any suggestions for how to overcome that? If I can get it working, I'll be golden. Thanks again!
So you are actually executing the mount from within the container? That is an unusual practice; the standard is to mount the shares on the host, and then volume mount them into the container. That is why I was suggesting that you mount the share with the label I suggested. Then you could just run containers off of the volume.
podman run -v /PATHTOSHARE:/PATHTOSHARE ...
Running your containers --privileged to allow them to mount content feels wrong.
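The host-side approach from the reply above (label the CIFS mount with context= in fstab, then bind-mount it with -v), as an added example that is not part of the thread: a POSIX shell audit that flags CIFS entries lacking the container_file_t label and prints the podman volume argument for those that have it. The function names, `//myserver/media$` and `/media` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit fstab-style lines for CIFS mounts
# that lack the SELinux context= label, and print podman -v arguments for the
# ones that have it. //myserver/media$ and /media are constructed sample values.
LABEL='system_u:object_r:container_file_t:s0'   # label quoted in the thread

# Prints "skip", "ok <mountpoint>" or "unlabeled <mountpoint>" for one line.
audit_cifs_line() {
    case $1 in ''|'#'*) echo skip; return 0 ;; esac
    set -f; set -- $1; set +f            # split the fstab fields on whitespace
    [ "$3" = cifs ] || { echo skip; return 0; }
    mnt=$2 opts=$4
    old_ifs=$IFS; IFS=,                  # mount options are comma-separated
    set -f; set -- $opts; set +f
    IFS=$old_ifs
    for opt in "$@"; do                  # accept the label with or without quotes
        case $opt in
            "context=$LABEL"|"context=\"$LABEL\"") echo "ok $mnt"; return 0 ;;
        esac
    done
    echo "unlabeled $mnt"
}

# Reads an fstab-style file; returns 1 if any CIFS entry is unlabeled.
volume_args() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        result=$(audit_cifs_line "$line")
        case $result in
            ok\ *)        printf '%s\n' "-v ${result#ok }:${result#ok }" ;;
            unlabeled\ *) echo "missing context= on ${result#unlabeled }" >&2; rc=1 ;;
        esac
    done <"$1"
    return $rc
}

sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sample entries
//myserver/files$ /filestest cifs iocharset=utf8,credentials=/.smbcredentials,context="system_u:object_r:container_file_t:s0" 0 0
//myserver/media$ /media cifs credentials=/.smbcredentials,file_mode=0777,dir_mode=0777 0 0
/dev/sda1 / xfs defaults 0 0
EOF
volume_args "$sample" || echo "audit: at least one CIFS mount has no container_file_t context"
rm -f "$sample"
```

The printed `-v` arguments carry no `:z`/`:Z` suffix because the label is supplied at mount time, matching the `podman run -v` form in the reply.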
Just found this thread and have a few not-so-quick questions that are related to getting a conan-exiles server docker container to run properly and show up in game/steam, which never works. As an aside, I'd also like to be able to easily copy server folders to and from the container for backup purposes, which is the purpose of this question. Rhatdan stated that to mount from within the container is an unusual practice and to mount the shares on the host and then volume mount them into the container. Being very new to docker, how would you go about this? On my CentOS7 cli only server with docker and docker compose installed I'd like all docker containers to access my samba share [from my QNAP NAS]:
Also, I can ping the container IP address from within my linux server and can ping my linux server from my PC but both devices are on different networks (server is local network is 192.168.2.201 and the other is 172.18.0.something). When I start the container with docker-compose up from within the correct folder on the linux server the container appears to run referencing file paths and it seems to log events as a normal dedicated server should. It also seems to be able to update the game from within the container indicating that it has internet access through some invisible medium; I just don't know how to directly interact with the files inside this container or if even I should. The setup I used was this one. https://hub.docker.com/r/alinmear/docker-conanexiles/ but obviously I've done something wrong. The part about volumes is what I am not too sure of. Where it says:
does that mean I have to create the /conanexiles folder somewhere? Or will the container do that automatically? All I need to do is copy some Conan Exiles config files into the correct directory - which I think is actually working as per
Also, how does this https://hub.docker.com/r/alinmear/docker-conanexiles/dockerfile relate to the container? If all I want to do is change a few server details, either through environmental variables or files within the container, and then simply docker-compose up the docker-compose.yml file, do I need to do anything with the dockerfile? Or is that file how to create the docker container (beyond my skills at the moment)? This all being said, since the last update of Conan Exiles I haven't had much luck with a server I know to have been working prior to the update, so I am a little unsure if it's Funcom needing to fix something or my lack of skill and understanding of all things docker. Any help will be met with beer! Cheers, Mick.
Good Afternoon, Guys -
I run Docker via Atomic (Fedora 29) on a dedicated system which I've used for a few months now and absolutely love it. There are many additional things that I want to do with it, however continue to hit a single roadblock. I've done a ton of research and testing without finding a solution so far so wanted to make an all-inclusive post.
My Question / Issue
What is the suggested method for mounting a Windows Share to a container so that the container has full Read/Write access to the files/folders within?
What I've Tried
So far, I've tried the below methods without success. A section for each is below with detail and results...
Attempt 1: Mounting Share to Host using CIFS then Attaching Mounted Folder as Volume to Container
Basically, I use CIFS to mount the Windows share with 0777 to an empty path on the host like /shares/files. When creating the container I wish to access it, I add a volume by including the below string:
This fails as when I try to create the container including the above string, I get the error:
Attempt 2: Same as Attempt 1, but Excluding SysLinux Parameter
This is the same as the above test, but I remove ":z" from the end of the string resulting in:
I am able to create the container successfully; however, I cannot access the files. If I connect to the container, I can cd into /files, however simply trying to execute "ls" fails with the error:
Note: I tested mounting to a folder which pre-exists in the container as well as defining a new one when creating the container. When connecting to the container after creation, I found that it did create /filestest yet I got the same error when trying to list files within it.
Attempt 3: Using the NetShare Docker Plugin
I ran across containx/docker-volume-netshare which is a Docker plugin that supposedly allows easier mounting of shares with containers so thought I'd try it out.
Unfortunately, I cannot get it working with Atomic for the life of me. I've tried installing its DEB which I seemingly cannot do with Atomic, installing it using rpm-tree (Atomic doesn't have yum/apt-get), trying to install it using "docker plugin install containx/docker-volume-netshare", building it from source, and finally just copying and running its binary.
The closest I got was by downloading and testing the binary as after setting its permissions, I could execute "docker-volume-netshare -h" and see the help and other notes. When attempting to use it by executing "docker volume create -d cifs --name myserver/files$" (which is a valid shared path), I got the error:
I posted an issue in their GitHub repo and tried a variety of other things, but didn't get a response after weeks and had no further luck.
Attempt 4: Mounting Share Inside of Container Using CIFS
I found a couple of posts suggesting this could work, so gave it a shot. I first added the string below when building a typical container as the posts said it was required:
Once the container was up, I connected to it and did the following:
Updated apt-get then installed nano & cifs-utils
Created the file /.smbcredentials with credentials inside of it then ran chmod against it
Created a new folder in the root named /filestest and set it to 0777 with chmod (Also tried using an existing empty folder in root which I set to 0777 as well)
Edited /etc/fstab and added the below string (since I want it to be persistent)
//myserver/files$ /filestest cifs iocharset=utf8,credentials=/.smbcredentials,file_mode=0777,dir_mode=0777 0 0
Note: When first opening /etc/fstab, there was a single comment stating "# UNCONFIGURED FSTAB FOR BASE SYSTEM"
Once done, I executed "mount -a" which returns the below error:
How to Proceed / Suggestion?
So that's where I'm at. As you can see, I'm not asking out of the blue and have invested tons of time researching and testing. Any suggestions you have would be greatly appreciated.
Thank You & Happy Holidays!