Skip to content
This repository has been archived by the owner on Oct 10, 2020. It is now read-only.

Best Method to Mount a Windows Share within a Container #1252

Open
BzowK opened this issue Dec 19, 2018 · 8 comments
Open

Best Method to Mount a Windows Share within a Container #1252

BzowK opened this issue Dec 19, 2018 · 8 comments

Comments

@BzowK
Copy link

BzowK commented Dec 19, 2018

Good Afternoon, Guys -

I run Docker via Atomic (Fedora 29) on a dedicated system which I've used for a few months now and absolutely love it. There are many additional things that I want to do with it, however continue to hit a single roadblock. I've done a ton of research and testing without finding a solution so far so wanted to make an all-inclusive post.

My Question / Issue

What is the suggested method for mounting a Windows Share to a container so that the container has full Read/Write access to the files/folders within?

What I've Tried

So far, I've tried the below methods without success. A section for each is below with detail and results...

  • Attempt 1: Mounting Share to Host using CIFS then Attaching Mounted Folder as Volume to Container
  • Attempt 2: Mounting Share to Host using CIFS then Attaching Mounted Folder as Volume to Container Excluding SysLinux Parameters
  • Attempt 3: Using the NetShare Docker Plugin
  • Attempt 4: Mounting Share Inside of Container Using CIFS

Attempt 1: Mounting Share to Host using CIFS then Attaching Mounted Folder as Volume to Container

Basically, I use CIFS to mount the Windows share with 0777 to an empty path on the host like /shares/files. When creating the container I wish to access it, I add a volume by including the below string:

-v /share/files:/files:z \ (Added :z since use Atomic with SysLinux)

This fails as when I try to create the container including tyhe above string, I get the error:

/usr/bin/docker-current: Error response from daemon: error setting label on mount source '/share/files': SELinux relabeling of /share/files is not allowed: "operation not supported".

Attempt 2: Same as Attempt 1, but Excluding SysLinux Parameter

This is the same as the above test, but I remove ":z" from the end of the string resulting in:

 -v /share/files:/files \

I am able to create the container successfully, however; cannot access the files. If I connect to the container, I can cd into /files, however simply trying to execute "ls" fails with the error:

ls: cannot open directory '.': Permission denied

Note: I tested mounting to a folder which pre-exists in the container as well as defining a new one when creating the container. When connecting to the container after creation, I found that it did create /filestest yet I got the same error when trying to list files within it.

Attempt 3: Using the NetShare Docker Plugin

I ran across containx/docker-volume-netshare which is a Docker plugin that supposedly allows easier mounting of shares with containers so thought i'd try it out.

Unfortunately, I cannot get it working with Atomic for the life of me. I've tried installing it's DEB which I seemingly cannot do with Atomic, installing it using rpm-tree (Atomic doesn't have yum/apt-get), trying to install it using "docker plugin install containx/docker-volume-netshare", building it from source, and finally just copying and running it's binary.

The closest I got was by downloading and testing the binary as after setting its permissions, I could execute "docker-volume-netshare -h" and see the help and other notes. When attempting to use it by executing "docker volume create -d cifs --name myserver/files$" (which is a valid shared path), I got the error:

Error response from daemon: create myserver/files$: create myserver/files$: Error looking up volume plugin cifs: legacy plugin: plugin not found

I posted an issue in their GitHub repo and tried a variety of other things, but didn't get a response after weeks and had no further luck.

Attempt 4: Mounting Share Inside of Container Using CIFS

I found a couple of posts suggesting this could work, so gave it a shot. I first added the string below when building a typical container as the posts said it was required:

 --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH \

Once the container was up, I connected to it and did the following:

  1. Updated apt-get then installed nano & cifs-utils

  2. Created the file /.smbcredentials with credentials inside of it then ran chmod against it

  3. Created a new folder in the root named /filestest and set it to 0777 with chmod (Also tried using an existing empty folder in root which I set to 0777 as well)

  4. Edited /etc/fstab and added the below string (since I want it to be persistent)

    //myserver/files$ /filestest cifs iocharset=utf8,credentials=/.smbcredentials,file_mode=0777,dir_mode=0777 0 0

Note: When first opening /etc/fstab, there was a single comment stating "# UNCONFIGURED FSTAB FOR BASE SYSTEM"

Once done, I executed "mount -a" which returns the below error:

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

##How to Proceed / Suggestion?
So that's where I'm at. As you can see, I'm not asking out of the blue and have invested tons of time researching and testing. Any suggestions you have would be greatly appreciated.

Thank You & Happy Holidays!

@rhatdan
Copy link
Member

rhatdan commented Dec 20, 2018

I believe this is SELinux blocking the access.

Could you check for AVC messages.

You could either disable SELinux within docker (Although I would prefer you to play with podman)

Or mount your cifs share with --context="system_u:object_r:container_file_t:s0"

@BzowK
Copy link
Author

BzowK commented Dec 21, 2018

Really appreciate the reply - thanks! I've got a few questions, please...

Host Rebuild
My Docker host is a dedicated system for Docker containers for my home lab's use. I initially used Atomic (Fedora 29) for my Docker host as I thought it would provide the best experience with least overhead. I'm looking to rebuild my host, however; due to wanting to try something new plus hopefully make these current issues more easily manageable. Given my post, would it make more sense / be easier to manage something other than Atomic Fedora? Do you think Atomic CentOS make any different regarding the above issue or perhaps something like CoreOS, UNRAID, RancherOS, or even a full Linux OS?

Disable SELinux
What potential ramifications may this have on my other containers?

podman
I'm reviewing the documentation for podman, but honestly don't know what you are proposing with it. Would you mind elaborating a bit?

CIFS Parameters
So for the "--context="system_u:object_r:container_file_t:s0"" parameter you mentioned above, where would you propose it be tested? When mounting the share to the host (1st options above) or at the end of the string within /etc/fstab (last option above) thus yielding something like the below:

//myserver/files$ /filestest cifs iocharset=utf8,credentials=/.smbcredentials,file_mode=0777,dir_mode=0777 0 0 --context="system_u:object_r:container_file_t:s0"

Thanks again as I really appreciate your reply!

@rhatdan
Copy link
Member

rhatdan commented Dec 21, 2018

I cringe when i see the Docker word so often. I think you want to say on your container host...

Host Rebuild

"My container host is a dedicated system for linux containers for my home lab's use. I initially used ? Atomic (Fedora 29) for my container host as I thought it would provide the best experience with least overhead. I'm looking to rebuild my host, however; due to wanting to try something new plus hopefully make these current issues more easily manageable. Given my post, would it make more sense / be easier to manage something other than Atomic Fedora? Do you think Atomic CentOS make any different regarding the above issue or perhaps something like CoreOS, UNRAID, RancherOS, or even a full Linux OS?"

I would recommend you look at Fedora CoreOS (Replacement for Atomic) or at SilverBlue if this is work station you want to login to.

Disable SELinux

What potential ramifications may this have on my other containers?

SElinux is the only protection your file system has against container breakout, so disabling it makes you system a lot more at risk.

If you have existing containers running with volume mounts, you might need to do some relabeling. Adding :Z or :z on your volume mounts should fix most of the issues you see, although be careful when mounting in large shared directories like your homedir. In those cases it is best to run with SELinux separation disabled.
--security-opt label=disabled

I would look at replacing docker commands with podman where ever possible, ALso suggest running some of your containers as non root using podman.

CIFS Parameters

I would put it in the fstab with something like this:

/myserver/files$ /filestest cifs iocharset=utf8,credentials=/.smbcredentials,file_mode=0777,dir_mode=0777,context="system_u:object_r:container_file_t:s0" 0 0

See if it works.

@BzowK
Copy link
Author

BzowK commented Dec 21, 2018

Ha - apologies and actually glad you brought it up as I although somewhat new to "container technology" :), I don't want to sound like an idiot. Thanks

I do most of my work over SSH so will try out COreOS. I haven't heard of SilverBlue, but will check it out first.

As for disabling SELinux, most of my containers do have volume mounts, but all were initially made with ":z" as I found early on that I had to use it in order for many of them to have read/write access to the mounted paths. Also, the host is in my home lab where I am the only local user. The only outside access would be via the web where my reverse proxy redirecting a WebUI hosted in a container. Even then, I apply a 3rd party SSL cert to it plus dual authentication.

I'll give podman a shot assuming it is supported on the container host OS I choose plus add all containers as non-root unless I cannot get it to work otherwise.

Finally, as you know; my main concern was the ability for a few containers to have full access to Windows shares. I'll try the CIFS string you suggested shortly and relay the results. The container I plan to initially test this on was already added with the parameter "--cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH ". Is that or any other needed for the string to work?

Thanks again for your assistance and suggestions. I've posted everywhere about this and you are the only one who's helped at all.

@BzowK
Copy link
Author

BzowK commented Dec 21, 2018

Update
I tried using the string you suggested above in /etc/fstab but after saving and executing "mount -a", still got the below error:

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

  1. To be sure I started from scratch by...
  2. Deleting the container & its volumes then adding new
  3. Updating apt-get then installing cifs-utils
  4. Creating /.smbcredentials with credentials (obviously)
  5. Editing /etc/fstab
  6. Removed the pre-existing commented line of "# UNCONFIGURED FSTAB FOR BASE SYSTEM"
  7. Added the string "//myserver/files$ /filestest cifs iocharset=utf8,credentials=/.smbcredentials,file_mode=0777,dir_mode=0777,context="system_u:object_r:container_file_t:s0" 0 0"
  8. Saved, then executed "mount -a"
  9. Also tried "chmod 0777 /files" then "mount -a" again

I got the above error again. GOing to try adding "--privileged" Thanks

@BzowK
Copy link
Author

BzowK commented Dec 21, 2018

Update 2
I think that did it. I rebuilt the container (again) and included " --privileged " in the string. Once done, I followed the same steps above and the share mounted successfully as I was able to create a new file in the share using vi.

Only one issue remaining if you don't mind. I obviously used apt-get to install cifs-utils into the container I was testing with. The issue is that I have a couple of other containers which I want to mount Windows shares, but they do not have apt-get or yum and seemingly rely on pip for installations which to my knowledge cannot install cifs-utils.

Any suggestions for how to overcome that? If I can get it working, I'll be golden.

Thanks again!

@rhatdan
Copy link
Member

rhatdan commented Dec 21, 2018

So you are actually executing the mount from within the container? That is an unusual practice, the standard is to mount the shares on the host, and then volume mount them into the container.

That is why I as suggesting that you mount the share with the label I suggested, Then you could just run containers off of the volume.

podman run -v /PATHTOSHARE:/PATHTOSHARE ...

Running your containers --privileged to allow them to mount content feels wrong.

@Thoughtscape2014
Copy link

Thoughtscape2014 commented Jun 24, 2020

Just found this thread and have a few not-so-quick questions that are related to getting a conan-exiles server docker container to run properly and show up in game/steam; which never works. As an aside I'd also like to be able to easy copy server folders to and from the container for backup purposes: which is the purpose of this question.

Rhatdan stated that to mount from within the container is an unusual practice and to mount the shares on the host and then volume mount them into the container. Being very new to docker how would you go about this?

On my CentOS7 cli only server with docker and docker compose installed I'd like all docker containers to access my samba share [from my QNAP NAS]:

//<NAS-IP-OR-NAME-OF-NAS/Servers

Also, I can ping the container IP address from within my linux server and can ping my linux server from my PC but both devices are on different networks (server is local network is 192.168.2.201 and the other is 172.18.0.something). When I start the container with docker-compose up from within the correct folder on the linux server the container appears to run referencing file paths and it seems to log events as a normal dedicated server should. It also seems to be able to update the game from within the container indicating that it has internet access through some invisible medium; I just don't know how to directly interact with the files inside this container or if even I should.

The setup I used was this one. https://hub.docker.com/r/alinmear/docker-conanexiles/ but obviously I've done something wrong.

The part about volumes is what I am not too sure of. Where it says:

volumes:
    - data:/conanexiles

does that mean I have to create the /conanexiles folder somewhere? Or will the container do that automatically? All I need to do is coy some Conan Exiles config files into the correct directory - which I think is actually working as per

Provide a Config
If there is a folder with configurations found at /tmp/docker-conanexiles this folder will be copied to the config folder of the server. This will only happen if there is no configuration already existing (the case of a clean container initialization).

Also, how does this https://hub.docker.com/r/alinmear/docker-conanexiles/dockerfile relate to the container? If all i want to do is change a few server details, either through environmental variables or files within the container, and then simply docker-compose up the docker-compose.yml file do I need to do anything with the dockerfile? Or is that file how to create the docker container (beyond my skills at the moment).

This all being said, since the last update of Conan Exiles I haven't had much luck with a server I know to have been working prior to the update so I am a little unsure if it's funcom needing to fix something or my lack of skill and understanding of all things docker.

Any help will be met with beer!

Cheers,

Mick.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants