Using ecryptfs inside Docker without --privileged. Appropriate value for --device?


Question

I'm required to set up a Docker container inside which part of the filesystem is encrypted. Please let's not dwell on the why, the answer is ugly and more political than technical.

In case it matters, the particular part to be encrypted will be a volume mount from the host, although I'm initially trying this out just in the container's /tmp. Because of the way our deployment works it would be inconvenient to do the ecryptfs stuff directly on the volume, outside the container; I want to do the mount inside as part of a shell script run as the CMD.

I can do this ok provided I run the container with --privileged (thanks to this throwaway comment) - but I don't want to grant everything that comes with that. By trial and error I've discovered that adding --cap-add IPC_LOCK gets over the first inscrutable error (Exiting. Unable to obtain passwd info) but the process later fails with this:

mount: block device /tmp/enc is write-protected, mounting read-only
mount: cannot mount block device /tmp/enc read-only
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>

Adding all the capabilities doesn't help here - the problem lies elsewhere.

The docker-run docs say that --privileged also takes down the barriers relating to the --device parameter, gives fuse as an example of something that would need --device set, and shows rather similar looking errors in the "before" example. ecryptfs and fuse seem like they'd have a certain amount in common, so this feels like a good clue.

I tried adding --device /tmp/enc to my docker run command, to no avail (host doesn't know about this path, which makes sense). I also noticed that there's a /dev/ecryptfs (though I don't know what it does) and tried that. Container ran, but ecryptfs mount wouldn't work.

It's starting to seem worryingly as if this can't be done... Any ideas?

Answer

It seems that the actual storage-drivers used by docker do not work on eCryptFS.

Check these issues in the repository.
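The following script is an added example and is not code from the question, the answer, or the Docker or eCryptfs projects. It shows the narrowed alternative to --privileged a practitioner would try for an in-container eCryptfs mount, together with the host-side preflight checks and a post-mount verification. Whether it clears the "Operation not permitted" above depends on what is actually denying mount(2) on a given host: the docker-default AppArmor profile denies mount outright, and Docker's default seccomp profile only permits mount/umount2 when CAP_SYS_ADMIN is held, which is why adding capabilities alone can leave the error in place. Assumed and not stated on the page: the ecryptfs module is loaded on the host, the image has ecryptfs-utils installed, and the image name "ecryptfs-test", the /data volume, /data/enc, /data/plain and /run/secrets/ecryptfs_pass are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Mount an eCryptfs overlay inside a container with a narrowed privilege set
# instead of --privileged, after checking that the host can support it.
# Assumptions (placeholders, not from the page): image "ecryptfs-test" with
# ecryptfs-utils installed; /data is the host volume; the passphrase file is
# bind-mounted read-only at /run/secrets/ecryptfs_pass.

# Does a /proc/filesystems listing (passed as text) register ecryptfs?
# eCryptfs is a stacked filesystem, so it is listed with the "nodev" flag.
fs_supports_ecryptfs() {
    printf '%s\n' "$1" | grep -q '^nodev[[:space:]]*ecryptfs$'
}

# Is MOUNTPOINT ($2) an ecryptfs mount in a /proc/mounts listing ($1)?
# /proc/mounts fields: source mountpoint fstype options dump pass
is_ecryptfs_mounted() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp && $3 == "ecryptfs" { found = 1 } END { exit !found }'
}

# The command run inside the container. The passphrase file holds one line,
# "passphrase_passwd=<passphrase>" (ecryptfs-utils' passphrase_passwd_file
# format), so the secret is never placed on a command line. The trailing grep
# fails the step if the mount did not actually take effect.
container_mount_cmd() {
    lower=$1; upper=$2; passfile=$3
    printf 'mkdir -p %s %s && mount -t ecryptfs %s %s -o key=passphrase:passphrase_passwd_file=%s,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_passthrough=n,ecryptfs_enable_filename_crypto=n,no_sig_cache && grep " %s ecryptfs " /proc/mounts' \
        "$lower" "$upper" "$lower" "$upper" "$passfile" "$upper"
}

# The docker run line. Each flag stands in for one thing --privileged would
# grant wholesale:
#   --cap-add SYS_ADMIN     mount(2) requires it, and Docker's default seccomp
#                           profile only allows mount/umount2 when it is held
#   apparmor=unconfined     the docker-default AppArmor profile denies mount;
#                           a custom profile permitting only
#                           "mount fstype=ecryptfs" would be tighter
#   --device /dev/ecryptfs  the miscdevice the ecryptfs helper daemon uses
docker_run_cmd() {
    hostdir=$1; image=$2; passfile=$3
    printf 'docker run --rm --cap-add SYS_ADMIN --security-opt apparmor=unconfined --device /dev/ecryptfs:/dev/ecryptfs -v %s:/data -v %s:/run/secrets/ecryptfs_pass:ro %s sh -c %s' \
        "$hostdir" "$passfile" "$image" \
        "'$(container_mount_cmd /data/enc /data/plain /run/secrets/ecryptfs_pass)'"
}

# Host-side preflight, then the run. Only executed when RUN_DOCKER=1 so the
# functions above can be sourced and checked on a machine without Docker.
main() {
    hostdir=${1:?host directory}; image=${2:-ecryptfs-test}; passfile=${3:?passphrase file}
    fs_supports_ecryptfs "$(cat /proc/filesystems)" \
        || { echo "ecryptfs not registered on host; try: modprobe ecryptfs" >&2; exit 1; }
    [ -c /dev/ecryptfs ] || { echo "/dev/ecryptfs missing on host" >&2; exit 1; }
    cmd=$(docker_run_cmd "$hostdir" "$image" "$passfile")
    echo "$cmd"
    eval "$cmd"
}

if [ "${RUN_DOCKER:-0}" = 1 ]; then
    main "$@"
fi
```

Usage: `RUN_DOCKER=1 sh ecryptfs-container.sh /srv/vol ecryptfs-test /srv/ecryptfs_pass`. Two caveats worth checking before relying on this: CAP_SYS_ADMIN plus an unconfined AppArmor profile is still a large grant (it is smaller than --privileged, which also drops seccomp and exposes every host device), so a custom AppArmor profile that allows only the ecryptfs mount is the better end state; and mount.ecryptfs places the passphrase key in the kernel keyring with add_key(2), which is not namespaced, so if the engine's default seccomp profile blocks add_key/keyctl/request_key a custom profile allowing just those calls is needed rather than seccomp=unconfined.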
