在 Docker 容器中挂载 SMB/CIFS 共享 [英] Mount SMB/CIFS share within a Docker container
问题描述
我有一个在 Docker 容器中运行的 Web 应用程序.此应用程序需要访问我们公司文件服务器(带有 Active Directory 域控制器的 Windows Server)上的一些文件.我尝试访问的文件是为我们的客户创建的图像文件,Web 应用程序将它们显示为客户投资组合的一部分.
I have a web application running in a Docker container. This application needs to access some files on our corporate file server (Windows Server with an Active Directory domain controller). The files I'm trying to access are image files created for our clients and the web application displays them as part of the client's portfolio.
在我的开发机器上,我通过 /etc/fstab 中的条目安装了适当的文件夹,并且主机安装点通过 --volume 安装在 Docker 容器中争论.这非常有效.
On my development machine I have the appropriate folders mounted via entries in /etc/fstab and the host mount points are mounted in the Docker container via the --volume argument. This works perfectly.
现在我正在尝试组合一个生产容器,该容器将在不同的服务器上运行,并且不依赖于安装在主机上的 CIFS 共享.所以我尝试将适当的条目添加到容器中的 /etc/fstab 文件中 &使用 mount -a 挂载它们.我收到挂载错误(13):权限被拒绝.
Now I'm trying to put together a production container which will be run on a different server and which doesn't rely on the CIFS share being mounted on the host. So I tried to add the appropriate entries to the /etc/fstab file in the container & mounting them with mount -a. I get mount error(13): Permission denied.
在网上的一些研究让我看到了这篇关于 Docker 安全性的文章.如果我没看错的话,Docker 似乎明确拒绝了在容器内挂载文件系统的能力.我尝试以只读方式安装共享,但这(不出所料)也失败了.
A little research online led me to this article about Docker security. If I'm reading this correctly, it appears that Docker explicitly denies the ability to mount filesystems within a container. I tried mounting the shares read-only, but this (unsurprisingly) also failed.
所以,我有两个问题:
我对 Docker 阻止在容器内使用
mount的理解是否正确?
谁能想出另一种方法来实现这一点而无需在主机上安装 CIFS 共享,然后在 Docker 容器中安装主机文件夹?
Can anyone think of another way to accomplish this without mounting a CIFS share on the host and then mounting the host folder in the Docker container?
推荐答案
是的,作为安全措施,Docker 正在阻止您在容器内安装远程卷.如果您信任您的图像和运行它们的人,那么您可以使用 --privileged 标志和 docker run 来禁用这些安全措施.
Yes, Docker is preventing you from mounting a remote volume inside the container as a security measure. If you trust your images and the people who run them, then you can use the --privileged flag with docker run to disable these security measures.
此外,您可以将 --cap-add 和 --cap-drop 结合起来,只为容器提供它实际需要的功能.(参见文档) SYS_ADMIN 能力是授予挂载权限的能力.
Further, you can combine --cap-add and --cap-drop to give the container only the capabilities that it actually needs. (See documentation) The SYS_ADMIN capability is the one that grants mount privileges.
这篇关于在 Docker 容器中挂载 SMB/CIFS 共享的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
