在Docker容器中挂载SMB / CIFS共享 [英] Mount SMB/CIFS share within a Docker container
问题描述
在我的开发机器上,我有通过 / etc / fstab
中的条目安装的适当的文件夹和主机挂载点通过 - 卷$ c $安装在Docker容器中c>参数。这样做完美。
现在我试图将一个生产容器放在一个不同的服务器上运行,而不依赖于正在安装的CIFS共享在主机上。所以我试图将相应的条目添加到容器&中的 / etc / fstab
文件中。用 mount -a
装载它们。我得到挂载错误(13):权限被拒绝
。
在线的一点研究让我来到关于Docker安全性的这篇文章。如果我正确阅读,Docker显然会拒绝在容器中装载文件系统的能力。我尝试以只读方式挂载股票,但这个(不出意料的)也失败了。
所以,我有两个问题:
-
我正确的理解,Docker防止在容器内使用
mount
-
任何人都可以想到另一种方式来实现这个而不是在主机上安装CIFS共享,然后将主机文件夹安装在Docker容器中?
/ li>
是的,Docker正在阻止您将容器内的远程卷作为安全措施。如果您信任您的图像和运行它们的人员,则可以使用 - 特权
标志与 docker run
禁用这些安全措施。
此外,您可以将 - cap-add
和 - cap-drop
给容器只有它实际需要的功能。 (见文档) SYS_ADMIN
功能是授予安装权限的功能。
I have a web application running in a Docker container. This application needs to access some files on our corporate file server (Windows Server with an Active Directory domain controller). The files I'm trying to access are image files created for our clients and the web application displays them as part of the client's portfolio.
On my development machine I have the appropriate folders mounted via entries in /etc/fstab
and the host mount points are mounted in the Docker container via the --volume
argument. This works perfectly.
Now I'm trying to put together a production container which will be run on a different server and which doesn't rely on the CIFS share being mounted on the host. So I tried to add the appropriate entries to the /etc/fstab
file in the container & mounting them with mount -a
. I get mount error(13): Permission denied
.
A little research online led me to this article about Docker security. If I'm reading this correctly, it appears that Docker explicitly denies the ability to mount filesystems within a container. I tried mounting the shares read-only, but this (unsurprisingly) also failed.
So, I have two questions:
Am I correct in understanding that Docker prevents any use of
mount
inside containers?Can anyone think of another way to accomplish this without mounting a CIFS share on the host and then mounting the host folder in the Docker container?
Yes, Docker is preventing you from mounting a remote volume inside the container as a security measure. If you trust your images and the people who run them, then you can use the --privileged
flag with docker run
to disable these security measures.
Further, you can combine --cap-add
and --cap-drop
to give the container only the capabilities that it actually needs. (See documentation) The SYS_ADMIN
capability is the one that grants mount privileges.
这篇关于在Docker容器中挂载SMB / CIFS共享的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!