在Docker容器中挂载SMB / CIFS共享 [英] Mount SMB/CIFS share within a Docker container

问题描述

我有一个在Docker容器中运行的Web应用程序。此应用程序需要访问我们的公司文件服务器（具有Active Directory域控制器的Windows Server）上的一些文件。我正在尝试访问的文件是为我们的客户创建的图像文件，Web应用程序将它们显示为客户端的组合。

在我的开发机器上，我有通过 / etc / fstab 中的条目安装的适当的文件夹和主机挂载点通过 - 卷参数。这样做完美。

现在我试图将一个生产容器放在一个不同的服务器上运行，而不依赖于正在安装的CIFS共享在主机上。所以我试图将相应的条目添加到容器&中的 / etc / fstab 文件中。用 mount -a 装载它们。我得到挂载错误（13）：权限被拒绝。

在线的一点研究让我来到关于Docker安全性的这篇文章。如果我正确阅读，Docker显然会拒绝在容器中装载文件系统的能力。我尝试以只读方式挂载股票，但这个（不出意料的）也失败了。

所以，我有两个问题：

1. 我正确的理解，Docker防止在容器内使用 mount




2. 任何人都可以想到另一种方式来实现这个而不是在主机上安装CIFS共享，然后将主机文件夹安装在Docker容器中？

   / li>
   

解决方案

是的，Docker正在阻止您将容器内的远程卷作为安全措施。如果您信任您的图像和运行它们的人员，则可以使用 - 特权标志与 docker run 禁用这些安全措施。

此外，您可以将 - cap-add 和 - cap-drop 给容器只有它实际需要的功能。 （见文档） SYS_ADMIN 功能是授予安装权限的功能。

I have a web application running in a Docker container. This application needs to access some files on our corporate file server (Windows Server with an Active Directory domain controller). The files I'm trying to access are image files created for our clients and the web application displays them as part of the client's portfolio.

On my development machine I have the appropriate folders mounted via entries in /etc/fstab and the host mount points are mounted in the Docker container via the --volume argument. This works perfectly.

Now I'm trying to put together a production container which will be run on a different server and which doesn't rely on the CIFS share being mounted on the host. So I tried to add the appropriate entries to the /etc/fstab file in the container & mounting them with mount -a. I get mount error(13): Permission denied.

A little research online led me to this article about Docker security. If I'm reading this correctly, it appears that Docker explicitly denies the ability to mount filesystems within a container. I tried mounting the shares read-only, but this (unsurprisingly) also failed.

So, I have two questions:

1. Am I correct in understanding that Docker prevents any use of mount inside containers?

2. Can anyone think of another way to accomplish this without mounting a CIFS share on the host and then mounting the host folder in the Docker container?

解决方案

Yes, Docker is preventing you from mounting a remote volume inside the container as a security measure. If you trust your images and the people who run them, then you can use the --privileged flag with docker run to disable these security measures.

Further, you can combine --cap-add and --cap-drop to give the container only the capabilities that it actually needs. (See documentation) The SYS_ADMIN capability is the one that grants mount privileges.

这篇关于在Docker容器中挂载SMB / CIFS共享的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！