不能将基于保险丝的卷暴露给Docker容器 [英] Can't expose a fuse based volume to a Docker container
问题描述
我正在尝试为Docker容器提供一系列内部使用的加密文件系统。
想法是容器将像往常一样写入卷,但实际上主机将在将数据写入文件系统之前对其进行加密。
我正在尝试使用EncFS - 它在主机上运行良好,例如:
encfs / encrypted / visible
我可以将文件写入/可见,那些被加密。
但是,当尝试运行具有/可见作为卷的容器时,例如:
docker run -i -t - -privileged -v / visible:/ myvolume imagename bash
我在容器中收到一个卷,但它是在原始/加密文件夹,不通过EncFS。如果我从/ visible卸载了EncFS,我可以看到容器写的文件。不用说/加密是空的。
有没有办法让Docker通过EncFS安装卷,而不是直接写入文件夹?
相比之下,当我使用NFS挂载作为卷时,docker工作正常。它写入网络设备,而不是我装载设备的本地文件夹。
谢谢
我无法在本地复制您的问题。如果我尝试将一个encfs文件系统公开为一个Docker卷,我收到一个尝试启动该容器的错误:
FATA [0003 ]来自守护进程的错误响应:无法启动容器< cid> ;:
setup mount namespace stat / visible:permission denied
所以有可能你有不同的事情。在任何情况下,这都解决了我的问题:
默认情况下,FUSE只允许装载文件系统的用户访问该文件系统。当您运行Docker容器时,该容器最初以 root 运行。
您可以使用 allow_root 或 allow_other 安装选项当您安装FUSE文件系统。例如:
$ encfs -o allow_root / encrypted / other
这里, allow_root 将允许root用户访问挂载点,而 allow_other 将允许任何人访问安装点(只要目录中的Unix权限允许他们访问)。
如果我装载encfs filesytem使用 allow_root ,然后我可以将该文件系统公开为Docker卷和,该文件系统的内容从容器内部正确显示。 / p>
I'm trying to provide my docker container a volume of encrypted file system for internal use. The idea is that the container will write to the volume as usual, but in fact the host will be encrypting the data before writing it to the filesystem.
I'm trying to use EncFS - it works well on the host, e.g:
encfs /encrypted /visible
I can write files to /visible, and those get encrypted. However, when trying to run a container with /visible as the volume, e.g.:
docker run -i -t --privileged -v /visible:/myvolume imagename bash
I do get a volume in the container, but it's on the original /encrypted folder, not going through the EncFS. If I unmount the EncFS from /visible, I can see the files written by the container. Needless to say /encrypted is empty.
Is there a way to have docker mount the volume through EncFS, and not write directly to the folder? In contrast, docker works fine when I use an NFS mount as a volume. It writes to the network device, and not to the local folder on which I mounted the device.
Thanks
I am unable to duplicate your problem locally. If I try to expose an encfs filesystem as a Docker volume, I get an error trying to start the container:
FATA[0003] Error response from daemon: Cannot start container <cid>:
setup mount namespace stat /visible: permission denied
So it's possible you have something different going on. In any case, this is what solved my problem:
By default, FUSE only permits the user who mounted a filesystem to have access to that filesystem. When you are running a Docker container, that container is initially running as root.
You can use the allow_root or allow_other mount options when you mount the FUSE filesystem. For example:
$ encfs -o allow_root /encrypted /other
Here, allow_root will permit the root user to have acces to the mountpoint, while allow_other will permit anyone to have access to the mountpoint (provided that the Unix permissions on the directory allow them access).
If I mounted by encfs filesytem using allow_root, I can then expose that filesystem as a Docker volume and the contents of that filesystem are correctly visible from inside the container.
这篇关于不能将基于保险丝的卷暴露给Docker容器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
