linux - Mount SMB/CIFS share within a Docker container - Stack Overflow
Accessing a networked samba share.
How to see a local SMB share within containers.
Samba server - docker or native?
Videos
Yes, Docker is preventing you from mounting a remote volume inside the container as a security measure. If you trust your images and the people who run them, then you can use the --privileged flag with docker run to disable these security measures.
Further, you can combine --cap-add and --cap-drop to give the container only the capabilities that it actually needs. (See documentation) The SYS_ADMIN capability is the one that grants mount privileges.
- yes
- There is a closed issue mount.cifs within a container
https://github.com/docker/docker/issues/22197
according to which adding
--cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH
to the run options will make mount -t cifs operational.
I tried it out and:
mount -t cifs //<host>/<path> /<localpath> -o user=<user>,password=<user>
within the container then works
It turnes out, that the problem in fact originates from SELinux policies. Specifically, the podman container process (labeled as container_t) could not access the samba share directory (labeled as samba_share_t).
After some research, I found this post:
- https://unix.stackexchange.com/questions/728801/host-wide-consequences-of-setting-selinux-z-z-option-on-container-bind-mounts
As described there, we can use ausearch to inspect SELinux denial decisions and create an exception rule for a denial with audit2allow. However, after some back and forth testing, I came up with this SELinux module specification:
module docker-samba 1.0;
require {
type container_t;
type samba_share_t;
type mnt_t;
class dir { read write setattr getattr create rename open add_name rmdir remove_name lock watch};
class file { read write setattr getattr create rename open lock unlink append};
}
#============= container_t ==============
allow container_t samba_share_t:dir { read write setattr getattr create rename open add_name rmdir remove_name lock watch};
allow container_t samba_share_t:file { read write setattr getattr create rename open lock unlink append};
allow container_t mnt_t:dir { setattr };
It is based on the official SELinux specification PolicyStatements and ObjectClassesPerms
The module can then be installed as following:
sudo checkmodule -M -m -o docker-samba.mod docker-samba.te
sudo semodule_package -m docker-samba.mod -o docker-samba.pp
sudo semodule -i docker-samba.pp
To check if your module specification was indeed correct, you can again inspect the SELinux denial messages using ausearch as described before.
It looks like you using a Linux based docker container, then Z: is not recognized because that's windows/Microsoft
So in your volumes you need to specify a linux path for example /data
volumes:
- /mnt/basis/software/docker/syncthing:/var/syncthing
Also make sure the 1006 has enough permissions to the files/directory/share
There is an example docker-compose on their github https://github.com/syncthing/syncthing/blob/main/README-Docker.md
---
version: "3"
services:
syncthing:
image: syncthing/syncthing
container_name: syncthing
hostname: my-syncthing
environment:
- PUID=1000
- PGID=1000
volumes:
- /wherever/st-sync:/var/syncthing
ports:
- 8384:8384 # Web UI
- 22000:22000/tcp # TCP file transfers
- 22000:22000/udp # QUIC file transfers
- 21027:21027/udp # Receive local discovery broadcasts
restart: unless-stopped