来自另一个容器的 Docker 中的 mount.cifs 需要特权

Question

My use case is a transcode farm that reads inputs from a Samba share and writes it to another.

Using mount.cifs in Docker requires both SYS_ADMIN and DAC_READ_SEARCH capabilities. I am able to use two hosts and run smbd on one host, and mount its share on another host. (Both smbd and mount are ran inside containers, just in different host.)

However, I cannot, using the same mount command, mount the Samba share on the host with the container that's running smbd .

EDIT: It works on Docker Desktop but fails in a Linux host. (With the same docker engine server version)

TL;DR the following Docker Compose fails UNLESS I give it privileged access.

Environments: Working on Docker for Mac, Not working on bare-metal Linux (Ubuntu 18.04.4 4.15.0-91-generic Docker 19.03.8 containerd 1.2.13), Not working on Hyper-V-virtualized Linux (Ubuntu 19.04 5.0.0-38-generic Docker 19.03.6 containerd 1.2.13)

version: '3.4'

services:
  samba:
    image: dperson/samba
    environment:
      TZ: 'EST5EDT'
    networks:
      - default
    ports:
      - "137/udp"
      - "138/udp"
      - "139/tcp"
      - "445/tcp"
    tmpfs:
      - /tmp
    restart: unless-stopped
    stdin_open: true
    tty: true
    volumes:
      - /samba-data
    command: '/bin/bash -c "touch /samba-data/file.txt && samba.sh -s \"data;/samba-data\" -u \"bob;bob\" -p"'
  mounter:
    image: ubuntu
    command: '/bin/bash -c "apt update && apt install -y cifs-utils && mkdir /samba-data && mount -v -o username=bob,password=bob,vers=3.0,ro,port=445 //samba/data /samba-data"'
    tty: true
#   privileged: true
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
networks:
  default:

My questions,

1. Why is privileged required when running on the same Docker host?
2. Can I make it more restrictive (by giving it only what it needs)?

Answer 1

Is there anything in your use case, requiring the mount to be done inside the container ? How about letting docker handle the mount ?

In your example, you are starting a container to expose a samba share, and another one to read from it. How about simply binding both containers to the same docker volume (ie define a named volume at the top level of your docker-compose, and use it in both services) ? That's the usual way to share a mount between container, and this doesn't require privileges or open ports. See this SO answer for example.

If this "shared folder" must be CIFS (because in real life it's not a samba container, but a Windows server ?), you can define the volume with a volume-driver parameter pointing to a docker volume plugin which supports CIFS, such as this one or this other one . Your "mounter" container would start with the CIFS share already mounted. No need to mount from inside the container, hence no need for a privileged container or extended caps.