I want to cif mount a directory into a docker-container. As there are solutions to this, I tried the --privileged flag and setting the capabilities needed:
docker-compose.yaml:
version: '2.0'
services:
mounttest:
image: test
privileged: true
cap_add:
- SYS_ADMIN
- DAC_READ_SEARCH
restart: unless-stopped
container_name: test
mem_limit: 500m
build:
context: .
dockerfile: Dockerfile
volumes:
- .:/apps/docker-test/
Dockerfile:
FROM ubuntu:18.04
ADD . /apps/docker-test/
# APT-GET
RUN apt-get update && apt-get install -y \
sudo \
cifs-utils
# CHMOD SHELL SCRIPTS
RUN chmod 0755 /apps/docker-test/run.sh
RUN chmod 0755 /apps/docker-test/build.sh
RUN /apps/docker-test/build.sh
CMD bash /apps/docker-test/run.sh
build.sh:
mkdir -p /test_folder
echo "Mount"
sudo mount -t cifs -o username=XXX,password=XXX,workgroup=XX //server/adress$ /test_folder
run.sh starts a python script
This does not work, instead:
docker-compose build
gives me the error:
Unable to apply new capability set
All the solutions I found only mention the privileged flag or capabilities, which are set. Can anyone help?
This error happens because you're trying to mount a device inside the build
step. At this point, these capabilities aren't available for the build container to use and it seems to be rolling out asa flag for disabling security at buildkit rather than enabling custom capabilities at build time.
The usual way to do that is to have your CIFS mount ready when you start your build process, as it'd not expose any authentication, device or mount point, as well as it's easier for docker to handle changes and react to them (since the build process works hard to cache everything before building it).
If you still want to do that, you'll need a few extra steps to enable the insecure flags from both the buildkitd
and the docker buildx
:
Mind that, as of today (2020-09-09), the support is still experimental and unforeseen consequences can happen.
"experimental":"enabled"
to your ~/.docker/config.json
security.insecure
entitlement enabled:docker buildx create --driver docker-container --name local \
--buildkitd-flags '--allow-insecure-entitlement security.insecure' \
--use
Dockerfile
to use experimental syntax by adding before your first line:# syntax = docker/dockerfile:experimental
RUN --security=insecure /apps/docker-test/build.sh
--allow security.insecure
flag:docker buildx build --allow security.insecure .
That way your build will be able to break free the security constraints. I must reiterate that that's not a recommended practice for a few reasons:
Keep that in mind and happy mounting :)
The answer I found, is to put the mount command into the run.sh file. As the command (or CMD) in the Dockerfile is only executed when running
docker-compose up
the mount will only be executed after the build, done beforehand, is already finished.
Therefore, before starting the python script, the mount command is executed. In my case, that only worked with the privileged flag set to true.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.