Cifs mount in docker container with docker-compose

Question

I want to cif mount a directory into a docker-container. As there are solutions to this, I tried the --privileged flag and setting the capabilities needed:

docker-compose.yaml:

version: '2.0'
services:
  mounttest:
    image: test

    privileged: true
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    
    restart: unless-stopped
    container_name: test
    mem_limit: 500m
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - .:/apps/docker-test/

Dockerfile:

FROM ubuntu:18.04

ADD . /apps/docker-test/

# APT-GET
RUN apt-get update && apt-get install -y \
    sudo \
    cifs-utils

# CHMOD SHELL SCRIPTS
RUN chmod 0755 /apps/docker-test/run.sh
RUN chmod 0755 /apps/docker-test/build.sh

RUN /apps/docker-test/build.sh
CMD bash /apps/docker-test/run.sh

build.sh:

mkdir -p /test_folder
echo "Mount"
sudo mount -t cifs -o username=XXX,password=XXX,workgroup=XX //server/adress$ /test_folder

run.sh starts a python script

This does not work, instead:

docker-compose build

gives me the error:

Unable to apply new capability set

All the solutions I found only mention the privileged flag or capabilities, which are set. Can anyone help?

Answer 1

This error happens because you're trying to mount a device inside the build step. At this point, these capabilities aren't available for the build container to use and it seems to be rolling out asa flag for disabling security at buildkit rather than enabling custom capabilities at build time.

The usual way to do that is to have your CIFS mount ready when you start your build process, as it'd not expose any authentication, device or mount point, as well as it's easier for docker to handle changes and react to them (since the build process works hard to cache everything before building it).

If you still want to do that, you'll need a few extra steps to enable the insecure flags from both the buildkitd and the docker buildx :

Mind that, as of today (2020-09-09), the support is still experimental and unforeseen consequences can happen.

1. Ensure that you're using docker version 19.03 or later.
2. Enable the experimental features, by adding the key "experimental":"enabled" to your ~/.docker/config.json
3. Create and use a builder that has the security.insecure entitlement enabled:

docker buildx create --driver docker-container --name local \
      --buildkitd-flags '--allow-insecure-entitlement security.insecure' \
      --use

4. Change your Dockerfile to use experimental syntax by adding before your first line:

# syntax = docker/dockerfile:experimental

5. Change the Dockerfile instruction so it runs the code without security constraints:

RUN --security=insecure /apps/docker-test/build.sh

6. Build your docker image using the BuildKit and the --allow security.insecure flag:

docker buildx build --allow security.insecure .

That way your build will be able to break free the security constraints. I must reiterate that that's not a recommended practice for a few reasons:

• It'll expose the building step for other images to escalate that permission hole.
• The builder cannot properly cache that layer, since it's using insecure features.

Keep that in mind and happy mounting :)

Answer 2

The answer I found, is to put the mount command into the run.sh file. As the command (or CMD) in the Dockerfile is only executed when running

docker-compose up

the mount will only be executed after the build, done beforehand, is already finished.

Therefore, before starting the python script, the mount command is executed. In my case, that only worked with the privileged flag set to true.