My use case is a transcode farm that reads inputs from a Samba share and writes it to another.
mount.cifs in Docker requires both SYS_ADMIN and DAC_READ_SEARCH capabilities. I am able to use two hosts and run smbd on one host, and mount its share on another host. (Both smbd and mount are run inside containers, just on different hosts.)
However, I cannot, using the same mount command, mount the Samba share on the host with the container that’s running
EDIT: It works on Docker Desktop but fails on a Linux host. (With the same Docker engine server version)
TL;DR the following Docker Compose fails UNLESS I give it privileged access.
Environments: Working on Docker for Mac, Not working on bare-metal Linux (Ubuntu 18.04.4 4.15.0-91-generic Docker 19.03.8 containerd 1.2.13), Not working on Hyper-V-virtualized Linux (Ubuntu 19.04 5.0.0-38-generic Docker 19.03.6 containerd 1.2.13)
```yaml
version: '3.4'

services:
  samba:
    image: dperson/samba
    environment:
      TZ: 'EST5EDT'
    networks:
      - default
    ports:
      - "137/udp"
      - "138/udp"
      - "139/tcp"
      - "445/tcp"
    tmpfs:
      - /tmp
    restart: unless-stopped
    stdin_open: true
    tty: true
    volumes:
      - /samba-data
    command: '/bin/bash -c "touch /samba-data/file.txt && samba.sh -s "data;/samba-data" -u "bob;bob" -p"'

  mounter:
    image: ubuntu
    command: '/bin/bash -c "apt update && apt install -y cifs-utils && mkdir /samba-data && mount -v -o username=bob,password=bob,vers=3.0,ro,port=445 //samba/data /samba-data"'
    tty: true
    # privileged: true
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH

networks:
  default:
```
- Why is privileged required when running on the same Docker host?
- Can I make it more restrictive (by giving it only what it needs)?