#StackBounty: #docker #samba mount.cifs in Docker from another container requires privilege

Bounty: 100

My use case is a transcode farm that reads inputs from a Samba share and writes it to another.

Using mount.cifs in Docker requires both the SYS_ADMIN and DAC_READ_SEARCH capabilities. I am able to use two hosts, run smbd on one host, and mount its share on the other. (Both smbd and mount are run inside containers, just on different hosts.)

However, I cannot, using the same mount command, mount the Samba share on the host with the container that’s running smbd.

EDIT: It works on Docker Desktop but fails on a Linux host (with the same Docker Engine server version).

TL;DR: the following Docker Compose file fails UNLESS I give it privileged access.

Environments:

  - Working: Docker for Mac
  - Not working: bare-metal Linux (Ubuntu 18.04.4, kernel 4.15.0-91-generic, Docker 19.03.8, containerd 1.2.13)
  - Not working: Hyper-V-virtualized Linux (Ubuntu 19.04, kernel 5.0.0-38-generic, Docker 19.03.6, containerd 1.2.13)

version: '3.4'

services:
  samba:
    image: dperson/samba
    environment:
      TZ: 'EST5EDT'
    networks:
      - default
    ports:
      - "137/udp"
      - "138/udp"
      - "139/tcp"
      - "445/tcp"
    tmpfs:
      - /tmp
    restart: unless-stopped
    stdin_open: true
    tty: true
    volumes:
      - /samba-data
    # single quotes keep the ';' arguments intact when Compose word-splits the command string
    command: "/bin/bash -c \"touch /samba-data/file.txt && samba.sh -s 'data;/samba-data' -u 'bob;bob' -p\""
  mounter:
    image: ubuntu
    command: '/bin/bash -c "apt update && apt install -y cifs-utils && mkdir /samba-data && mount -v -o username=bob,password=bob,vers=3.0,ro,port=445 //samba/data /samba-data"'
    tty: true
#   privileged: true
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
networks:
  default:

My questions:

  1. Why is privileged required when running on the same Docker host?
  2. Can I make it more restrictive (by giving it only what it needs)?
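As an added diagnostic (not part of the question or of the dperson/samba image), the following POSIX shell script can be run inside the mounter container before the mount command. It decodes the CapBnd/CapEff masks from /proc/self/status, reports whether the two capabilities the question names for mount.cifs actually reached the process, and prints the LSM confinement label from /proc/self/attr/current where one exists, so the working and failing hosts can be compared field by field; the sample mask it reports on first is constructed from Docker's default capability list.

```shell
#!/bin/sh
# Added diagnostic for the mounter container (not from the question).
# Decodes the capability masks in /proc/self/status and reports whether
# the two capabilities named for mount.cifs reached this process.
# Capability bit numbers are from linux/capability.h.
CAP_DAC_READ_SEARCH=2
CAP_SYS_ADMIN=21

# has_cap HEXMASK CAPNUM : succeed if bit CAPNUM is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_mask FIELD [STATUSFILE] : print the hex mask of e.g. CapEff or CapBnd
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# report HEXMASK : one "present"/"MISSING" line per required capability
report() {
    for pair in "DAC_READ_SEARCH $CAP_DAC_READ_SEARCH" "SYS_ADMIN $CAP_SYS_ADMIN"; do
        name=${pair% *}; bit=${pair#* }
        if has_cap "$1" "$bit"; then
            echo "CAP_$name: present"
        else
            echo "CAP_$name: MISSING"
        fi
    done
}

# Constructed sample: the mask of a stock Docker container (no cap_add),
# i.e. CHOWN, DAC_OVERRIDE, FOWNER ... SETFCAP, but neither capability above.
DEFAULT_DOCKER_CAPS=00000000a80425fb
echo "sample (default Docker caps):"; report "$DEFAULT_DOCKER_CAPS"

# Live check of this process, when running on Linux
if [ -r /proc/self/status ]; then
    for field in CapBnd CapEff; do
        echo "$field=$(cap_mask "$field")"; report "$(cap_mask "$field")"
    done
    # Which LSM profile confines us (AppArmor/SELinux), to compare between hosts
    if [ -r /proc/self/attr/current ]; then
        echo "LSM label: $(cat /proc/self/attr/current 2>/dev/null)"
    fi
fi
```

Run it in place of, or just before, the `mount -v ...` step in the mounter service; if both capabilities show as present yet the mount still fails, the capability set is not what differs between the hosts.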
