mount.cifs within a container #22197

Closed
psi-4ward opened this issue Apr 20, 2016 · 7 comments
Comments

@psi-4ward

Trying to mount.cifs results in "Unable to apply new capability set".

Tested docker run --cap-add SYS_ADMIN --cap-add MKNOD --device /dev/fuse
but with --privileged it's working.

Can anyone tell me how to track down which CAPs I need?

@cpuguy83
Member

@psi-4ward This is likely being filtered by seccomp.
You'd need to either turn off seccomp for the container or provide a new seccomp profile (which blocks mount, among other things, by default).

FYI, I believe MKNOD is available by default.

@psi-4ward
Author

I tried that: --cap-add SYS_ADMIN --security-opt seccomp=unconfined --device /dev/fuse but I still get the error.

Can I log the blocked calls?

@cpuguy83
Member

It's really difficult to tell what mount.cifs needs. It might be CAP_DAC_READ_SEARCH

@psi-4ward
Author

psi-4ward commented Apr 20, 2016

Works! THANKS! 👍

docker run ... \
  --cap-add SYS_ADMIN \
  --cap-add DAC_READ_SEARCH \
  shoifele/bareos-sd

Edit:
even without --security-opt seccomp=unconfined
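Why --cap-add SYS_ADMIN is enough on its own, and how to check a container before trying the mount: Docker's default seccomp profile denies mount(2) with SCMP_ACT_ERRNO unless the container holds CAP_SYS_ADMIN, so adding the capability also satisfies the seccomp rule. The following is an added example, not code from this issue or from Docker/moby. It decodes the CapEff mask that `grep Cap /proc/self/status` shows inside a container and evaluates a seccomp profile written in the same JSON shape as Docker's default profile (defaultAction plus syscalls entries with names, action and includes.caps). The profile fragment and the /proc/self/status excerpts are constructed for the example; the capability bit numbers are the kernel's.

```python
"""Will mount(2) get past seccomp in this container?

Added example for this thread; not code from the issue or from Docker/moby.
It decodes a CapEff mask as shown by /proc/self/status and evaluates a
seccomp profile in the same JSON shape as Docker's default profile.
The profile and the status lines below are constructed for the example.
"""
import json

# Capability bit numbers from the kernel's include/uapi/linux/capability.h.
CAP_BITS = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
    32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN", 34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND", 37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}


def decode_cap_mask(hex_mask):
    """Turn a CapEff/CapBnd hex mask from /proc/<pid>/status into capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in CAP_BITS.items() if (mask >> bit) & 1}


def caps_from_status(status_text, field="CapEff"):
    """Extract and decode one Cap* field from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == field:
            return decode_cap_mask(value.strip())
    raise KeyError(field)


def seccomp_action(profile, syscall, caps):
    """Action the profile applies to `syscall` for a container holding `caps`.

    A rule with includes.caps applies only if the container has every listed
    capability; a rule with excludes.caps applies only if it has none of them.
    The first matching rule wins; otherwise defaultAction applies.
    """
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        need = set(rule.get("includes", {}).get("caps", []))
        deny = set(rule.get("excludes", {}).get("caps", []))
        if need and not need <= caps:
            continue
        if deny and deny & caps:
            continue
        return rule["action"]
    return profile["defaultAction"]


# Constructed profile fragment in Docker's default-profile JSON shape: anything
# not listed is denied, and mount/umount2/setns/unshare are allowed only with
# CAP_SYS_ADMIN.  The real file is much longer; this keeps only what matters here.
PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["open", "openat", "read", "write", "ioctl", "socket", "connect"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["mount", "umount2", "setns", "unshare"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["mknod", "mknodat"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_MKNOD"]}},
    {"names": ["ptrace"],
     "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_PTRACE"]}}
  ]
}
""")

# Constructed /proc/self/status excerpts.  a80425fb is the 14-capability set a
# Docker container gets by default; a82425ff adds SYS_ADMIN (bit 21) and
# DAC_READ_SEARCH (bit 2), i.e. the two --cap-add flags from the thread.
STATUS_DEFAULT = "Name:\tmount.cifs\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
STATUS_CAPADD = "Name:\tmount.cifs\nCapEff:\t00000000a82425ff\nCapBnd:\t00000000a82425ff\n"


def explain(status_text, syscall="mount"):
    """Return (seccomp action, sorted caps still missing for an allow rule)."""
    caps = caps_from_status(status_text)
    action = seccomp_action(PROFILE, syscall, caps)
    needed = set()
    for rule in PROFILE["syscalls"]:
        if syscall in rule["names"]:
            needed |= set(rule.get("includes", {}).get("caps", []))
    return action, sorted(needed - caps)


if __name__ == "__main__":
    for label, status in (("default caps", STATUS_DEFAULT),
                          ("--cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH", STATUS_CAPADD)):
        action, missing = explain(status)
        print(f"{label}: mount(2) -> {action}; missing caps: {missing or 'none'}")
```

To use it against a real container, copy the CapEff line from `grep Cap /proc/self/status` run inside the container into the status text, and load the daemon's actual profile (the file passed with --security-opt seccomp=...) into PROFILE. Note that this only answers the seccomp question; the kernel's own permission checks for the mount still apply, which is where CAP_DAC_READ_SEARCH comes in, and a remaining failure with both capabilities present is not a seccomp denial.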

@samuela

samuela commented Sep 16, 2019

I'm trying the --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH config which got rid of the capability errors, but I'm still stuck with

mount error(11): Resource temporarily unavailable
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

even though the exact same mount command works fine in a VM.

@gekmcfh

gekmcfh commented Oct 5, 2019

> I'm trying the --cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH config which got rid of the capability errors, but I'm still stuck with
>
> mount error(11): Resource temporarily unavailable
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> even though the exact same mount command works fine in a VM.

Originally it was

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I'm trying to achieve the same with docker-compose.yml:

services:
  app:
    build: .
    container_name: app
    networks:
      net:
        ipv4_address: 10.0.10.10
    volumes:
      - .:/code
    ports:
      - 80:80
    depends_on:
      - db
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH

When I inspect the container after docker-compose up for the capabilities, here they are:

docker inspect a8afc275544a | grep -i cap -B 3
            "CapAdd": [
                "SYS_ADMIN",
                "DAC_READ_SEARCH"
            ],
            "CapDrop": null,
            "Capabilities": null,

but when trying to mount via mount -t or fstab, still getting

mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

upd.
--privileged did the trick.

@pustekuchen91

Hey,

same error "no permission" like @gekmcfh.

--privileged seems to add every capability. So it seems that one is missing? I tried some, but didn't find out which one could be missing.

dmesg shows this error: CIFS: VFS: \\xyz.mydomain\IPC$ ioctl error in smb2_get_dfs_refer rc=-112. Could this be a hint?
