-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mounting in running container #9448
Comments
Mount requires CAP_SYS_ADMIN, which is not allowed in the default container. |
this comes up often enough that we should add an example to the docs. |
Thank you for your answers! Inside container started with --cap-add SYS_ADMIN:
With --privileged it works. |
Are you on a system like ubuntu that has apparmor? This could be apparmor blocking the mount, you can look in |
My host has Ubuntu 12.04.
But still when I start container with --cap-add SYS_ADMIN I cannot use sshfs:
In dmesg I see lots of messages like this:
When docker-default was in enforce mode, I didn't see docker-related messages in dmesg. In container started with --privileged I can mount host folders with sshfs. |
You should try adding |
Thank you, Tianon!
By the way, without --cap-add SYS_ADMIN the error message is different (was "fuse: failed to open /dev/fuse: Operation not permitted" before):
Thank you all for your help! The final answer: |
Going to close this then, glad everything is working :) |
reopening as it really needs docs. |
Assigning to @SvenDowideit so hopefully this does not sit open for a long long time. |
I am using fuse with s3fs. I used to able to mount with
I think the doc should be updated. (I like to be proved otherwise.) |
@thomasyip This looks like an issue with some changes made in the apparmor profile. |
Thank you @cpuguy83 for the info. Indeed, it looks like the issue from docker. Might still worthy to add a note to the doc. Look like it affects docker since 1.5 and has not been fixed. |
Many thanks, @thomasyip (+ others) - I think you saved me a fair amount of legwork with your docker args! `--privileged --cap-add=MKNOD --cap-add=SYS_ADMIN --device=/dev/fuse` Those worked great for me. |
There is no need for to |
@hairyhenderson Correct, no apparmor, but now we have a default seccomp profile which blocks mount. |
@cpuguy83 ahh... So is |
@hairyhenderson No, but do need to supply a seccomp profile which enables mount. |
@cpuguy83 - ok, thanks! I'm reading https://github.com/docker/docker/blob/master/docs/security/seccomp.md now. One thing that strikes me as odd is that |
well and you need --cap-add SYS_ADMIN On Wed, Feb 3, 2016 at 10:44 AM, Brian Goff notifications@github.com
Jessie Frazelle |
and to not be running apparmor, then you are golden On Wed, Feb 3, 2016 at 10:49 AM, Jessica Frazelle me@jessfraz.com wrote:
Jessie Frazelle |
we like to have layers of protection :) On Wed, Feb 3, 2016 at 10:50 AM, Dave Henderson notifications@github.com
Jessie Frazelle |
multiple things like ptrace, are blocked by three layers, its nice to have On Wed, Feb 3, 2016 at 10:51 AM, Jessica Frazelle me@jessfraz.com wrote:
Jessie Frazelle |
@jfrazelle - yeah, multiple layers are good I suppose... 😉 I'm having trouble providing a profile: $ docker run -it --rm --cap-add=mknod --cap-add=sys_admin --device /dev/fuse --security-opt sec comp:`pwd`/my_seccomp_profile.json myimage
Error response from daemon: Cannot start container 45a9c0f53f383f2f42ec345a740a6062aff0c731c9016c5c8546b2fb48533f10: Decoding seccomp profile failed: invalid character '/' looking for beginning of value |
My bad - my client was v1.9.1. When I flipped back to v1.10 it works just fine. Thank you! 😁 |
Do you happen to know how I can start an already existing container with those flags? |
@Rick7C2 you can't, you need to start a new container with those options. Depending on your use case, you can start a privileged session in an existing container through |
The comments about seccomp:unconfined above might be out of date. As mentioned in #16429 you need
|
Was able to get it working with:
and
ubuntu-fuse is based off phusion/baseimage-docker I'm new to Docker so it's possible some of the args are redundant, except |
Sorry to open this again, is it not possible to add these to Dockerfile so that we can prevent writing each time we are running it? |
@sarpk no; a container / image itself should not be able to gain privileges by itself; that would really be dangerous because simply running that image would give it root access to your host; and basically remove all the isolation / security that containers bring. Giving privileges needs to be an explicit action, that you set at runtime (on |
|
|
Necessary for an Ubuntu 16.04, Docker 17.09.0-ce host See moby/moby#9448 (comment)
Any idea how to do this without the dangerous CAP_SYS_ADMIN? |
Being able to use fuse without SYS_ADMIN would be very helpful, this is needed for running AppImages inside docker. |
use kernel module mount cephfs
with fuse mount also is very good |
Hi!
After capabilities have been introduced, I thought it is now possible to mount external folders (from the host or remote machine with SSHFS) inside running containers without use of --privileged. Am I wrong?
I run Docker 1.3.1 and I cannot mount without --privileged.
Here is a similar issue: #6535
Kind regards,
Peter
The text was updated successfully, but these errors were encountered: