Mounting in running container

[pyotr777]

Hi!
After capabilities have been introduced, I thought it is now possible to mount external folders (from the host or remote machine with SSHFS) inside running containers without use of --privileged. Am I wrong?

I run Docker 1.3.1 and I cannot mount without --privileged.
Here is a similar issue: #6535

Kind regards,
Peter

[cpuguy83]

Mount requires CAP_SYS_ADMIN, which is not allowed in the default container.
You should be able to do this with "docker run --cap-add SYS_ADMIN

[SvenDowideit]

this comes up often enough that we should add an example to the docs.

[pyotr777]

Thank you for your answers!
I still get error when trying to mount host folder with sshfs.

Inside container started with --cap-add SYS_ADMIN:

root@cf3107829835:/# sshfs user@172.17.42.1:/home/user /mnt
fuse: failed to open /dev/fuse: Operation not permitted

With --privileged it works.

[crosbymichael]

Are you on a system like ubuntu that has apparmor? This could be apparmor blocking the mount, you can look in dmesg and you should see the apparmor blocking this call.

[pyotr777]

My host has Ubuntu 12.04.
I put apparmor docker-default profile into complain mode:

peter@poweredge320:~$ sudo apparmor_status
apparmor module is loaded.
9 profiles are loaded.
8 profiles are in enforce mode.
   /sbin/dhclient
   /usr/bin/lxc-start
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/named
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
   lxc-container-default
1 profiles are in complain mode.
   docker-default
3 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/named (1359)
   /usr/sbin/ntpd (1155)
1 processes are in complain mode.
   docker-default (16864)
0 processes are unconfined but have a profile defined.

But still when I start container with --cap-add SYS_ADMIN I cannot use sshfs:

root@e76cafc2dc34:/# sshfs peter@172.17.42.1:/home/peter/ /mnt
fuse: failed to open /dev/fuse: Operation not permitted

In dmesg I see lots of messages like this:

[1950461.070715] type=1400 audit(1417657285.832:282): apparmor="ALLOWED" operation="file_mmap" info="Failed name lookup" error=-13 parent=11128 profile="docker-default" name="var/lib/docker/aufs/diff/5bc37dc2dfba434d7551fa17ee9d3ebba6adab648cebc2f962e612855c4c580c/lib/x86_64-linux-gnu/libdl-2.19.so" pid=17038 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

When docker-default was in enforce mode, I didn't see docker-related messages in dmesg.

In container started with --privileged I can mount host folders with sshfs.

[tianon]

You should try adding --device /dev/fuse, too.

[pyotr777]

Thank you, Tianon!
Added --device /dev/fuse and voilà:

peter@poweredge320:~$ docker run -ti --cap-add SYS_ADMIN --device /dev/fuse peter/dev:sshfs /bin/bash
root@26cf4dc0a491:/# sshfs peter@172.17.42.1:/home/peter /mnt
peter@172.17.42.1's password:
...

By the way, without --cap-add SYS_ADMIN the error message is different (was "fuse: failed to open /dev/fuse: Operation not permitted" before):

11:36:26peter@poweredge320:~$ docker run -ti --name dev --device /dev/fuse peter/dev:sshfs /bin/bash
root@1d49112eaf95:/# sshfs peter@172.17.42.1:/home/peter/ /mnt
fusermount: mount failed: Permission denied

Thank you all for your help!

The final answer:
Use --cap-add SYS_ADMIN --device /dev/fuse to mount folders with sshfs in container.

[jessfraz]

Going to close this then, glad everything is working :)

[SvenDowideit]

reopening as it really needs docs.

[crosbymichael]

Assigning to @SvenDowideit so hopefully this does not sit open for a long long time.