| 1 |
On Sunday, 19 May 2019 00:49:03 BST Rich Freeman wrote: |
| 2 |
|
| 3 |
> In general you can mount stuff in containers without issue. There are |
| 4 |
> two ways to go about it. One is to mount something on the host and |
| 5 |
> bind-mount it into the container, typically at launch time. The other |
| 6 |
> is to give the container the necessary capabilities so that it can do |
| 7 |
> its own mounting (typically containers are not given the necessary |
| 8 |
> capabilities, so mounting will fail even as root inside the |
| 9 |
> container). |
| 10 |
|
| 11 |
That's a useful wrinkle; thanks. |
| 12 |
|
| 13 |
> I believe the reason the wiki says to be careful with mounts has more |
| 14 |
> to do with UID/GID mapping. As you are using nfs this is already an |
| 15 |
> issue you're probably dealing with. You're probably aware that |
| 16 |
> running nfs with multiple hosts with unsynchronized passwd/group files |
| 17 |
> can be tricky, because linux (and unix in general) works with |
| 18 |
> UIDs/GIDs, and not really directly with names, so if you're doing |
| 19 |
> something with one UID on one host and with a different UID on another |
| 20 |
> host you might get unexpected permissions behavior. |
| 21 |
|
| 22 |
Nope. I'm alone here and have the same UID and GID everywhere. |
| 23 |
|
| 24 |
> In a nutshell the same thing can happen with containers, or for that |
| 25 |
> matter with chroots. If you have identical passwd/group files it |
| 26 |
> should be a non-issue. However, if you want to do mapping with |
| 27 |
> unprivileged containers you have to be careful with mounts as they |
| 28 |
> might not get translated properly. Using completely different UIDs in |
| 29 |
> a container is their suggested solution, which is fine as long as the |
| 30 |
> actual container filesystem isn't shared with anything else. That |
| 31 |
> tends to be the case anyway when you're using container |
| 32 |
> implementations that do a lot of fancy image management. If you're |
| 33 |
> doing something very minimal and just using a path/chroot on the host |
| 34 |
> as your container then you need to be mindful of your UIDs/GIDs if you |
| 35 |
> go accessing anything from the host directly. |
| 36 |
|
| 37 |
Minimal. Build binaries for another box, that's all. |
| 38 |
|
| 39 |
> The other thing I'd be careful with is mounting physical devices in |
| 40 |
> more than one place. Since you're actually sharing a kernel I suspect |
| 41 |
> linux will "do the right thing" if you mount an ext4 on /dev/sda2 on |
| 42 |
> two different containers, but I've never tried it (and again doing |
| 43 |
> that requires giving containers access to even see sda2 because they |
| 44 |
> probably won't see physical devices by default). In a VM environment |
| 45 |
> you definitely can't do this, because the VMs are completely isolated |
| 46 |
> at the kernel level and having two different kernels having dirty |
| 47 |
> buffers on the same physical device is going to kill any filesystem |
| 48 |
> that isn't designed to be clustered. In a container environment the |
| 49 |
> two containers aren't really isolated at the actual physical |
| 50 |
> filesystem level since they share the kernel, so I think you'd be fine |
| 51 |
> but I'd really want to test or do some research before relying on it. |
| 52 |
|
| 53 |
Good point. I'll bear it in mind. |
| 54 |
|
| 55 |
> In any case, the more typical solution is to just mount everything on |
| 56 |
> the host and then bind-mount it into the container. So, you could |
| 57 |
> mount the nfs in /mnt and then bind-mount that into your container. |
| 58 |
> There is really no performance hit and it should work fine without |
| 59 |
> giving the container a bunch of capabilities. |
| 60 |
|
| 61 |
Thanks Rich. You've given me the confidence to give containers a whirl. |
| 62 |
|
| 63 |
-- |
| 64 |
Regards, |
| 65 |
Peter. |
Archives