1 |
On Sunday, 19 May 2019 00:49:03 BST Rich Freeman wrote: |
2 |
|
3 |
> In general you can mount stuff in containers without issue. There are |
4 |
> two ways to go about it. One is to mount something on the host and |
5 |
> bind-mount it into the container, typically at launch time. The other |
6 |
> is to give the container the necessary capabilities so that it can do |
7 |
> its own mounting (typically containers are not given the necessary |
8 |
> capabilities, so mounting will fail even as root inside the |
9 |
> container). |
10 |
|
11 |
That's a useful wrinkle; thanks. |
12 |
|
13 |
> I believe the reason the wiki says to be careful with mounts has more |
14 |
> to do with UID/GID mapping. As you are using nfs this is already an |
15 |
> issue you're probably dealing with. You're probably aware that |
16 |
> running nfs with multiple hosts with unsynchronized passwd/group files |
17 |
> can be tricky, because linux (and unix in general) works with |
18 |
> UIDs/GIDs, and not really directly with names, so if you're doing |
19 |
> something with one UID on one host and with a different UID on another |
20 |
> host you might get unexpected permissions behavior. |
21 |
|
22 |
Nope. I'm alone here and have the same UID and GID everywhere. |
23 |
|
24 |
> In a nutshell the same thing can happen with containers, or for that |
25 |
> matter with chroots. If you have identical passwd/group files it |
26 |
> should be a non-issue. However, if you want to do mapping with |
27 |
> unprivileged containers you have to be careful with mounts as they |
28 |
> might not get translated properly. Using completely different UIDs in |
29 |
> a container is their suggested solution, which is fine as long as the |
30 |
> actual container filesystem isn't shared with anything else. That |
31 |
> tends to be the case anyway when you're using container |
32 |
> implementations that do a lot of fancy image management. If you're |
33 |
> doing something very minimal and just using a path/chroot on the host |
34 |
> as your container then you need to be mindful of your UIDs/GIDs if you |
35 |
> go accessing anything from the host directly. |
36 |
|
37 |
Minimal. Build binaries for another box, that's all. |
38 |
|
39 |
> The other thing I'd be careful with is mounting physical devices in |
40 |
> more than one place. Since you're actually sharing a kernel I suspect |
41 |
> linux will "do the right thing" if you mount an ext4 on /dev/sda2 on |
42 |
> two different containers, but I've never tried it (and again doing |
43 |
> that requires giving containers access to even see sda2 because they |
44 |
> probably won't see physical devices by default). In a VM environment |
45 |
> you definitely can't do this, because the VMs are completely isolated |
46 |
> at the kernel level and having two different kernels having dirty |
47 |
> buffers on the same physical device is going to kill any filesystem |
48 |
> that isn't designed to be clustered. In a container environment the |
49 |
> two containers aren't really isolated at the actual physical |
50 |
> filesystem level since they share the kernel, so I think you'd be fine |
51 |
> but I'd really want to test or do some research before relying on it. |
52 |
|
53 |
Good point. I'll bear it in mind. |
54 |
|
55 |
> In any case, the more typical solution is to just mount everything on |
56 |
> the host and then bind-mount it into the container. So, you could |
57 |
> mount the nfs in /mnt and then bind-mount that into your container. |
58 |
> There is really no performance hit and it should work fine without |
59 |
> giving the container a bunch of capabilities. |
60 |
|
61 |
Thanks Rich. You've given me the confidence to give containers a whirl. |
62 |
|
63 |
-- |
64 |
Regards, |
65 |
Peter. |