docker-for-mac-nfs
Magic. But problems with file permissions.
Hey,
this thing works like magic, just dropped my response times 4 times. But in one image I am writing a file to a directory via PHP; it works with the default Docker setup, but using yours the write fails with "Permission denied".
Maybe there are some issues while you sync the folders?
Greets Marcus
Just ssh'd into the container. The folder permissions seem to be correct, but the owner is dialout, I guess that's the problem.
Edit: Checked the original setup again. Docker mounts with root:root, not with dialout.
Also the official MariaDB/MySQL Docker container mounts fail, so the container exits on start:
db_1 | chown: changing ownership of '/var/lib/mysql/aria_log.00000001': Operation not permitted
db_1 | chown: changing ownership of '/var/lib/mysql/aria_log_control': Operation not permitted
db_1 | chown: changing ownership of '/var/lib/mysql/ib_logfile0': Operation not permitted
db_1 | chown: changing ownership of '/var/lib/mysql/ib_logfile1': Operation not permitted
db_1 | chown: changing ownership of '/var/lib/mysql/ibdata1': Operation not permitted
db_1 | chown: changing ownership of '/var/lib/mysql/multi-master.info': Operation not permitted
db_1 | chown: cannot read directory '/var/lib/mysql/mysql': Permission denied
Woah, I was testing this, and just now noticed there's some sort of protection built-in:
# docker run --rm -it -v $HOME/foo:/foo debian:jessie /bin/bash
docker: Error response from daemon: Mounts denied:
The path /Users/me/foo
is not shared from OS X and is not known to Docker.
You can configure shared paths from Docker -> Preferences... -> File Sharing.
See https://docs.docker.com/docker-for-mac/osxfs/#namespaces for more info.
..
But strangely, docker-compose ignores this, and that's what I've always used while testing.
I'm not sure if there's a way to change ownership of what the VM sees. I believe the -mapall 501:20 in the host /etc/exports tells nfsd to ignore whatever UID the client sends and use 501:20 instead. But there's apparently no mount option to, say, make everything on the client appear as root:root.
I couldn't quickly test mariadb, not sure if the permission errors are happening because mariadb and PHP workers run as non-root in the container, thus the access is denied in the VM before the request even reaches the NFS filesystem module.
Isn't it just the permissions inside the machine? What if you change the mount parameters here https://github.com/stephank/docker-for-mac-nfs/blob/master/extra/etc/init.d/usermount#L14 ? There are some params where you can define the user and the group the mounts should have, aren't there?
I am just poking around here, I am absolutely no expert in these things, I just saw that when I start with your tool the user/group of the mounted files/folders is dialout:dialout and without your tool it's root:root. So I thought maybe this is just a mount option.
As for maria db, try this:
db:
  image: mariadb:10.1.14
  volumes:
    - ./tmp:/var/lib/mysql
  ports:
    - "8010:3306"
  networks:
    - default
The host tmp folder maps to the mysql data dir for persistence of the mysql data. When you watch the start logs it gets permission denied.
Edit: in docker-compose obviously ;)
Unfortunately, there are no such options. I think I read somewhere the OSXFS behaviour is to store VM permissions inside extended attributes on the host, and where the attribute is missing, maps it to root:root. But NFS just gives the client the exact ownership IDs from the host, and expects the client to have matching users.
There is bindfs, which'd mean an extra mount layer to set up.
Funny thing, that docker-compose.yml doesn't work either! It's only when the target is . that it seems to allow the mount:
volumes:
  - .:/var/lib/mysql
This may actually be a bug in their mount check. ;)
But I did get the permissions errors eventually, just not sure how to fix them. The only permissions related option I can find is -maproot/-mapall in /etc/exports. Removing it would allow the client to perform operations as other users on the host, but removing it also doesn't seem to help with the issue.
So this wouldn't work i guess: http://superuser.com/questions/320415/linux-mount-device-with-specific-user-rights/320640#320640
Yeah, the uid/gid mount options don't seem to work for nfs:
# mount -t nfs -o noacl,noatime,nolock,async,uid=501,gid=20 192.168.65.1:/Users /Users
mount.nfs: an incorrect mount option was specified
mount: mounting 192.168.65.1:/Users on /Users failed: Invalid argument
What about this? Just helping to research ;) http://serverfault.com/questions/240897/how-to-properly-set-permissions-for-nfs-folder-permission-denied-on-mounting-en/241272#241272
@stephank on d4m-nfs, to get around some perm problems, I had to change the /etc/exports to map to root:wheel, so your example would be:
/Users -mapall=0:0 localhost
Obviously you only want to do this if you trust everything running in your containers.
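As an added example (not part of the thread, and not code from docker-for-mac-nfs or d4m-nfs), the following sketch audits export lines like the ones discussed above and flags mappings that hand root on the host files to NFS clients. The sample exports content, the paths other than /Users, and the severity labels are constructed for illustration; it accepts both the `-mapall=0:0` form and the space-separated `-mapall 501:20` spelling used earlier in the thread.

```python
import re

# Constructed sample in the exports syntax used in this thread; not from a real host.
SAMPLE_EXPORTS = """\
/Users -mapall=501:20 localhost
/Volumes/work -mapall=0:0 localhost
/srv/data -maproot=root localhost
/opt/build localhost
# /old -mapall=0:0 localhost
"""

MAP_OPT = re.compile(r"-(mapall|maproot)(?:=|\s+)(\S+)")
ROOT = {"0", "root"}


def audit_exports(text):
    """Return (line_no, paths, severity, detail) for each export line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # Leading tokens that start with "/" are the exported directories.
        paths = []
        for tok in line.split():
            if not tok.startswith("/"):
                break
            paths.append(tok)
        m = MAP_OPT.search(line)
        if m is None:
            sev, detail = "review", "no -mapall/-maproot: client-supplied UIDs are honoured"
        else:
            opt, cred = m.groups()
            user = cred.split(":", 1)[0]
            if user in ROOT and opt == "mapall":
                sev, detail = "high", "every client user acts as root on the host files"
            elif user in ROOT:
                sev, detail = "high", "client root keeps root on the host files"
            elif opt == "mapall":
                sev, detail = "ok", f"all client access squashed to {cred}"
            else:
                sev, detail = "review", f"only client root is remapped (to {cred})"
        findings.append((line_no, paths, sev, detail))
    return findings


if __name__ == "__main__":
    for line_no, paths, sev, detail in audit_exports(SAMPLE_EXPORTS):
        print(f"line {line_no}: {' '.join(paths)} [{sev}] {detail}")
```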
Can confirm, at least the mysql permissions issue is gone with @if-kenn 's fix. Testing all the other stuff now.
The other (normal) compose containers still have the 502:dialout user:group. But still, it only affects the mounted folders.