Protecting access to NFS shares in Docker
I would like people to access NFS shares from within Docker. The problem is that inside Docker they can become root, and then they can get write access to anyone's files by becoming that user. Is there a solution for this?
  • Great question! I am also working with securing Docker. I don't have a thorough answer for you. Have you looked at the nosuid, root_squash & nodev mounting options in your docker container?

    – Scottie H
    Mar 13 at 21:23

  • Are you allowing your users to run any arbitrary container image, with any options? Or are you in control of this?

    – ctrl-alt-delor
    Mar 31 at 10:47
files filesystems security nfs docker
asked Mar 13 at 18:19

Paul Atreides
4 Answers
One possible solution would be to mount the NFS shares on the docker nodes instead of inside the containers. In this way, a container would only get access to a volume inside the share that you specify in your compose file, not the entire share itself. This is the approach I'm taking at my company, and it seems to work decently well for our small-scale deployment. Another benefit to us is that it was easier to secure via stunnel since the number of servers mounting the share was substantially reduced.
answered Mar 27 at 14:05

Jason
If the user can get root in the container and can see the other users' files, there really isn't anything you can do to prevent them altering those files.

So you must prevent that happening: either limit what the container can "see" to the files it may be allowed to write, or prevent the container obtaining root.

Jason's suggestion is nice - limiting the container's "view" into the share so it can only access files it should be allowed to write.

However, if you want the container to be able to read other people's files, well, you're going to have to prevent root.

Or get really familiar with SELinux, cgroups, and maybe other such granular controls.

I don't expect this is the answer you're hoping for. If someone gives you a way to do this, I would love to hear it.
answered Apr 2 at 0:32

Mike Diehn
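Jason's and Mike Diehn's advice combined in a host-side launcher, added here as an example and not code from either answer: the export is mounted once on the host, a user can only bind-mount one subdirectory of it into a container, and the container never runs as root. SHARE_ROOT (/mnt/nfs/projects), the uid/gid values, the image name and the directory names are all assumed.

```shell
#!/bin/sh
# Constrained launcher: users start containers only through this script,
# never with a raw "docker run" (the point of ctrl-alt-delor's comment).
# The NFS export is mounted ONCE on the host at SHARE_ROOT (assumed path);
# a container gets a bind mount of a single subdirectory, as a non-root
# uid, with all capabilities dropped so it cannot setuid() to another user.

SHARE_ROOT="${SHARE_ROOT:-/mnt/nfs/projects}"   # assumed host-side mount point

# Canonicalise SHARE_ROOT/<req> (symlinks and ".." are resolved by pwd -P)
# and refuse anything that is not a proper subdirectory of the share: the
# share itself, paths that climb out of it, symlinks that point outside it.
resolve_subdir() {
    req="$1"
    root=$(cd -- "$SHARE_ROOT" 2>/dev/null && pwd -P) || return 1
    abs=$(cd -- "$root/$req" 2>/dev/null && pwd -P) || return 1
    case "$abs" in
        "$root"/*) printf '%s\n' "$abs" ;;
        *)         return 1 ;;
    esac
}

# Print the docker run command for uid:gid, subdirectory, image and mode.
# Root (uid 0) inside the container would bypass DAC on the share, so it is
# refused; --cap-drop ALL removes CAP_SETUID and CAP_DAC_OVERRIDE, and
# no-new-privileges stops setuid binaries in the image from regaining them.
# mode "ro" (default "rw") makes the bind mount read-only.
build_run_cmd() {
    uid="$1"; gid="$2"; req="$3"; image="$4"; mode="${5:-rw}"
    [ "$uid" -gt 0 ] 2>/dev/null || return 1
    [ "$gid" -gt 0 ] 2>/dev/null || return 1
    dir=$(resolve_subdir "$req") || return 1
    case "$mode" in
        ro) ro=",readonly" ;;
        rw) ro="" ;;
        *)  return 1 ;;
    esac
    printf 'docker run --rm --user %s:%s --cap-drop ALL --security-opt no-new-privileges --mount type=bind,source=%s,target=/data%s %s\n' \
        "$uid" "$gid" "$dir" "$ro" "$image"
}

# Typical use: "launch.sh <subdir> <image> [ro]" with the caller's own uid/gid.
if [ "$#" -ge 2 ]; then
    build_run_cmd "$(id -u)" "$(id -g)" "$1" "$2" "${3:-rw}" || { echo "refused" >&2; exit 1; }
fi
```

The script only prints the command so it can be reviewed or wrapped in sudo rules; replace the final printf with an exec once the policy suits your site.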
You’d like an answer “drawing from credible and official source”, but the thing is that there can be several solutions, and the “best” one depends on the overall configuration in place and the amount of complexity that you’re willing to undergo to obtain the desired result.

Therefore you should describe at least an overview of your current setup, upon which we can try to provide a comprehensive answer.

So far, the most I can say, as a general idea, is that the first step is to mount the NFS shares from the Docker machine, not from the containers, and then distribute portions of that share to the respective containers via the usual methods available in Docker. This may already not be a simple task if you have a cluster of Docker machines hosting your containers.

Anyway, that is also not enough to avoid free access to the files in that portion by the root user of that container, and to achieve such finer control you need to configure ACLs (Access Control Lists), whether at the NFS level or at the server’s file-system level. For either of these two options you need to be the sysadmin of the NFS server, which has to have the notion (at least some notion) of the user-ids assigned to each user of each container. If not all user-ids, at least groups of them, and then set up ACLs per group of users.

Look for NFS ACLs (NFSv4 would be better) to learn what can be done at the NFS level (quite a lot), and POSIX ACLs to learn about the file-system level. You may easily experiment with the latter by using the setfacl and getfacl commands at the command prompt. To have these commands available you may need to install the relevant package of your operating system.
answered Apr 2 at 10:16

LL3
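An added example (not LL3's code) of the POSIX-ACL side of this answer: the setfacl calls that lock a team subdirectory down on the server's file system, and a checker that reads getfacl output and computes the effective permission of a named group entry, which is the entry ANDed with the mask. The getfacl listings, the group name teamA and the paths are constructed; the check functions run offline, grant_team_acl needs the acl package.

```shell
#!/bin/sh
# Lock a subdirectory of the share down to one group with POSIX ACLs and
# verify the result from getfacl output, mask included.

# Constructed getfacl output for a correctly locked-down team directory.
SAMPLE_ACL='# file: projects/teamA
# owner: alice
# group: teamA
user::rwx
group::r-x
group:teamA:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:teamA:rwx
default:mask::rwx
default:other::---'

# Same entries but with a mask of r-x, e.g. after a careless "chmod g-w":
# the named group entry still reads rwx, yet its effective permission is r-x.
WEAK_ACL='user::rwx
group::r-x
group:teamA:rwx
mask::r-x
other::---
default:group:teamA:rwx
default:other::---'

# Apply the policy on the server: run as the NFS server's admin, as LL3 says.
# setfacl recalculates the mask, so the group really gets rwx; "o::---"
# removes access for everyone else; the default entries (directories only)
# make new files and subdirectories inherit the same rule.
grant_team_acl() {
    dir="$1"; group="$2"
    setfacl -R -m "g:$group:rwx,o::---" "$dir" || return 1
    find "$dir" -type d -exec setfacl -d -m "g:$group:rwx,o::---" {} + || return 1
}

# Effective permission of a named entry (kind = user|group) in getfacl
# output: each bit is granted only if both the entry and the mask have it.
# Exits 1 when the entry does not exist.
acl_effective() {
    printf '%s\n' "$1" | awk -F: -v kind="$2" -v name="$3" '
        $1 == "mask" && $2 == "" { mask = $3 }
        $1 == kind && $2 == name { perm = $3 }
        END {
            if (perm == "") exit 1          # no such named entry
            if (mask == "") mask = "rwx"    # no mask: nothing is masked
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((c != "-" && c == m) ? c : "-")
            }
            print out
        }'
}

# Policy check for one directory: the group has effective rwx, "other" has
# nothing, and the default ACL carries both rules on to new files.
acl_check_private() {
    acl="$1"; group="$2"
    eff=$(acl_effective "$acl" group "$group") || return 1
    [ "$eff" = "rwx" ] || return 1
    printf '%s\n' "$acl" | grep -qx 'other::---' || return 1
    printf '%s\n' "$acl" | grep -qx 'default:other::---' || return 1
    printf '%s\n' "$acl" | grep -qx "default:group:$group:rwx" || return 1
}

# Audit a live directory (assumed path) with the same check.
audit_dir() {
    acl_check_private "$(getfacl -p "$1" 2>/dev/null)" "$2"
}
```

Run audit_dir over every team directory after any chmod, since chmod on the group bits silently rewrites the mask and that is what the WEAK_ACL case catches.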
Have you looked at FUSE-mounting the NFS share on the host? When I use FUSE to mount over ssh (sshfs), it is mounted as me; root does not get any special permissions on these files (sudo is ineffective).
answered Mar 31 at 10:51

ctrl-alt-delor