Docker with an NFS volume - user permission problems

Hello there,

I run the duplicati docker container with a --volume that is an NFS-mounted folder from my NAS; it is owned by uid 1000 and gid 1000. I’ve mounted it at /test inside the container using:
docker run --volume /media/NAS/localTest:/test --network host duplicati/duplicati

My problem is that root, which is the user Duplicati is launched as, can’t access this test folder.

When I docker exec -ti /bin/bash into this container as root, I can see the test folder, but I can’t read what it contains.

# ls -l
drwxrwx---   1 1000 1000   60 Dec  6 22:07 test
# cd test/
bash: cd: test/: Permission denied

I’ve tried creating a group test with gid 1000 and making root part of that group, but somehow that still doesn’t let me in:

# groupadd -g 1000 test
# usermod -a -G test root
# groups root
root : root test
# ls /test
ls: cannot open directory /test: Permission denied

I’ve also tried launching the container with --user 1000:1000, but the Duplicati server app fails:

docker run --volume /media/NAS/localTest:/test --user 1000:1000 --network host duplicati/duplicati
A serious error occurred in Duplicati: System.Exception: Failed to create, open or upgrade the database.
Error message: Access to the path "/data/Duplicati" is denied.
  at Duplicati.Server.Program.GetDatabaseConnection (System.Collections.Generic.Dictionary`2[TKey,TValue] commandlineOptions) [0x00229] in <c5f097a49c0a4f1fb0f93cf3f5f218b1>:0 
  at Duplicati.Server.Program.RealMain (System.String[] _args) [0x001a7] in <c5f097a49c0a4f1fb0f93cf3f5f218b1>:0 

Do you know of any way to launch the container and let root access this folder?

NFS servers can map root to something less dangerous, like nobody:nogroup. See Root squash.
You could test by creating a folder with completely open permissions, then making a file and running ls -l on it.
If you’re getting root squash, then you need to figure out how to turn it off or open perms up further…
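The probe the reply above describes, written out as an added shell example that is not part of the thread: it creates a world-writable scratch directory in the mount, writes a file into it, and compares the owner uid the server reports for that file with the caller's own uid. /test is an assumed path; run the script as root inside the container against the volume. It assumes GNU stat (Linux) and falls back to the BSD form.

```shell
#!/bin/sh
# Added example (not from the original thread): probe an NFS mount for root
# squash. A 0777 scratch dir is used so that even a squashed root (mapped to
# nobody) can create the test file; the owner the server records then tells
# us which uid the server actually saw.

# Print the numeric owner uid of a path (GNU stat, then BSD stat).
file_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# Usage: detect_root_squash DIR
# Prints "not-squashed", "squashed" or "unwritable". Exit status 0 when a
# verdict was reached, 1 when nothing could be created in DIR at all.
detect_root_squash() {
    probe="$1/.squash-probe.$$"
    if ! mkdir -m 0777 "$probe" 2>/dev/null; then
        echo unwritable
        return 1
    fi
    : > "$probe/file"
    owner=$(file_uid "$probe/file")
    rm -rf "$probe"
    if [ "$owner" = "$(id -u)" ]; then
        echo not-squashed
    else
        # e.g. uid 0 wrote the file but the server recorded 65534 (nobody)
        echo squashed
    fi
}

# Run against the volume when a directory is given, e.g.  sh probe.sh /test
if [ $# -gt 0 ]; then
    detect_root_squash "$1"
fi
```

Read the result together with who you are: local root ignores mode bits, so if you are uid 0 and the probe reports unwritable on a directory that plain mode bits would deny (like the drwxrwx--- 1000 1000 folder in the question), that denial by itself means the server is not treating you as root.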

Thanks a lot for your answer. I ended up figuring out that NFS permissions are far from simple and, whatever the Linux permissions are, the server can actually override them.

I’ve also been able to set up ACLs so that my local MyUser (UID 1000) as well as the duplicati docker container (root) can access it. Here is what the ACL looks like. Root squash is set up as well.

# getfacl /NAS/Some_Folder/
getfacl: Removing leading '/' from absolute path names
# file: NAS/Some_Folder/
# owner: root
# group: root
user::rwx
user:MyUser:rwx
group::rwx
group:MyUser:rwx
mask::rwx
other::---
default:user::rwx
default:user:MyUser:rwx
default:group::rwx
default:group:MyUser:rwx
default:mask::rwx
default:other::---

Although the Linux permissions show the following, MyUser is not part of the root group:

$ ls -l /media/MyDir
total 0
drwxrwx--- 1 root root  42 Oct  7 20:42 Desktop
drwxrwx--- 1 root root 416 Nov 22 21:44 Downloads

I can actually read/write inside this folder as MyUser, and so can the docker container’s root when the folder is mounted as a volume.

This is what I wanted to achieve… I’m not 100% confident it’s the best approach though; any feedback would be greatly appreciated.
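Reproducing the ACL from the post above with setfacl, as an added shell example that is not the poster's own commands: it applies the named-user and named-group entries together with an explicit rwx mask (a narrower mask would silently clip the entries), sets the same default ACL so new files inherit it, and parses getfacl output to confirm the entry is actually effective. MyUser and the directory path are placeholders; a group named MyUser is assumed to exist, matching the group:MyUser entry in the post.

```shell
#!/bin/sh
# Added example, not from the original thread. Applies the ACL shown above
# and checks that it is effective. MyUser and DIR are placeholders; a group
# named MyUser is assumed to exist, as in the post.

# Entries for one principal: named user, named group, a mask that does not
# clip them, and nothing for others. The same spec serves as the default ACL.
acl_spec() {
    printf 'u:%s:rwx,g:%s:rwx,m::rwx,o::---' "$1" "$1"
}

# Usage: apply_acl DIR NAME
# -m sets the access ACL; -d -m sets the default ACL inherited by new entries.
apply_acl() {
    setfacl -m "$(acl_spec "$2")" "$1"
    setfacl -d -m "$(acl_spec "$2")" "$1"
}

# Usage: getfacl DIR | acl_grants_rwx NAME
# Succeeds only if NAME has an rwx user entry AND the mask is rwx. getfacl
# appends "#effective:..." to clipped entries, so an exact-line match also
# rejects an entry that looks like rwx but is cut down by the mask.
acl_grants_rwx() {
    acl=$(cat)
    printf '%s\n' "$acl" | grep -qx "user:$1:rwx" || return 1
    printf '%s\n' "$acl" | grep -qx 'mask::rwx' || return 1
}

# Apply and verify when DIR and NAME are given, e.g.
#   sh acl.sh /NAS/Some_Folder MyUser
if [ $# -eq 2 ]; then
    apply_acl "$1" "$2"
    getfacl "$1" | acl_grants_rwx "$2" && echo "ACL for $2 on $1 is effective"
fi
```

Two things to keep in mind with this setup. The ACL is enforced on the server, so check it with getfacl there; what an NFS client displays depends on the NFS version and whether an ACL side protocol is in use, which is why ls -l on the client can show only the plain mode bits. And other::--- gives a squashed root mapped to nobody nothing at all, so for the container's root to get in through this ACL the export's squash must map uid 0 to MyUser (anonuid/anongid on a Linux export, or the NAS equivalent) rather than to nobody.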

I use neither NFS nor Linux ACLs (which are not the same as NFS ACLs, but must be translated).
Maybe somebody else can comment, or you’ll need to consult the wider Internet (or try searching).