Can't expose a fuse based volume to a Docker container

linux docker fuse
Oren picture Oren · Mar 4, 2015 · Viewed 8k times · Source

I'm trying to provide my docker container a volume of encrypted file system for internal use. The idea is that the container will write to the volume as usual, but in fact the host will be encrypting the data before writing it to the filesystem.

I'm trying to use EncFS - it works well on the host, e.g:

encfs /encrypted /visible

I can write files to /visible, and those get encrypted. However, when trying to run a container with /visible as the volume, e.g.:

docker run -i -t --privileged -v /visible:/myvolume imagename bash

I do get a volume in the container, but it's on the original /encrypted folder, not going through the EncFS. If I unmount the EncFS from /visible, I can see the files written by the container. Needless to say /encrypted is empty.

Is there a way to have docker mount the volume through EncFS, and not write directly to the folder? In contrast, docker works fine when I use an NFS mount as a volume. It writes to the network device, and not to the local folder on which I mounted the device.

Thanks

Answer

larsks picture larsks · Mar 8, 2015

I am unable to duplicate your problem locally. If I try to expose an encfs filesystem as a Docker volume, I get an error trying to start the container:

FATA[0003] Error response from daemon: Cannot start container <cid>:
setup mount namespace stat /visible: permission denied

So it's possible you have something different going on. In any case, this is what solved my problem:

By default, FUSE only permits the user who mounted a filesystem to have access to that filesystem. When you are running a Docker container, that container is initially running as root.

You can use the allow_root or allow_other mount options when you mount the FUSE filesystem. For example:

$ encfs -o allow_root /encrypted /other

Here, allow_root will permit the root user to have acces to the mountpoint, while allow_other will permit anyone to have access to the mountpoint (provided that the Unix permissions on the directory allow them access).

If I mounted by encfs filesytem using allow_root, I can then expose that filesystem as a Docker volume and the contents of that filesystem are correctly visible from inside the container.

Related questions

Docker can't connect to docker daemon

After I update my Docker version to 0.8.0, I get an error message while entering sudo docker version: Client version: 0.8.0 Go version (client): go1.2 Git commit (client): cc3a8c8 2014/02/19 12:54:16 Can't connect to docker daemon. Is 'docker -d' running on this …

Read More
Exploring Docker container's file system

I've noticed with docker that I need to understand what's happening inside a container or what files exist in there. One example is downloading images from the docker index - you don't have a clue what the image contains so …

Read More
Cannot connect to the Docker daemon at unix:/var/run/docker.sock. Is the docker daemon running?

I have applied every solution available on internet but still I cannot run Docker. I want to use Scrapy Splash on my server. Here is history of commands I ran. docker run -p 8050:8050 scrapinghub/splash sudo docker run -p 8050:8050 scrapinghub/…

Read More