I have a Docker host and an NFS server that shares a path like /storage with the Docker host. I can mount the NFS share directly on the Docker host or use an NFS volume to access the data on the share. Of course there are several subfolders per Docker container, like
- container1
  - vol1 on NFS:/storage/container1/vol1
- container2
  - vol1 on NFS:/storage/container2/vol1
  - vol2 on NFS:/storage/container2/vol2
- container3
  - vol1 on NFS:/storage/container3/vol1
  - vol2 on NFS:/storage/container3/vol2
- ...
When using NFS volumes directly via docker-compose.yml:

```yaml
...
volumes:
  file-vol:
    driver: local
    driver_opts:
      type: "nfs"
      device: ":/storage/container1/vol1"
      o: addr=nfshost,rw,nosuid,noatime,nfsvers=4
...
```

then inside the running container `mount` shows:

```
:/storage/container1/vol1 on /var/www/html type nfs4 (rw,nosuid,noatime,vers=4.0,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=<dockerhost>,local_lock=none,addr=<nfshost>)
```

When I replace this volume by:
```yaml
...
volumes:
  file-vol:
    driver_opts:
      type: none
      device: "/srv/storage/container1/vol1"
      o: bind
...
```

where /srv/storage is a Linux NFS share mounted via `mount -t nfs nfshost:/storage /srv/storage`, then I get this `mount` output inside the container:

```
<nfshost>:/storage/container1/vol1 on /var/www/html type nfs4 (rw,nosuid,noatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=<dockerhost>,local_lock=none,addr=<nfshost>)
```

In both cases I can see the NFS host and the mount point from inside the Docker container. A "bad process" could notice that and try to mount a different location on the NFS server (like /storage/container2/vol1), and it would have full access to that location, because Kerberos cannot be used here (I think). I also cannot deny access to that location on the NFS server, because the request comes from the same IP. And all containers are started as the root user (the containers are often enough not rootless).
Is there a way to either deny container1 the ability to mount container2's volumes on the NFS server, or a way to hide the fact that the folder /var/www/html is an NFS mount point?
With `mkdir /tmp/x && mount -t nfs nfshost:/storage/container2/vol2 /tmp/x` I always get a "permission denied", even as root inside the container, but I don't know why.
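An added check for the "permission denied" part of the question (this is example code written for this page, not something from the original post). The mount(2) syscall requires CAP_SYS_ADMIN, Docker's default capability set does not include it, and Docker's default seccomp profile only permits mount(2) together with that capability, so the container's root user gets EPERM from the kernel before the NFS server ever sees a request. The script reads the effective capability mask from /proc/self/status, tests bit 21 (the kernel's number for CAP_SYS_ADMIN), and, if given an `nfshost:/path` argument, attempts the mount the question describes. The hex masks used in the comments and in the test are constructed inputs; 0xa80425fb is the effective set a stock unprivileged Docker container typically shows, and 0x3fffffffff is a full set as seen with `--privileged` or `cap_add: [SYS_ADMIN]`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): show why "mount -t nfs ..."
# fails as root inside an unprivileged container.
#
# mount(2) needs CAP_SYS_ADMIN. Docker drops it by default and its seccomp
# profile only allows the syscall when the capability is present, so the
# container's root gets EPERM no matter what the NFS server would permit
# for the Docker host's IP address.

CAP_SYS_ADMIN_BIT=21   # kernel capability number of CAP_SYS_ADMIN

# Effective capability mask of this process as a hex string
# (e.g. 00000000a80425fb for a stock container, 0000003fffffffff when
# privileged). Falls back to 0 if /proc is not readable.
current_capeff() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null)
    echo "${mask:-0}"
}

# has_cap HEXMASK BIT: exit 0 if capability BIT is set in HEXMASK, else 1.
has_cap() {
    hexmask=$1
    bit=$2
    [ $(( (0x$hexmask >> bit) & 1 )) -eq 1 ]
}

# mount_verdict HEXMASK: "blocked" when CAP_SYS_ADMIN is missing from the
# mask, "allowed" when it is present.
mount_verdict() {
    if has_cap "$1" "$CAP_SYS_ADMIN_BIT"; then
        echo allowed
    else
        echo blocked
    fi
}

# try_nfs_mount NFSHOST:/path: attempt the mount from the question into a
# temporary directory and report what happened. Run this only inside the
# container under test; a success means the container can reach exports
# that belong to other containers.
try_nfs_mount() {
    src=$1
    target=$(mktemp -d)
    if mount -t nfs "$src" "$target" 2>/dev/null; then
        echo "mounted $src on $target: this container CAN reach other exports"
        umount "$target"
    else
        echo "mount of $src failed (exit $?): expected while CAP_SYS_ADMIN is dropped"
    fi
    rmdir "$target"
}

main() {
    mask=$(current_capeff)
    echo "CapEff=$mask -> mount(2) $(mount_verdict "$mask") by capabilities"
    if [ -n "$1" ]; then
        try_nfs_mount "$1"
    fi
    return 0
}

main "$@"
```

Usage: `docker compose exec <service> bash check-mount.sh nfshost:/storage/container2/vol2`. The blocking works only as long as the service is not started with `privileged: true` or `cap_add: [SYS_ADMIN]`; `docker inspect --format '{{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' <container>` shows whether either is set. Hiding the mount point itself is not possible from inside the container, since the mount table is visible through /proc/self/mountinfo, so keeping CAP_SYS_ADMIN out of the container is the control that matters.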