Docker Community Forums


Cannot mount NFS volume from container

When in my basic CentOS 7 container, I can see the shares of the server I wish to mount:

[root@sandbox /]# showmount -e 192.168.0.111
Export list for 192.168.0.111:
/RAIDPOOL02/vers     *
/RAIDPOOL02/prod     *
/RAIDPOOL02/pipeline *

When I attempt to mount, I get this:

[root@sandbox /]# mkdir -p /192.168.0.111/pipeline
[root@sandbox /]# mount --verbose --options=nolock,exec,soft,intr,uid=500,rsize=65536,wsize=65536 192.168.0.111:/pipeline /192.168.0.111/pipeline

mount.nfs: timeout set for Wed May  4 08:16:49 2016
mount.nfs: trying text-based options 'nolock,soft,intr,uid=500,rsize=65536,wsize=65536,vers=4,addr=192.168.0.111,clientaddr=172.20.0.3'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'nolock,soft,intr,uid=500,rsize=65536,wsize=65536,addr=192.168.0.111'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 192.168.0.111 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 192.168.0.111 prog 100005 vers 3 prot UDP port 20048
mount.nfs: mount(2): Operation not permitted
mount.nfs: Operation not permitted

I’m exposing these ports in my Dockerfile:

EXPOSE 2049
EXPOSE 20048

And I can successfully nmap port 2049 of the server:

[root@sandbox /]# nmap -p 2049 192.168.0.111

Starting Nmap 6.40 ( http://nmap.org ) at 2016-05-04 08:21 UTC
Nmap scan report for 192.168.0.111
Host is up (0.00061s latency).
PORT     STATE SERVICE
2049/tcp open  nfs

Why am I getting “Operation not permitted”?

I’m getting the same results on Docker for Windows (beta) and on Docker 1.11.1 running on Linux.

Have you tried running the container with --privileged?

See - https://github.com/docker/docker/issues/9448


I was able to make it work on docker 17.06!

docker run --mount 'type=volume,src=src_name,volume-driver=local,dst=/mnt,volume-opt=type=nfs,volume-opt=device=:/nfs-share,"volume-opt=o=nfs-server,vers=4,hard,timeo=600,rsize=1048576,wsize=1048576,retrans=2"' -d -it --name mycontainer ubuntu

Got the hint from

Thanks James, I have the same issue, and after adding the --privileged option it worked :wink:

For using mount, you’ll need the CAP_SYS_ADMIN capability, which is dropped by Docker when creating the container.

There are several solutions for this:

1. Start the container with the --cap-add sys_admin flag. This causes Docker to retain the CAP_SYS_ADMIN capability, which should allow you to mount an NFS share from within the container. This might be a security issue; do not do this in untrusted containers. [A previous version of this answer suggested using --privileged=true to retain all capabilities; thanks to @earcam for the suggestion to use --cap-add instead.]
2. Mount the NFS share on the host and pass it into the container as a host volume:

you@host > mount server:/dir /path/to/mount/point
you@host > docker run -v /path/to/mount/point:/path/to/mount/point

3. Use a Docker volume plugin (like the Netshare plugin) to directly mount the NFS share as a container volume:

you@host > docker run \
    --volume-driver=nfs \
    -v server/dir:/path/to/mount/point \
    centos
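
A check for the point made in the answer above, as an added example that is not part of the original thread: it decodes the CapEff mask from /proc/<pid>/status and tests bit 21 (CAP_SYS_ADMIN), which mount(2) requires. The two status excerpts are constructed, and the default mask 00000000a80425fb is an assumption taken from Docker's default capability list.

```shell
#!/bin/sh
# Added example: decide from /proc/<pid>/status whether mount(2) can pass the
# capability check. The capability is necessary, not sufficient: seccomp or
# an LSM profile may still deny the call.

CAP_SYS_ADMIN_BIT=21                   # CAP_SYS_ADMIN in linux/capability.h
DOCKER_DEFAULT_MASK=00000000a80425fb   # assumed: Docker's default capability set

# Constructed samples: default container vs. one started with --cap-add sys_admin.
DEFAULT_STATUS='Name:   bash
CapEff: 00000000a80425fb'
CAPADD_STATUS='Name:   bash
CapEff: 00000000a82425fb'

# Print the CapEff hex mask from a status document on stdin.
capeff_from_status() { awk '$1 == "CapEff:" { print $2; exit }'; }

# has_cap MASK_HEX BIT: succeeds if BIT is set in the mask.
has_cap() { [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]; }

# extra_caps MASK_HEX: bit numbers granted beyond the assumed Docker default.
extra_caps() {
    extra=$(( 0x$1 & ~0x$DOCKER_DEFAULT_MASK ))
    bit=0; out=""
    while [ "$bit" -le 40 ]; do
        if [ $(( ($extra >> $bit) & 1 )) -eq 1 ]; then out="$out $bit"; fi
        bit=$((bit + 1))
    done
    echo "${out# }"
}

# Read a status document on stdin and report the capability verdict.
mount_verdict() {
    mask=$(capeff_from_status)
    if [ -z "$mask" ]; then echo "no CapEff line found"; return 0; fi
    if has_cap "$mask" "$CAP_SYS_ADMIN_BIT"; then
        echo "CapEff=$mask: CAP_SYS_ADMIN present; extra capability bits: $(extra_caps "$mask")"
    else
        echo "CapEff=$mask: CAP_SYS_ADMIN missing; mount(2) returns EPERM"
    fi
}

printf '%s\n' "$DEFAULT_STATUS" | mount_verdict
printf '%s\n' "$CAPADD_STATUS"  | mount_verdict
if [ -r /proc/self/status ]; then mount_verdict < /proc/self/status; fi
```

Run inside the container, the last line reports on the shell's own process; any extra bit it lists is privilege the container holds beyond the assumed default.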