Docker-compose mount volume nfs

Hi all,
Unfortunately I have another question for you.
I’m trying to mount a volume that is an NFS. I have this docker-compose file:

version: "3.8"

volumes:
  neonfs:
    driver: local
    driver_opts:
      type: nfs
      o: addr=172.26.209.22
      device: :/space/home/cverond/varwwwhtml

services:
  web:
    build:
      dockerfile: ./Dockerfile
    ports:
      - "80:80"
    environment:
      - FlexDebug=on
    volumes:
      - neonfs:/var/data/
      - type: bind
        source: ./formazionephp7
        target: /var/www/html/

When I build and bring up the image, I receive this error:

  • Network formazionephp7_default Created 0.7s
  • Volume “formazionephp7_neonfs” Created 0.0s
  • Container formazionephp7-web-1 Created 0.2s
    Attaching to formazionephp7-web-1
    Error response from daemon: error while mounting volume ‘/var/lib/docker/volumes/formazionephp7_neonfs/_data’: failed to mount local volume: mount :/space/home/cverond/varwwwhtml:/var/lib/docker/volumes/formazionephp7_neonfs/_data, data: addr=172.26.209.22: permission denied

As a test, I tried to run a Docker container and mount the NFS shared disk manually, but the error is the same:

# mount -v -t nfs -o ro 172.26.209.22:/space/home/cverond/varwwwhtml /var/data
mount.nfs: timeout set for Tue Dec  6 11:53:49 2022
mount.nfs: trying text-based options 'vers=4.2,addr=172.26.209.22,clientaddr=172.28.0.2'
mount.nfs: mount(2): Operation not permitted
mount.nfs: trying text-based options 'addr=172.26.209.22'
mount.nfs: prog 100003, trying vers=3, prot=6
mount.nfs: trying 172.26.209.22 prog 100003 vers 3 prot TCP port 2049
mount.nfs: prog 100005, trying vers=3, prot=17
mount.nfs: trying 172.26.209.22 prog 100005 vers 3 prot UDP port 892
mount.nfs: Protocol not supported
#

Does anyone have any ideas?

Thanks a lot.

The NFS volume is not a volume that is mounted inside the container directly. It will be mounted on the host and from the host it will be mounted into the container. The container has no mount capability (CAP_SYS_ADMIN if I am right) so you get “Operation not permitted”. When you get “permission denied” using the NFS volume, it means the server does not allow the client to mount the shared folder. For example if you have 172.26.209.22 as the server and your client is 172.26.202.23, you need an export file on the server like this

/etc/export

/space/home/cverond/varwwwhtml 172.26.209.23/32(rw,sync,no_subtree_check)

Of course, if you want more clients to be able to use the NFS server, you need more lines or define an IP range:

/space/home/cverond/varwwwhtml 172.26.209.0/24(rw,sync,no_subtree_check)

Is 172.26.209.22 a Docker container or host machine?

Instead of trying to find the right settings with containers, I recommend you to try to mount an NFS share to the host without Docker. If that works and you know how to configure the NFS server, then try it with Docker.

Hi @rimelek, and thank you for your support.

I confirm that 172.26.209.22 is the host machine.

Hi @rimelek,
I tried your suggestion and, if I try to mount the NFS volume in Windows, it works.
In a PowerShell console I launched this command:

> mount.exe -o nolock 172.26.209.22:/space/home/xyz/varwwwhtml/foldername o:

The problem is with Docker, which gives an error. Do you have any suggestions?

Unfortunately I don’t have :frowning:

Anyway, it doesn’t matter. You were very kind.
If I find a solution, I will update this post for other users.

Regards.

Like @rimelek already pointed out: the docker engine mounts the nfs share on the docker host, as such the docker host must be allowed in the client list of the nfs export.

Though, it is unclear what os the docker engine is running on and which version is running.

Hi @meyay,
thank you for your response.

I have an Ubuntu server at home that shares an NFS disk (this is my /etc/export):

> /srv/samba/share/www/html 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,anonuid=1001,anongid=0)

In the docker-compose file I have this configuration:

version: "3.8"

volumes:
  neonfs:
    driver: local
    driver_opts:
      type: nfs
      o: addr=192.168.1.17,nolock,soft,rw
      device: :/srv/samba/share/www/html
services:
  web:
    build:
      dockerfile: ./Dockerfile
    ports:
      - "80:80"
    environment:
      - FlexDebug=on
    volumes:
      - neonfs:/var/nfs

But I receive an “access denied” error when Docker starts.

Also, I have created a user in the Docker image:

RUN useradd -rm -d /home/appuser -s /bin/bash -g root -G sudo -u 1001 appuser

USER appuser

in the hope that it would work but, unfortunately, I receive “access denied”.

Any idea?

You might want to start with the least amount of options.
My nfs options are addr=192.168.x.x,nfsver4 and it just works fine.

This is how my export options look like: (rw,sync,no_wdelay,crossmnt,no_root_squash,insecure_locks,sec=sys,anonuid=1025,anongid=100)

I remember another user had problems with nfs mounts a couple of days ago, and the forum search yielded the following post:

Only after you tried @meyay’s suggestion, I would also try to run a simple HTTP server on the NFS server and send a request from a docker container to see what IP address the NFS server can see as sender. Or maybe the NFS server log contains some information about failed requests. I remember one case when the routing was wrong and the request was sent on another network.

Hi all,
Sorry for the absence, but I had personal problems. I managed to figure out, perhaps, the problem of the missing mount for the NFS partition.

This is the docker-compose:

version: "3.8"
volumes:
  neonfs:
    driver: local
    driver_opts:
      type: nfs
      o: "addr=172.26.209.22,rw"
      device: ":/space/home/user/varwwwhtml"
services:
  web:
    build:
      dockerfile: ./Dockerfile
    ports:
      - "80:80"
    environment:
      - FlexDebug=on
    volumes:
      - neonfs:/var/nfs
      - type: bind
        source: ./examplephp7
        target: /var/www/html/

and I receive “permission denied”. I’ve watched the NFS logs and found this:

refused mount request from 172.26.208.50 for /space/home/user/varwwwhtml (/space/home/user/varwwwhtml): illegal port 60139

My DevOps says that all ports greater than 1024 are blocked for security reasons. Can I change the port for NFS?

Thanks a lot.
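The log line above carries the two facts the earlier replies asked for: the address the NFS server actually saw and the client's source port. The following is an added example, not code from any poster in this thread: it checks that address against an exports-style client list and flags a source port that the default `secure` export option (source port below 1024, per exports(5)) would refuse. The export line is constructed from the /24 example earlier in the thread; function and variable names are hypothetical.

```python
import ipaddress
import re

# Constructed inputs: LOG is the server log line quoted in the thread; EXPORTS is
# the /24 example from the thread, rewritten for the path named in that log line.
LOG = ("refused mount request from 172.26.208.50 for /space/home/user/varwwwhtml "
       "(/space/home/user/varwwwhtml): illegal port 60139")
EXPORTS = "/space/home/user/varwwwhtml 172.26.209.0/24(rw,sync,no_subtree_check)\n"

LOG_RE = re.compile(r"refused mount request from (\S+) for (\S+) \(\S+\): illegal port (\d+)")
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)")


def parse_exports(text):
    """Return {path: [(network, option_set), ...]}, IP and CIDR clients only."""
    exports = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        for host, opts in CLIENT_RE.findall(parts[1]):
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                continue  # hostnames, wildcards and netgroups are not handled here
            exports.setdefault(parts[0], []).append((net, set(opts.split(","))))
    return exports


def diagnose(log_line, exports_text):
    """Relate one refused mount to the export client list and the source port."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    client, path, port = ipaddress.ip_address(m.group(1)), m.group(2), int(m.group(3))
    hits = [(n, o) for n, o in parse_exports(exports_text).get(path, []) if client in n]
    return {
        "client": str(client),
        "port": port,
        "client_in_export_list": bool(hits),
        # exports(5): "secure" is the default and requires a source port below 1024
        "port_refused_by_secure": port >= 1024 and not any("insecure" in o for _, o in hits),
    }


if __name__ == "__main__":
    print(diagnose(LOG, EXPORTS))
```

With these inputs the logged address 172.26.208.50 falls outside 172.26.209.0/24, so an export list written for that range would not cover the host that sent the request.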

If I try with NFS version 4, the error changes:

data: addr=172.26.209.22,vers=4.0: operation not permitted

I have also tried to run the container and mount the partition inside with

mount -o nolock -o vers=4 -rw 172.26.209.22:/space/home/project/varwwwhtml /var/www/dir

but I receive this error:

mount.nfs: Protocol not supported

It’s as if the kernel does not support NFS.

Is it possible that it is so hard to mount an NFS partition?

I’m really disheartened :frowning:

Finally, after a long time, I figured it out.
The fault was not the container or docker but the NFS server which, for some reason, had the rpcbind daemon not running.

It was enough to launch this command, and everything started, as if by magic:

chkconfig rpcbind on && service rpcbind start

I hope this thread is also useful for posterity.

A greeting
