Docker Community Forums

Permissions for CIFS Mount in Ubuntu from Synology - need chown/chmod

(1activegeek) #1

So there are multiple difficult layers to explain here of permission mappings and I believe I have most of them correct, but I’m still having some issues inside some containers with permission denied from apps inside and more specifically scripting where chmod/chown are used.

Overarching question - where did I go wrong with my permissions, or how can I alleviate the problem of not being able to use chown/chmod on these mounted volumes?

High level here is the layout:

  • VMware vSphere 6, w/ vCenter running on a single ESXi host
  • Synology NAS software running in an XPEnology VM (just think of it like a regular Synology DSM box) - using AFP/CIFS services (AFP mainly just for TimeMachine)
  • Single Ubuntu VM running in the vSphere system used for Docker containers
  • Multiple Docker containers running that need access to 2-3 specific DATA directories hosted on the Synology NAS

Current Setup:

  • Synology has 3 mount points created (MountA-C), and in each I’ve set up a specific user (shareuser) to have permission for full R/W permissions to ALL (current, subfolder, child objects)
  • Ubuntu VM is set with fstab to mount all 3 mount points at startup, and are successfully mounted to the VM and accessible. (small gripe is that I can’t figure out why the permissions are 777/world - side issue for now)
  • 3 containers (call them ContA-C) and in each of the container run commands, using the -v /media/data:/data command to mount the volumes inside the container. Yes I understand it can be simplified now using a storage container, and I can work on that later, for now I need to straighten out the permissions situation.

Now I’m going to drop in the blocks here that I believe are relevant to help paint the full picture on the permissions configs. I removed excess lis in directories to just simplify and focus on the specific directories in question.

SYNOLOGY - logged in as root viewing the Volume1 where all the directories we need to mount are located
atlantis> ls -la
d--------- 16 root root 4096 Dec 28 17:03 logging
d--------- 6 root root 4096 Sep 4 18:14 media
d--------- 4 root root 4096 Dec 28 09:58 temp

etc/passwd contents for shareuser
shareuser:x:1037:100:Account used for mounting shares to docker host:/var/services/homes/shareuser:/bin/sh
group file has shareuser in the appropriate users group (100) as well

UBUNTU - logged in as reg-user and viewing the /media directory where I’ve mounted the CIFS shares
reg-user@osiris:/media$ ls -la
drwxr-xr-x 13 root root 4096 Dec 27 19:00 .
drwxr-xr-x 22 root root 4096 Dec 27 06:56 ..
drwxrwxrwx 16 shareuser users 0 Dec 28 17:03 logging
drwxrwxrwx 6 shareuser users 0 Sep 4 18:14 media
drwxrwxrwx 4 shareuser users 0 Dec 28 09:58 temp

etc/passwd contents for shareuser
shareuser:x:1037:100::/home/shareuser:/bin/bash
group file has shareuser in the appropriate users group (100) as well

DOCKER - from inside the docker (docker exec -it bash), this is how the mount points appear (I call the temp directory local inside the dockers). Also this particular host setup has a startup script that creates a user to match the UID/GID of a user on the host to ease permissions inside the docker container.
root@31cbf0b53d65:/# ls -la
drwxrwxrwx 4 abc users 0 Dec 28 09:58 local
drwxrwxrwx 2 abc users 0 Dec 27 21:46 logging
drwxrwxrwx 326 abc users 0 Dec 28 00:24 media

etc/passwd content for abc (mapped to shareuser uid/gid)
abc:x:1037:100::/config:/bin/false
group file has shareuser in the appropriate users group (100) as well - I do notice there is also an abc group with gid 100 as well - possibly an issue?
users:x:100:abc
nogroup:x:65534:
libuuid:x:101:
netdev:x:102:
crontab:x:103:
syslog:x:104:
docker_env:x:8377:
ssh:x:105:
abc:x:100:

FSTAB ENTRY FROM UBUNTU - only the relevant mount entries, nothing else wild in my fstab as it’s a fresh OS build and no customizations to it
//atlantis/media /media/media cifs credentials=/home/shareuser/.smbcredentials,iocharset=utf8,uid=1037,gid=100,file_mode=0755,dir_mode=0755 0 0
//atlantis/logging /media/logging cifs credentials=/home/shareuser/.smbcredentials,iocharset=utf8,uid=1037,gid=100,file_mode=0755,dir_mode=0755 0 0
//atlantis/temp /media/temp cifs credentials=/home/shareuser/.smbcredentials,iocharset=utf8,uid=1037,gid=100,file_mode=0755,dir_mode=0755 0 0
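
A consistency check over the values quoted in the post, as an added example that is not part of the original post: it compares each layer's passwd uid/gid with the cifs mount options, compares the directory mode seen in `ls` with `dir_mode`, and flags GIDs that carry more than one group name. The function names and the inlined sample data (transcribed from the post, with the group file shortened) are assumptions of this example.

```python
# Added example, not from the post. Sample data is transcribed from the values quoted in it.
OPTS = ("credentials=/home/shareuser/.smbcredentials,iocharset=utf8,"
        "uid=1037,gid=100,file_mode=0755,dir_mode=0755")
FSTAB = "\n".join(f"//atlantis/{s} /media/{s} cifs {OPTS} 0 0" for s in ("media", "logging", "temp"))
PASSWD = {  # one passwd entry per layer
    "synology": "shareuser:x:1037:100:Account used for mounting shares to docker host:/var/services/homes/shareuser:/bin/sh",
    "ubuntu": "shareuser:x:1037:100::/home/shareuser:/bin/bash",
    "container": "abc:x:1037:100::/config:/bin/false",
}
GROUP = "users:x:100:abc\nnogroup:x:65534:\nabc:x:100:"  # subset of the container group file
LS_HOST = {f"/media/{s}": "drwxrwxrwx" for s in ("media", "logging", "temp")}  # modes from ls on the host

def cifs_mounts(fstab):
    """Yield (mountpoint, options dict) for every cifs entry in fstab text."""
    for line in fstab.splitlines():
        f = line.split()
        if len(f) >= 4 and not f[0].startswith("#") and f[2] == "cifs":
            yield f[1], dict(o.partition("=")[::2] for o in f[3].split(","))

def listed_mode(ls_mode):
    """Convert the nine rwx characters of an ls mode string to an int (special bits ignored)."""
    return int("".join("0" if c == "-" else "1" for c in ls_mode[1:10]), 2)

def duplicate_gids(group_text):
    """Return {gid: [names]} for every gid that appears under more than one group name."""
    names = {}
    for line in group_text.splitlines():
        name, _pw, gid = line.split(":")[:3]
        names.setdefault(int(gid), []).append(name)
    return {gid: n for gid, n in names.items() if len(n) > 1}

def audit(fstab, passwd, group_text, ls_host):
    """Collect mismatches between mount options, passwd entries, listed modes and groups."""
    findings = []
    ids = {layer: tuple(map(int, e.split(":")[2:4])) for layer, e in passwd.items()}
    for mnt, opts in cifs_mounts(fstab):
        forced = (int(opts["uid"]), int(opts["gid"]))
        findings += [f"{mnt}: {layer} uid/gid {pair} != mount {forced}"
                     for layer, pair in ids.items() if pair != forced]
        want, seen = int(opts["dir_mode"], 8), listed_mode(ls_host[mnt])
        if want != seen:
            findings.append(f"{mnt}: dir_mode={want:04o} in fstab but ls shows {seen:04o}")
    findings += [f"container gid {g} has several group names: {n}"
                 for g, n in duplicate_gids(group_text).items()]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(FSTAB, PASSWD, GROUP, LS_HOST)))
```

On the post's data the uid/gid values agree in all three layers; the findings are the 0755 versus 0777 mode difference on each mount and the two group names sharing gid 100 inside the container.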