Hi,

I’m having difficulty trying to mount a cifs share within a container. It works when I run the container with --privileged but not with --cap-add SYS_ADMIN.

Is this something that requires the --privileged flag (and if so why) or am I just missing certain capabilities (and if so which ones?)

Thanks

yes you need privileged as a security measure. why this doesnt seem to be the only way and have it in the documentation i do not know. maybe there are use cases as a progammer that it doesnt apply.

I would assume the opposite. Using a privileged flag will make your container more dangerous giving you all possible capabilities and access to the host devices. I would be glad to see a list somwhere too that explains what capability is needed for common goals that isn’t obvious after reading the capability docs, but usually we don’t need to manually run a mount int he container and a volume plugin should document how it should be used if we need any speciel parameter for the container. I never needed cifs in a container, so I just searched for it and found this:

It indicates you need --cap-add DAC_READ_SEARCH too. If I try to search for an image on Docker Hub I find the same in the description: https://hub.docker.com/r/usr42/cifs

That’s an old image so I have no iddea if that is still enough, but the point is that I doubt that there would be anything that requires privileged flag, we just don’t know what capability or other config is missing so we use privieleged to at least have a working application.

Beyond the privileged flag Apparmor, Seccompor SELinux could also affect how the container works which is mentioned in the StackOverflow topic I linked above.