Store Volumes on a CIFS NAS

Hello,
I was thinking of using my NAS to share the local Docker Volumes, in order to take advantage of its features (e.g. backup, large space, etc.). So, I have mounted a CIFS Share and I could save some test Volumes and mount them on the container. Everything is fine, but it ended up with all files having the same permissions (e.g. 777), as I mount the CIFS Share with file_mode=0777,dir_mode=0777. So, all the files are executable and R/W, which should be a security issue IMHO, and as I have some scripts there, changing the filemask (e.g. 644) is not an option or I wouldn’t be able to run the scripts.

Any suggestions for this?

Thanks!


CIFS doesn’t support Linux file permissions; this is why you have to set the file_mode and dir_mode. If the NAS supports NFS, you can try that.

Hello @rimelek,
Thank you for getting back!
Yes, NFS would be my first choice, but as my NAS doesn’t support it, I have tried with CIFS.
And as explained it works (pretty well), but the permissions are a security issue IMHO.
So, I will end up using the local storage, until I get a new NAS.

Regards,

Just an idea, if you can change how you run the script. Scripts don’t have to be executable if they are just the arguments of the shell. So instead of running

/mnt/scripts/myscript.sh

you can run

bash /mnt/scripts/myscript.sh

at least until you can get a new NAS

Hello @rimelek,
Thank you again for your messages!
Yes, that is a possible workaround, but it adds some additional complexity.
So, I think I will end up using the local storage only, until I get a new NAS. :slight_smile:
In the meantime, I was also interested to understand how people here have set their Docker environments…

I cannot imagine that any NAS exists that doesn’t come with NFS out of the box.
All Synology and QNAP boxes should allow exposing a share via NFS.

I use NFS v4 for most of my remote shares, and CIFS for special cases, where using NFS v4 resulted in odd permissions that prevented other CIFS clients from accessing the data. I don’t recall what the exact problem was, but it could be a Synology-specific problem. While CIFS makes it necessary to provide credentials in your volume declaration, NFS doesn’t.

I declare my volumes like this:

volumes:
  cifs_volume:
    driver_opts:
      type: cifs 
      o: username=xxx,password=yyyy,uid=33450,gid=100,vers=3.0
      device: //192.168.x.x/myshare

  nfs_volume:
    driver_opts:
      type: nfs 
      o: addr=192.168.x.x,nfsvers=4
      device: :/volume1/myshare

The cifs mounts implicitly use file_mode=0755, dir_mode=0755 on my system. Aligning uid and gid in the cifs option with the uid/gid of the process inside the container is key to using 755 permissions instead of 777 permissions.
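
Added example, not part of any post in this thread: a POSIX shell check that reads mount-table lines in /proc/mounts format and flags CIFS mounts whose file_mode or dir_mode gives write access to every local user, which is the 0777 situation from the first post. The sample mount lines, the 192.0.2.10 address and the function names are constructed for illustration.

```shell
#!/bin/sh
# Flag CIFS mounts whose file_mode/dir_mode let every local user write.
# Input: lines in /proc/mounts format on stdin
#        (device mountpoint fstype options dump pass).

audit_cifs_modes() {
    findings=0
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = cifs ] || continue
        old_ifs=$IFS; IFS=,              # split the option list on commas
        for opt in $opts; do
            case $opt in
                file_mode=*|dir_mode=*)
                    mode=${opt#*=}
                    other=${mode#"${mode%?}"}   # last octal digit = "other"
                    case $other in
                        2|3|6|7)                # write bit set for "other"
                            echo "WORLD-WRITABLE $mnt ($dev): $opt"
                            findings=$((findings + 1)) ;;
                    esac ;;
            esac
        done
        IFS=$old_ifs
    done
    [ "$findings" -eq 0 ]                # exit status 0 only when clean
}

# Constructed sample mount table (not taken from the thread).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
//192.0.2.10/myshare /var/lib/docker/volumes/cifs_volume/_data cifs rw,relatime,vers=3.0,uid=33450,gid=100,file_mode=0755,dir_mode=0755 0 0
//192.0.2.10/scripts /mnt/scripts cifs rw,relatime,vers=3.0,uid=0,gid=0,file_mode=0777,dir_mode=0777 0 0
EOF
}

# Demo on the sample; on a real host run: audit_cifs_modes < /proc/mounts
sample_mounts | audit_cifs_modes || true
```

The function exits non-zero when any finding is printed, so it can gate a deployment script or a periodic host check.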

Well, it’s an old NAS from Buffalo and supports CIFS, Mac share or FTP/SFTP, but as long as it works for me, it isn’t worth buying a new one.

Regards,

I see, it’s a lack of imagination on my side :slight_smile:

To be honest, I was used to working on enterprise-scale NAS in the past :wink: