Support for CIFS v3.0 volumes with transport-layer encryption?

Docker Engine General
1

Hi all,

Does docker support creating and mounting CIFS/SMB v3.0 volumes with transport-layer encryption? Ideally the local volume driver?

Something like this, with “seal,vers=3.0”:

docker volume create \
	--driver local \
	--opt type=cifs \
	--opt device=//uxxxxx.your-server.de/backup \
	--opt o=addr=uxxxxx.your-server.de,username=uxxxxxxx,password=*****,file_mode=0777,dir_mode=0777 \
	--name cif-volume
**--opt o=seal,vers=3.0**

I couldn’t find something in the documentation and I wanted to check before rolling SMB v3.0…

Thanks a lot in advance!

2

How would the mount parameter look for this? The local driver accepts almost every mount parameter.

3

According to the cifs.mount ,manpage link, the required mount parameter is “seal”, which has to be provided with the parameter “vers=3.0” (or any other version >=3.0)

seal Request encryption at the SMB layer. The encryption algorithm used is AES-128-CCM.
Requires SMB3 or above (see vers).

Is that supported in docker?

—fyi: according to the RHL documentation, a typical encrypted cifs mount command would look like this:

To mount the \\server\example\ share as the DOMAIN\Administrator user over an encrypted SMB 3.0 connection into the /mnt/ directory:

mount -t cifs -o username= DOMAIN \ Administrator ,seal,vers=3.0 // server / example /mnt/ Password for user_name @// server_name / share_name : ********

4

Just in case it helps, not all command line parameters may be supported by Docker. For a different use case docker - Is it possible to mount a CIFS volume using a credentials file against the LOCAL driver? - Stack Overflow claims:

It seems the issue here is that the credentials-file is a feature of the wrapper binary “mount.cifs” while docker uses the systemcall SYS_MOUNT itself for mounting the volume

(More details in that Stack Overflow answer.)

1 Like
5

Since the extra paremeters are mount options, then can be attached to the --opt o=... , ... , ... line.

I would this assume to work:

docker volume create \
	--driver local \
	--opt type=cifs \
	--opt device=//uxxxxx.your-server.de/backup \
	--opt o=addr=uxxxxx.your-server.de,username=uxxxxxxx,password=*****,file_mode=0777,dir_mode=0777,seal,vers=3.0 \
	--name cif-volume

if it’s supported from your os, then it is high likely to be usable by docker. The only thing that I am aware of that doesn’t work is the credentials option where a credential file is referenced, that holds the username/password.

Update: Arjan was faster :slight_smile:

2 Likes
6

Just to be sure: I am not claiming it won’t work. Just a heads up that it may not be supported. I did not investigate.

7

We are aligned here :slight_smile:

There is no way telling if it works or not without trying.

8

Hi @meyay and @avbentem, thanks for your respones!

I don’t’ particularly like CIFS/SMB, but I was gonna give a try, only because it seems it is the only viable solution offering native transport encryption (i.e. without having to tunnel it, or install kerberos etc…).

But if it is not possible to use the credentials file, I think I will not even try CIFS in this use-case. I find storing the password in clear-text unacceptable. I did some digging and there doesn’t seem to be any reasonable solution/workaround.

But this is fine, as I now understand better docker’s limitations. I wish they would have documented all these simple things!!