-
Notifications
You must be signed in to change notification settings - Fork 833
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mount --bind mount: permission denied #60
Comments
@sijnc hey can you show me your .yaml file, im also trying to run it on kubernetes |
+1 What's the best practice for this? |
I haven't researched this enough to know how to do it another way or what security implications it has. Would appreciate if someone could share some knowledge on this! |
While trying to make https://github.com/atmoz/sftp#bindmount-dirs-from-another-location working I also experienced the same issue. However it's not necessary to use For more information about this you can read the official documentation here https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities and an interesting stackoverflow answer here https://stackoverflow.com/questions/36553617/how-do-i-mount-bind-inside-a-docker-container Hope it helps. |
Thank you @arkan! I will add instructions to the readme |
Can anyone help on this, using docker compose? I am using the version: '2.4'
services:
sftp:
image: atmoz/sftp
restart: always
cap_add:
- SYS_ADMIN
ports:
- '22001:22'
volumes:
# generated host keys.
- ~/docker-persist/sftp/keys/host/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
- ~/docker-persist/sftp/keys/host/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
# authorized public keys.
- ~/docker-persist/sftp/keys/authorized/bkraul/id_rsa.pub:/home/bkraul/.ssh/keys/id_rsa.pub:ro
# users file
- ~/docker-persist/sftp/users.conf:/etc/sftp/users.conf:ro
# data directories.
- ~/docker-persist/myfolder:/data/myfolder
# bind mounts script
- ~/docker-persist/sftp/bindmounts.sh:/etc/sftp.d/bindmounts.sh This is what the log says:
UPDATE: This seems to work using |
Running privileged containers or with sys_admin is a security risk according to the O'Reilly book "Container Security" and those blogs: Both disable the isolation of a container according to those sources. |
This is still a problem with swarm. Swarmed environments do not support |
I was going crazy trying to bind a mounted external drive to a path inside the image via podman. I could see the folder in the SFTP client, but always got "permission denied" when entering the folder. Finally, I also had to run podman itself as Basically, I had to do this:
Would love to run it with lower privileges but nothing I tried works. Does anyone have any more surgical/precise solution to fix the permissions without using |
@Arcitec Example of my apparmor profile:
I hope it is helpful for you. |
I worked around this by setting:
securityContext: privileged: true
in the Kubernetes container spec to enable docker --privileged, can you comment on the security implications of doing this and are there any other workarounds for mount --bind that don't require --privileged?
Thanks
The text was updated successfully, but these errors were encountered: