fix(Dockerfile): Allow ipfs mount in Docker container #5560
Conversation
It sounds like you probably already know this, but expanding on that "clarify the requirements" part: Having CAP_SYS_ADMIN (without an enclosing user namespace -- which docker does not do) is equivalent to full power on the host, including countless ways to leave the container. I dunno if that's a concern if someone wants to run ipfs in docker for purely operational convenience reasons, but it should probably be mentioned at least briefly...
@warpfork yep I understand. There's definitely no other way to use FUSE in a container. I was simply trying to solve #4329. I don't understand the original use case or even whether it makes sense to use ipfs mount inside of a docker container. It would be helpful to get feedback from the original issue filer @davidcittadini as to the use case.
@warpfork on the upside, none of this code requires you run docker privileged, unless you want to use
Should we merge this along with some documentation and a warning in the readme? By default nothing would change - but it would add this capability for people who were willing to run it with elevated privs. Or should we just avoid even suggesting this use because it's a little unorthodox from a security standpoint?
ec1f771 to 87c918e
I'm ok with that. As @warpfork mentioned having
This looks fine to me 👍 Passing
fixes #4329 License: MIT Signed-off-by: hannahhoward <[email protected]>
87c918e to d0ed138
Goals

Allow `ipfs mount` to be run with docker image built from Dockerfile

Implementation

- install fuse during build phase
- copy fusermount to smaller busybox image for run phase
- create mount directories for `ipfs mount` (/ipfs & /ipns)

For Discussion

Because a portion of FUSE runs at the kernel level, you have to utilize the host machine's FUSE device: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

This means for this command to work, you have to run:

This raises the question of whether it makes sense to support `ipfs mount` in Docker at all. If so, we should probably update the readme, to clarify the requirements for running w/ ipfs mount. However, I wonder what use case @davidcittadini had in mind when he posted the original issue this fixes.

Also, for whatever reason, I had to actually modify the host's permissions for /dev/fuse on Docker for Mac, but I believe this to be a Mac specific issue.

fixes #4329
License: MIT
Signed-off-by: hannahhoward [email protected]
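The discussion above turns on two prerequisites for `ipfs mount` in a container: the effective CAP_SYS_ADMIN capability (which, as noted, is equivalent to host root without a user namespace) and access to the host's /dev/fuse device, plus a fusermount binary in the run-phase image. The following POSIX shell preflight is an added example, not code from this PR or the go-ipfs project; it decodes the CapEff mask the kernel reports in /proc/self/status (CAP_SYS_ADMIN is capability number 21 in the kernel's capability.h) so an entrypoint can refuse to attempt the mount, with a clear message, when the container was started without `--cap-add SYS_ADMIN` or `--device /dev/fuse` (both documented at the Docker runtime-privilege link above). The sample masks in the usage section are constructed from the kernel's capability layout; the device path and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the go-ipfs PR): preflight check before running
# `ipfs mount` inside a container.

# CAP_SYS_ADMIN is capability number 21 in linux/capability.h.
CAP_SYS_ADMIN_BIT=21

# has_cap_sys_admin HEXMASK -> prints "yes" or "no".
# HEXMASK is the CapEff field exactly as /proc/<pid>/status prints it,
# e.g. 00000000a80425fb (Docker's default bounding set, which lacks SYS_ADMIN).
has_cap_sys_admin() {
    mask="$1"
    if [ $(( (0x$mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]; then
        echo yes
    else
        echo no
    fi
}

# current_capeff -> prints this process's CapEff mask, or nothing on non-Linux hosts.
current_capeff() {
    if [ -r /proc/self/status ]; then
        awk '/^CapEff:/ { print $2 }' /proc/self/status
    fi
}

# fuse_preflight HEXMASK DEVICE_PATH -> prints one line per missing prerequisite.
# Returns 0 when `ipfs mount` can work, 1 otherwise.
fuse_preflight() {
    mask="$1"
    dev="$2"
    ok=0
    if [ "$(has_cap_sys_admin "$mask")" != yes ]; then
        echo "missing CAP_SYS_ADMIN (container was not started with --cap-add SYS_ADMIN)"
        ok=1
    fi
    if [ ! -c "$dev" ]; then
        echo "no FUSE character device at $dev (container was not started with --device /dev/fuse)"
        ok=1
    fi
    if ! command -v fusermount >/dev/null 2>&1; then
        echo "fusermount not on PATH (the run-phase image must include it)"
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "ipfs mount prerequisites present"
    fi
    return "$ok"
}

# Usage, as an entrypoint would call it (constructed sample masks):
#   has_cap_sys_admin 00000000a80425fb   -> no   (Docker default capability set)
#   has_cap_sys_admin 0000003fffffffff   -> yes  (every capability granted)
#   fuse_preflight "$(current_capeff)" /dev/fuse || exit 1
```

The check is deliberately split: decoding the capability mask is a pure function that can be unit-tested anywhere, while the device and binary checks touch the filesystem. An operator who sees "missing CAP_SYS_ADMIN" knows the container was started in the default (safer) configuration, which is the behaviour the PR wants to keep as the default.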