Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(Dockerfile): Allow ipfs mount in Docker container #5560

Merged
merged 1 commit into from
May 9, 2019

Conversation

hannahhoward
Copy link
Contributor

Goals

Allow ipfs mount to be run with docker image built from Dockerfile

Implementation

-- install fuse during build phase
-- copy fusermount to smaller busybox image for run phase
-- create mount directorys for ipfs mount (/ipfs & /ipns)

For Discussion

Because a portion of FUSE runs at the kernel level, you have utilize the host machine's FUSE device: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

This means for this command to work, you have to run:

docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse ipfs/go-ipfs

This raises the question of whether it makes sense to support ipfs mount in Docker at all. If so, we should probably update the readme, to clarify the requirements for running w/ ipfs mount

However, I wonder what use case @davidcittadini had in mind when he posted the original issue this fixes.

Also, for whatever reason, I had to actually modify the hosts permissions for /dev/fuse on Docker for Mac, but I believe this to be a Mac specific issue.

fixes #4329

License: MIT
Signed-off-by: hannahhoward [email protected]

@ghost ghost assigned hannahhoward Oct 4, 2018
@ghost ghost added the status/in-progress In progress label Oct 4, 2018
@warpfork
Copy link
Member

warpfork commented Oct 4, 2018

It sounds like you probably already know this, but expanding on that "clarify the requirements" part: Having CAP_SYS_ADMIN (without an enclosing user namespace -- which docker does not do) is equivalent to full power on the host, including countless ways to leave the container.

I dunno if that's a concern if someone wants to run ipfs in docker for purely operational convenience reasons, but it should probably be mentioned at least briefly...

@hannahhoward
Copy link
Contributor Author

@warpfork yep I understand. There's definitely no other way to use FUSE in a container. I want simply trying to solve #4329. I don't understand the original use case or even whether it makes sense to use ipfs mount inside of a docker container. It would be helpful to get feedback from the original issue filer @davidcittadini as to the use case

@hannahhoward
Copy link
Contributor Author

@warpfork on the upside, none of this code requires you run docker privileged, unless you want to use ipfs mount

@eingenito
Copy link
Contributor

Should we merge this along with some documentation and a warning in the readme? By default nothing would change - but it would add this capability for people who were willing to run it with elevated privs. Or should we just avoid even suggesting this use because it's a little unorthodox from a security standpoint?
@Stebalien @Kubuxu ?

@hannahhoward hannahhoward force-pushed the features/dockerfile-ipfs-mount-4329 branch from ec1f771 to 87c918e Compare October 4, 2018 17:52
@Stebalien
Copy link
Member

I'm fine providing the option but, really, this is more @Kubuxu and @lgierth's territory.

@Kubuxu
Copy link
Member

Kubuxu commented Oct 5, 2018

Should we merge this along with some documentation and a warning in the readme? By default nothing would change

I'm ok with that. As @warpfork mentioned having CAP_SYS_ADMIN is almost as good as having root on the host.

@ghost
Copy link

ghost commented Oct 5, 2018

This looks fine to me 👍 Passing CAP_* is pretty standard, e.g. any dockerized VPN-style software usually gets CAP_NET_ADMIN.

@Stebalien Stebalien force-pushed the features/dockerfile-ipfs-mount-4329 branch from 87c918e to d0ed138 Compare May 9, 2019 06:35
@ghost ghost assigned Stebalien May 9, 2019
@Stebalien Stebalien merged commit 1081d04 into master May 9, 2019
@Stebalien Stebalien deleted the features/dockerfile-ipfs-mount-4329 branch May 9, 2019 06:44
@ghost ghost removed the status/in-progress In progress label May 9, 2019
@Stebalien Stebalien restored the features/dockerfile-ipfs-mount-4329 branch May 30, 2019 22:34
@Stebalien Stebalien deleted the features/dockerfile-ipfs-mount-4329 branch May 30, 2019 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

"ipfs mount" does not work from Dockerfile image
5 participants