GoogleCloudPlatform / gcsfuse

A user-space file system for interacting with Google Cloud Storage
https://cloud.google.com/storage/docs/gcs-fuse
Apache License 2.0

Running gcsfuse from within a Docker container on GCE VM, no access to parent VM needed #566

Open MarkEdmondson1234 opened 2 years ago

MarkEdmondson1234 commented 2 years ago

Hi, I wondered if you could help with what seems the final step to working with gcsfuse within a Docker container on GCE.

I've installed gcsfuse in the Docker container successfully, and can access it from within the RStudio terminal running in that Docker container, but get the error below when trying to link the user's file system to a bucket:

mkdir /home/mark/bucket
gcsfuse marks-bucket-of-stuff /home/mark/bucket

2021/11/06 09:43:32.069583 Start gcsfuse/0.37.0 (Go version go1.17.2) for app "" using mount point: /home/mark/bucket
2021/11/06 09:43:32.078671 Opening GCS connection...
2021/11/06 09:43:32.213056 Mounting file system "marks-bucket-of-stuff"...
daemonize.Run: readFromProcess: sub-process: mountWithArgs: mountWithConn: Mount: mount: running /usr/bin/fusermount: exit status 1

I'm not sure what the error means. I've read that it may be user access and running the Docker in --privileged mode would help, but that seems to be only if I need to access the file system on the parent VM. I'm happy to keep everything within the Docker container, using the Cloud Storage bucket to keep state in between varying Docker containers running versions of RStudio. (tracking my progress in https://github.com/cloudyr/googleComputeEngineR/issues/109)

For reference, the Dockerfile I am using is below, which builds successfully:

FROM rocker/tidyverse
MAINTAINER Mark Edmondson (r@sunholo.com)

# install gcsfuse deps
RUN apt-get update && apt-get install -y gnupg lsb-release wget
RUN lsb_release -c -s > /tmp/lsb_release

RUN GCSFUSE_REPO=$(cat /tmp/lsb_release); \
    echo "deb http://packages.cloud.google.com/apt gcsfuse-$GCSFUSE_REPO main" | \
    tee /etc/apt/sources.list.d/gcsfuse.list
RUN wget -O - https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -

# install system deps
RUN apt-get -qqy update && apt-get install -qqy \
    openssh-client \
    qpdf \
    libsodium-dev \
    gcsfuse

## Install packages from CRAN
RUN install2.r --error \
    -r 'http://cran.rstudio.com' \
    googleAuthR \
    googleComputeEngineR \
    googleAnalyticsR \
    searchConsoleR \
    googleCloudStorageR \
    bigQueryR \
    googleCloudRunner \
    zip \
    ## install Github packages
    && installGithub.r cloudyr/googleCloudStorageR \
                       cloudyr/googleComputeEngineR \
                       MarkEdmondson1234/googleCloudRunner \
    ## clean up
    && rm -rf /tmp/downloaded_packages/ /tmp/*.rds

COPY Rprofile.site /usr/local/lib/R/etc/Rprofile.site

tomsaleeba commented 2 years ago

> running the Docker in --privileged mode would help, but that seems to be only if I need to access the file system on the parent VM

I think this assumption is wrong. Privileged mode is to allow the docker container to perform privileged actions, like the FUSE mount that we're asking gcsfuse to do for us.

I had the same error as you and adding --privileged fixed the problem. According to this comment we can give lesser permissions to the container and things still work:

 --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined

...and this works for me too.
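
A pre-flight check for the two things the narrower flags above supply, written as an added example (not code from this thread or from the gcsfuse project): it reads the container's capability bounding set and looks for /dev/fuse, and reports when the container holds the full capability set rather than only CAP_SYS_ADMIN. The function names are hypothetical, and reading CapBnd rather than CapEff assumes the mount is performed by a setuid-root fusermount helper, as in the error log above.

```shell
#!/bin/sh
# Added example: checks, from inside a container, what a FUSE mount needs.
# Function names are hypothetical; nothing here comes from gcsfuse itself.

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN in <linux/capability.h>

# has_cap MASK_HEX BIT: succeeds if capability number BIT is set in the mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# classify_caps MASK_HEX LAST_CAP: prints one of
#   missing    - no CAP_SYS_ADMIN, so mount(2) will be refused
#   sys_admin  - CAP_SYS_ADMIN present without the full set
#   all        - every capability up to LAST_CAP, as granted by --privileged
classify_caps() {
    full=$(( (1 << ($2 + 1)) - 1 ))
    if [ $(( 0x$1 )) -eq "$full" ]; then
        echo all
    elif has_cap "$1" "$CAP_SYS_ADMIN_BIT"; then
        echo sys_admin
    else
        echo missing
    fi
}

# fuse_preflight: reports on the current container. The bounding set (CapBnd)
# is read rather than CapEff because a non-root user's effective set is
# normally empty and the mount is assumed to go through setuid-root fusermount.
fuse_preflight() {
    bnd=$(awk '/^CapBnd:/ {print $2}' /proc/self/status)
    last=$(cat /proc/sys/kernel/cap_last_cap)
    echo "capabilities: $(classify_caps "$bnd" "$last") (CapBnd=$bnd)"
    if [ -c /dev/fuse ]; then
        echo "/dev/fuse: present"
    else
        echo "/dev/fuse: missing (pass --device /dev/fuse)"
    fi
    if command -v fusermount >/dev/null 2>&1; then
        echo "fusermount: found"
    else
        echo "fusermount: not found"
    fi
}

# Print the report only when the script is invoked with the argument "run".
if [ "${1:-}" = "run" ]; then fuse_preflight; fi
```

A result of `all` means the container was started with more than the mount requires; `sys_admin` together with a present /dev/fuse matches the narrower flag set quoted above.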