docker / for-linux

Docker Engine for Linux
https://docs.docker.com/engine/installation/

NFS-mounted subdirectories in read-only volumes are writeable #100

Open lazycodeninja opened 7 years ago

lazycodeninja commented 7 years ago

I've mounted a read-only volume that contains an NFS sub-directory in the host. Creating a file on the read-only volume is only prevented for the volume if the path is in the local file system, not for paths in the NFS sub-directory.

Expected behavior

The file isn't created and the command fails with a "<command>: Read-only file system" error, e.g. touch: /nas/test2: Read-only file system

Actual behavior

The file is created with no error.

Steps to reproduce the behavior

You'll need to create and mount an NFS share to test this, then use a basic Docker container (like Alpine) to write a file to it:

coder@workstation ~/Dev $ sudo mount -t nfs 192.168.1.102:/tmp/test-export /home/coder/Dev/temp/nfsmount # this needs to be a real NFS share
coder@workstation ~/Dev $ docker run -it -v ~/Dev/temp:/nas:ro alpine touch /nas/test2
touch: /nas/test2: Read-only file system
coder@workstation ~/Dev $ docker run -it -v ~/Dev/temp:/nas:ro alpine touch /nas/nfsmount/test2
coder@workstation ~/Dev $ ls -l ~/Dev/temp/nfsmount/
-rw-r--r-- 1 root  root     0 Sep 11 16:42 test2
coder@workstation ~/Dev $ 

Output of docker version:

Client:
 Version:      1.13.1-cs5
 API version:  1.27
 Go version:   go1.7.5
 Git commit:   21c42d8
 Built:        Fri Jul 21 23:47:37 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.13.1-cs5
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.7.5
 Git commit:   21c42d8
 Built:        Fri Jul 21 23:47:37 2017
 OS/Arch:      linux/amd64
 Experimental: false

Output of docker info:

Containers: 83
 Running: 2
 Paused: 0
 Stopped: 81
Images: 93
Server Version: 1.13.1-cs5
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 424
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 6c463891b1ad274d505ae3bb738e530d1df2b3c7
runc version: 54296cf40ad8143b62dbcaa1d90e520a2136ddfe
init version: 949e6fa
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-89-generic
Operating System: Linux Mint 18.1
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 31.35 GiB
Name: jason-minty
ID: BD3N:YQKJ:J4UL:JVEP:BH5C:LNOI:ZWTS:JJPV:BLSR:XBVH:YTQM:7R6P
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.)

thaJeztah commented 7 years ago

I don't think there's much that can be done there. Docker mounts the ~/Dev/temp directory read-only inside the container; the nfsmount mountpoint will be read-only, but the mount that's mounted there won't be affected. Other than somehow unmounting the NFS share and remounting it read-only, I don't think that'll be possible to change.

ping @cpuguy83 @kolyshkin any ideas? Don't think this will be possible to change
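The mechanism thaJeztah describes (the ro flag from -v host:/nas:ro sits on the mount at /nas only, while the NFS filesystem already mounted beneath it keeps its own rw flag) is visible from inside the container in /proc/self/mountinfo, where every mount carries its own per-mount options. The following is an added audit script, not code from this issue or from Docker: it parses mountinfo and lists mounts nested under a read-only mount point that are not themselves read-only, which is exactly the /nas/nfsmount case in the reproduction above. The sample mountinfo text is constructed for the example; the paths and the export 192.168.1.102:/tmp/test-export are taken from the report, the mount IDs, device numbers and the aufs super options are made up, and the function names are my own.

```python
"""Find writable mounts nested under a read-only mount in a mountinfo listing.

Added example for docker/for-linux#100 (not Docker's code). A `-v dir:/nas:ro`
bind mount sets MS_RDONLY on the mount at /nas only; a filesystem that was
already mounted below that directory on the host (the NFS share) is rbind-ed
into the container with its own flags, so it stays writable.
"""
import re
import sys
from typing import List, NamedTuple


class Mount(NamedTuple):
    mount_id: int
    parent_id: int
    mount_point: str
    options: frozenset        # per-mount flags (field 6), e.g. {"ro", "relatime"}
    fs_type: str
    source: str


# mountinfo escapes space, tab, newline and backslash in paths as \ooo octal.
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse /proc/<pid>/mountinfo lines.

    Layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
    The optional fields (shared:N, master:N, ...) end at the lone "-" separator.
    """
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(
            mount_id=int(pre_fields[0]),
            parent_id=int(pre_fields[1]),
            mount_point=_unescape(pre_fields[4]),
            options=frozenset(pre_fields[5].split(",")),
            fs_type=post_fields[0],
            source=_unescape(post_fields[1]),
        ))
    return mounts


def _is_under(path: str, top: str) -> bool:
    # Path-component aware: /nasty is not under /nas.
    return path == top or path.startswith(top.rstrip("/") + "/")


def writable_submounts(mounts: List[Mount], ro_mount_point: str) -> List[Mount]:
    """Mounts stacked below `ro_mount_point` whose own flags lack `ro`.

    Raises if the given path is not a mount point or is not read-only itself,
    so a typo in the volume path is not silently reported as "clean".
    """
    top = [m for m in mounts if m.mount_point == ro_mount_point]
    if not top:
        raise LookupError(f"{ro_mount_point} is not a mount point")
    if "ro" not in top[-1].options:       # last entry wins if overmounted
        raise ValueError(f"{ro_mount_point} is not mounted read-only")
    return [
        m for m in mounts
        if m.mount_point != ro_mount_point
        and _is_under(m.mount_point, ro_mount_point)
        and "ro" not in m.options
    ]


def audit(text: str, ro_mount_point: str) -> List[str]:
    """One finding string per writable submount, for logging or alerting."""
    return [
        f"{m.mount_point} ({m.fs_type} from {m.source}) is writable inside read-only {ro_mount_point}"
        for m in writable_submounts(parse_mountinfo(text), ro_mount_point)
    ]


# Constructed mountinfo as the container in the report might see it: /nas is
# the read-only bind of ~/Dev/temp, /nas/nfsmount the NFS share already mounted
# below it on the host, plus a second (constructed) share that is mounted ro.
SAMPLE_MOUNTINFO = """\
201 180 0:48 / / rw,relatime - aufs none rw,si=9b4a76443c4c5a1b
214 201 0:49 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
215 201 8:1 /home/coder/Dev/temp /nas ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
216 215 0:51 / /nas/nfsmount rw,relatime - nfs4 192.168.1.102:/tmp/test-export rw,vers=4.2,addr=192.168.1.102
217 215 0:52 / /nas/ro\\040share ro,relatime - nfs4 192.168.1.102:/tmp/ro-export ro,vers=4.2,addr=192.168.1.102
"""

if __name__ == "__main__":
    # Live use inside a container:  python3 audit.py /nas < /proc/self/mountinfo
    data = SAMPLE_MOUNTINFO if sys.stdin.isatty() else sys.stdin.read()
    target = sys.argv[1] if len(sys.argv) > 1 else "/nas"
    for finding in audit(data, target):
        print("WARNING:", finding)
```

On the sample the script reports only /nas/nfsmount; the second share is skipped because its own options contain ro. The same check works on the host against /proc/<container-pid>/mountinfo. As for fixing the hole itself: on the kernel in the report the only options are the ones thaJeztah lists (mount the share read-only on the host, or remount each nested mount with -o remount,bind,ro before starting the container), since MS_RDONLY on a bind is not recursive there; Linux 5.12 and later can apply it recursively through mount_setattr(2) with AT_RECURSIVE, which later Docker Engine releases expose as the bind-recursive=readonly option of --mount type=bind.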