ehough
commented
5 years ago Sorry for the late response - I was out of the office all last week.
I'm not too familiar with Swarm but I'll do my best to explain my understanding and hopefully this will help you come up with a good solution.
Without Kerberos, NFS is limited to IP-based authorization. i.e. the server checks the client IP to determine if access to a mount is permitted. If you know your client IPs ahead of time and your networking setup exposes those client IPs to the NFS server container (i.e. no NAT in between), then you can get away with this. IMHO there are very few cases where this is really useful, and to me it seems more of a relic from simpler times.
If security is a requirement, I strongly recommend you turn on Kerberos security. It's the only way to get strong authentication, encryption, and data integrity. The downside to this is, of course, that you'll need to run a Kerberos KDC, add your clients to it, and configure your clients to mount NFS using Kerberos. That's quite a lot of extra work, but once it's in place it works very well.
Does that help at all? Let me know if I can elaborate on anything. Closing this issue but let's continue the discussion.
I have a bunch of Swarm nodes running hostile code (think Jupyterhub), each node will access their own directory on the NFS. What's the best way to go with this? export file+node IP level isolation? Docker Stack (a single notebook server container on hostile node + a NFS server on NFS node)? I am not sure what's the best way to configure this that is both simple to use and optimal performance-wise.