ehough / docker-nfs-server

A lightweight, robust, flexible, and containerized NFS server.
https://hub.docker.com/r/erichough/nfs-server/
GNU General Public License v3.0

User permissions #45

Closed Exlipse7 closed 4 years ago

Exlipse7 commented 4 years ago

I have a question about user specific permissions, specifically with this container build. Normally on NFS, the nfs-server directory/file permissions would map 1-1 with the nfs-client permissions, so if uid=1000 has write access on the server then uid=1000 on the client would also have write access. At which levels do I need the users to exist? Just inside the container, just inside the docker-host, or both? Also, do I need to run the container as a particular user? On all of my other containers I've built them to run as a docker user that only has access to areas of the host it needs to function. Any help on how nfs user mapping works with regard to this container would be great. Thank you!

ehough commented 4 years ago

All good questions! I'll do my best to answer.

> At which levels do I need the users to exist? Just inside the container, just inside the docker-host, or both?

You don't really need to create users anywhere; the container will happily serve files that are owned by a non-existent (from the container's perspective) user. The NFS server doesn't care if there's a matching user in /etc/password or otherwise. Whatever numeric IDs that the container sees for the files (ls -n) is what will be served up via NFS, and it's up to the NFS client to try to match the user ID to a local user.

Does that make sense?

> do I need to run the container as a particular user?

I haven't tested running the container as a user other than root. It very well may be possible and I think I will experiment. But since you are required to run the container with CAP_SYS_ADMIN, running as a non-root user won't give you much added security, i.e. a non-root user granted CAP_SYS_ADMIN has lots of power compared to a "regular" user.

> Normally on NFS, the nfs-server directory/file permissions would map 1-1 with the nfs-client permissions, so if uid=1000 has write access on the server then uid=1000 on the client would also have write access.

Just to be pedantic, what you described here is 100% accurate for NFSv3; the numeric IDs on the client and server are assumed to be of the same namespace. NFSv4 introduces the ability to use user ID mapping, which is a lot more flexible but also significantly harder to configure.

Hope that answers your questions for now? I'm going to close the issue but please feel free to continue the discussion or ask follow-ups.
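An added example, not part of the original thread and not code from the docker-nfs-server project: a small audit of the numeric owner and group IDs under an exported directory, showing which of them resolve to a name on the host where it runs. The function names are hypothetical and the directory is taken from the command line; running it once against the export inside the container and once against the mount on a client shows where the same number means a different account, or no account at all.

```python
import grp
import os
import pwd
import sys
from collections import Counter


def collect_ids(root):
    """Count the numeric owner/group IDs under root (the values `ls -n` shows)."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    uids, gids = Counter(), Counter()
    for path in paths:
        st = os.lstat(path)  # lstat: describe a symlink itself, never its target
        uids[st.st_uid] += 1
        gids[st.st_gid] += 1
    return uids, gids


def local_user(uid):
    """Name this host gives the UID, or None if no local account has it."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def local_group(gid):
    """Name this host gives the GID, or None if no local group has it."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def audit(root, user_of=local_user, group_of=local_group):
    """Map each numeric ID found under root to (local name or None, entry count)."""
    uids, gids = collect_ids(root)
    return {"uid": {i: (user_of(i), n) for i, n in sorted(uids.items())},
            "gid": {i: (group_of(i), n) for i, n in sorted(gids.items())}}


def unmapped(report):
    """IDs that exist on disk but resolve to no name on this host."""
    return {kind: [i for i, (name, _) in ids.items() if name is None]
            for kind, ids in report.items()}


if __name__ == "__main__":
    report = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, ids in report.items():
        for num, (name, count) in ids.items():
            print(f"{kind}={num:<8} {name or '<no local name>':<20} {count} entries")
```
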

Exlipse7 commented 4 years ago

Yes, that all makes sense. Thank you very much. I guess I was more concerned about writing back to the server, if (since the container is running as root) that would affect the permissions on files created by the nfs-client. If it 'just works' as a pass-through and the files are made with the permissions from the client side then that's great. It may be a lack of understanding on my part of the finer details of NFS in general.