steefdebruijn / docker-roonserver

RoonServer downloading Roon on first run

Additional Docker permissions required for SMB/CIFS remote file share capabilities #15

Closed paulowen closed 2 years ago

paulowen commented 2 years ago

For remote CIFS/SMB shares to function as music storage or backup targets within the container, additional docker permissions are required. Docker by default prevents mounting a remote volume inside the container as a security measure.

I thought of two options: find a way to tweak Docker security permissions and let Roon do its thing with shares natively, or mount the share on the host and publish it to the container as a local folder. I suspect the container would go nuts with any hiccup in the latter, so I chose the former. The decision was helped by seeing your published Dockerfile is doing nothing sinister in the image. Perhaps adding this to the documentation can help others?

Without the permission tweaks, the Roon app reports in a red box "There was an unexpected error: UnexpectedError" when attempting to mount the share - not so helpful. Under the hood, errors are seen in the RoonServer logs (/data/RoonServer/Logs/RoonServer_log.txt) as:

Warn: [roon/cifs] failed to connect to CIFS storage: Unable to apply new capability set.

Searching around, I found this, where the answer https://stackoverflow.com/a/40330794 solved the problem for me.

Adding the following to my docker-compose file now works (cap_add relevant to Docker, security_opt relevant to Ubuntu 20.04 running on my host):

cap_add:
    - SYS_ADMIN
    - DAC_READ_SEARCH
security_opt:
    - apparmor:unconfined

...or to a docker run command:

--cap-add SYS_ADMIN --cap-add DAC_READ_SEARCH --security-opt apparmor:unconfined

An alternative is to instead simply run the container with the privileged flag to disable the security measures entirely, but perhaps that is too loose? I don't know if one is looser than the other, or if there is a tighter solution than I listed. Hopefully those more familiar with Docker can chime in.
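An added check, not from this thread or the docker-roonserver project, that reads `docker inspect` output and lists which boundary each HostConfig setting relaxes, so the `privileged` flag can be compared with the narrower `cap_add` set above; the embedded JSON is a constructed sample shaped like the compose file in this thread, and `CAP_NOTES` and `audit` are names I chose.

```python
import json, sys

# Constructed sample in the shape of `docker inspect` output for the compose
# file in this thread; not captured from a real host.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/docker-roonserver",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN", "DAC_READ_SEARCH"],
        "SecurityOpt": ["apparmor:unconfined"],
        "NetworkMode": "host",
    },
}])

# What each added capability actually grants, beyond the CIFS mount case.
CAP_NOTES = {
    "SYS_ADMIN": "broad: mount(2) plus many other admin operations",
    "DAC_READ_SEARCH": "bypasses file read and directory search permission checks",
    "ALL": "every capability",
}

def _norm(cap):
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def audit(inspect_json):
    """Map container name -> list of relaxed security boundaries."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        found = []
        if hc.get("Privileged"):
            found.append("privileged: all capabilities, all host devices, AppArmor and seccomp disabled")
        for cap in sorted({_norm(x) for x in (hc.get("CapAdd") or [])}):
            found.append(f"cap_add {cap}: {CAP_NOTES.get(cap, 'see capabilities(7)')}")
        for opt in hc.get("SecurityOpt") or []:
            lsm, _, value = opt.replace("=", ":").partition(":")
            if value == "unconfined":
                found.append(f"{lsm}:unconfined: {lsm} confinement disabled")
        if hc.get("NetworkMode") == "host":
            found.append("network_mode host: shares the host network namespace")
        report[c.get("Name", "?").lstrip("/")] = found
    return report

if __name__ == "__main__":
    # Pipe `docker inspect <container>` in; falls back to the sample on a tty.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, items in audit(data).items():
        print(name, *items, sep="\n  ")
```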

alex-matthews commented 2 years ago

@paulowen would you mind sharing your full docker-compose file so far as it relates to this image? I'm looking to replicate your config but can't find an example schema for a roonserver container and I'm very new to docker and docker-compose.

paulowen commented 2 years ago

This will get it done. I use a version with MACVLAN as the network driver to get around port conflicts, but that is unnecessary.

version: "3.7"
services:
  docker-roonserver:
    image: steefdebruijn/docker-roonserver:latest
    container_name: docker-roonserver
    hostname: docker-roonserver
    network_mode: host
    environment:
      TZ: "Australia/Melbourne"
    volumes:
      - './app:/app'
      - './data:/data'
      - './music:/music'
      - './backup:/backup'
    restart: always
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    security_opt:
      - apparmor:unconfined