SOLVED Configuring Dataset and NFS permissions for virtualized docker

mihies

Dabbler
Joined
Jan 6, 2022
Messages
32
Hi guys,

I'm running Alpine as a virtual machine and Docker within it. I'd like to use mounted ZFS datasets for Docker volumes.
On TrueNAS (Cobia) side:
I have a local group docker_share consisting of root and my username as members.
I'd create a dataset, set its ACL Mode to SMB/NFS4, set the owner user to root and the group to docker_share, and set the NFS4 permissions for user@, group@ and everyone@ to Full Control.
Then I'd enable an NFS share for said dataset.

On Alpine side:
I'd mount the NFS share from above (fstab entry:
TRUENAS_IP:/mnt/myvolume /mnt/myvolume nfs4 rw,hard,intr,rsize=8192,wsize=8192,timeo=14 0 0
)

It almost works, except that when I start a Docker container using this volume it gets "Permission denied" here and there.
Basically the question is: how do I set permissions on the dataset/NFS share in a way that Docker will work with? I thought everyone@ should do the trick.
I also guess I'm missing something stupid.
TIA
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
What operations are being rejected?
 

mihies

Dabbler
Joined
Jan 6, 2022
Messages
32
Here is an example of tt-rss whining when it is created from scratch:
app-1 | adduser: /var/www/html: Operation not permitted
app-1 | cp: can't create '/var/www/html/index.php': Permission denied
The Docker mount is like
- /mnt/tt-rss/app:/var/www/html
and ls -la /mnt/tt-rss yields
drwxr-xr-x 2 1100 66533 2 Feb 16 15:06 app
drwxr-xr-x 2 dockrema nogroup 2 Feb 16 15:06 config.d
drwx------ 19 170 nogroup 25 Feb 16 15:07 data

If I use a local volume, everything is fine.
Sidenote: I'm using container isolation with user namespaces as described in https://wiki.alpinelinux.org/wiki/Docker

When I restart the container, postgres yields errors as well, such as
find: /var/lib/postgresql/data: Permission denied
where the volume is mounted as
- /mnt/tt-rss/data:/var/lib/postgresql/data
and has been populated during creation.

Does this clear anything up?
 

mihies

Dabbler
Joined
Jan 6, 2022
Messages
32
I guess the container namespace isolation is at play here. Turning it off does the trick and everything works as expected.
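As an added illustration (not code from this thread or from Docker), the following maps the UIDs/GIDs a container sees to the host-side numeric IDs that end up on the NFS-backed directories under the user-namespace remapping the Alpine wiki describes, which is why the ls output above shows plain numbers rather than names. The /etc/subuid lines are constructed samples and the remap user name dockremap is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdRange:
    start: int  # first host id of this subordinate range
    count: int  # number of ids in the range


def parse_subid(text: str, user: str) -> List[IdRange]:
    """Parse /etc/subuid or /etc/subgid content ("user:start:count" per line)
    and return the ranges granted to `user`, in file order.  Several lines for
    the same user are concatenated into one contiguous container-side id space,
    which is how newuidmap/newgidmap build the kernel mapping."""
    ranges: List[IdRange] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    return ranges


def container_to_host(cid: int, ranges: List[IdRange]) -> Optional[int]:
    """Host id that a file written by container id `cid` is owned by.
    None means the id is outside every mapped range (the host then sees the
    overflow id, 65534, instead of a real owner)."""
    offset = 0  # container ids are assigned contiguously across ranges
    for r in ranges:
        if offset <= cid < offset + r.count:
            return r.start + (cid - offset)
        offset += r.count
    return None


def host_to_container(hid: int, ranges: List[IdRange]) -> Optional[int]:
    """Inverse: which container id owns a host file with numeric owner `hid`.
    Useful for reading `ls -ln` output on the NFS export; None means the file
    was not written through the remapped namespace at all."""
    offset = 0
    for r in ranges:
        if r.start <= hid < r.start + r.count:
            return offset + (hid - r.start)
        offset += r.count
    return None


SUBUID_SAMPLE = "dockremap:100000:65536\n"  # constructed sample, not from the thread
```

Feeding the numeric owners from the ls output into host_to_container tells you whether they fall inside the dockremap range, i.e. whether the container's own uid (for example postgres's) was remapped before it reached the NFS server.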
 