Access EOS dirs inside Docker container

Hi there!

I need to access some EOS dirs inside a Docker container. To be clear, I don’t need to mount EOS inside the container, I just want to make a single path available. Is this possible?

So far, I’ve had no success, here’s what I tried:

  1. Get a Kerberos ticket, eosfusebind -> all works ok, I can see inside /eos/project/c/cernvm …
  2. I try to run a Docker container binding the directory:

# docker run -it --rm -v /eos/project/c/cernvm:/eos/project/c/cernvm ubuntu:xenial bash

and I get an error:

Error response from daemon: Cannot start container 382800caa21d0121956e43fb9aa16bfb749731e763ee78c75d27aa915d71c4bc: stat /eos/project/c/cernvm: permission denied

The error also occurs if I run the container with “--privileged=true”.

Any help is appreciated, let me know if I can provide more info.

Thanks!
Radu

Hi Radu

I think it’s necessary that the user that runs the docker command (typically root) has access rights to the EOS folder that you want to mount/map into the container with the “-v” flag. If this is not possible you could allow other users with EOS access rights to use docker by adding them to the docker group.

In the container itself you need to create a user that has the same UID as the user for which you have created the kerberos ticket and have run “eosfusebind -g”. Then su’ing to this user in the container gives you access to the EOS files mounted/mapped into the container.

Cheers
Armin

Thanks for the information, Armin.

Both mounting EOS and the “docker run” command are run by root. In the host environment, root doesn’t have any problem accessing the relevant folder in EOS.

In the container, I’ve tried accessing it as root and as a user with the same uid as in the host (I used the --uid parameter to “docker run”).

Cheers,
Radu

What version of docker are you running? There have been some changes in Docker over the versions in how namespaces, fuse and volume mounting of the fuse filesystems have worked.

What you’ve done should work fine, and it certainly works fine in our environment using Citrine 4.2.28, and Docker 17.05.

I think this is the problem. I’m using an ancient version of Docker (1.7.1), the one available for SLC6. I’ll try installing a newer version of Docker on that machine.

Thanks,
Radu

Please let us know if it works. Back in older versions of Docker, the default namespace configuration on file systems meant that filesystems, particularly fuse mounts, wouldn’t work properly. It’s quite a few versions ago meaning unfortunately I can’t remember the magic command sequences to get it working.

Either way, I’d highly recommend going to at least version 17 if possible.

I hoped to be able to run a certain script accessing the EOS mount, from Docker as a quick work-around for a problem I’ve encountered. Unfortunately, it seems that the version of Docker and the OS are too old…

The proper solution will involve upgrading the machine to CentOS 7, installing a new version of Docker. It’s good to know that this configuration shouldn’t cause problems. The upgrade work will take place some time in Oct, I’ll write back here with the results.

Thanks again!

I’m checking back here, as promised.

I have a new machine running CERN CentOS 7, EOS 4.3.3, Docker 18.09.

I’m still not able to bind mount the eos project directory into a container. I’m doing the following steps as root:

# kinit cvmadmin
# eosfusebind
# ls /eos/project/c/cernvm -> all ok!

Then, the following fails:

# docker run -it --rm -v /eos/project/c/cernvm:/eos/project/c/cernvm centos:centos6 bash 

with the error:
error while creating mount source path '/eos/project/c/cernvm': mkdir /eos/project: file exists.

Running the docker command with --privileged gives the same error.

Could you please help me understand what I’m doing wrong?

Many thanks!
Radu

Hi to everyone,
if you are still dealing with this problem, I had a similar one and the problem is in the path of the project:
/eos/project/c/cernvm
I don’t know why, but /eos/project/ is not passed to the container; it has only project-a, project-b, project-c, etc. In fact it is enough to change all the references from /eos/project/c/ to /eos/project-c/ and it worked for me.
Hope it helped.
Matteo
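
The path change Matteo describes, combined with Armin's point about matching the UID that holds the Kerberos ticket, as an added example that is not part of the original thread. The function names are hypothetical; the `/eos/project-<letter>/` layout is assumed from Matteo's report, and using `--user` with a numeric UID:GID and a read-only (`:ro`) bind in place of `--privileged` is this example's own choice.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Rewrite /eos/project/<letter>/<name>... to /eos/project-<letter>/<name>...,
# the form reported to work as a bind-mount source (assumption from the thread).
# Any other path is returned unchanged.
eos_bind_path() {
    case "$1" in
        /eos/project/[a-z]/?*)
            rest=${1#/eos/project/}    # e.g. c/cernvm/sub
            letter=${rest%%/*}         # e.g. c
            printf '/eos/project-%s/%s\n' "$letter" "${rest#*/}"
            ;;
        *)
            printf '%s\n' "$1"
            ;;
    esac
}

# Build (but do not run) a docker command line that binds the rewritten path
# read-only and runs the container process as the given UID:GID, so no
# --privileged flag is needed. Drop ":ro" if the job has to write to EOS.
#   $1 = EOS path, $2 = image, $3 = uid:gid of the Kerberos ticket owner
eos_docker_cmd() {
    src=$(eos_bind_path "$1")
    printf 'docker run -it --rm --user %s -v %s:%s:ro %s bash\n' \
        "$3" "$src" "$src" "$2"
}

# Sample input: the path and image quoted in the thread, with the UID:GID
# of whoever runs this script.
eos_docker_cmd /eos/project/c/cernvm centos:centos6 "$(id -u):$(id -g)"
```

The script only prints the command, so it can be reviewed before it is run on the host where `kinit` and `eosfusebind` were done.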