I'm required to set up a Docker container inside which part of the filesystem is encrypted. Please let's not dwell on the why, the answer is ugly and more political than technical.

In case it matters, the particular part to be encrypted will be a volume mount from the host, although I'm initially trying this out just in the container's `/tmp`. Because of the way our deployment works it would be inconvenient to do the ecryptfs stuff directly on the volume, outside the container; I want to do the mount inside as part of a shell script run as the `CMD`.
I can do this ok provided I run the container with `--privileged` (thanks to this throwaway comment) - but I don't want to grant everything that comes with that. By trial and error I've discovered that adding `--cap-add IPC_LOCK` gets over the first inscrutable error (`Exiting. Unable to obtain passwd info`) but the process later fails with this:

```
mount: block device /tmp/enc is write-protected, mounting read-only
mount: cannot mount block device /tmp/enc read-only
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>
```
Adding all the capabilities doesn't help here - the problem lies elsewhere.
The docker-run docs say that `--privileged` also takes down the barriers relating to the `--device` parameter, gives fuse as an example of something that would need `--device` set, and shows rather similar looking errors in the "before" example. ecryptfs and fuse seem like they'd have a certain amount in common, so this feels like a good clue.

I tried adding `--device /tmp/enc` to my `docker run` command, to no avail (host doesn't know about this path, which makes sense). I also noticed that there's a `/dev/ecryptfs` (though I don't know what it does) and tried that. Container ran, but ecryptfs mount wouldn't work.
It's starting to seem worryingly as if this can't be done... Any ideas?
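When capabilities are being added by trial and error, the first thing worth checking is what the container process actually ends up with. The script below is an added example, not code from the original question: it decodes the `CapEff` mask and `Seccomp` mode from `/proc/self/status`, run here against a constructed sample whose mask I assume matches Docker's default capability set.

```shell
#!/bin/sh
# Constructed sample of the capability/seccomp lines from /proc/self/status.
# Assumption: 00000000a80425fb is the mask a container gets with Docker's
# default capability set; on a real container use "$(cat /proc/self/status)".
SAMPLE_STATUS='CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Seccomp: 2'

# Capability bit numbers as defined in linux/capability.h.
CAP_CHOWN=0
CAP_IPC_LOCK=14
CAP_SYS_ADMIN=21

# cap_in_mask HEXMASK BIT: exit 0 if that capability bit is set in the mask.
cap_in_mask() {
  mask=$1; bit=$2
  [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# field_from_status STATUS_TEXT FIELD: print the value of a "Field: value" line.
field_from_status() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# effective_cap_present STATUS_TEXT BIT: exit 0 if the bit is in CapEff.
effective_cap_present() {
  cap_in_mask "$(field_from_status "$1" CapEff)" "$2"
}

# seccomp_mode STATUS_TEXT: print 0 (disabled), 1 (strict) or 2 (filter).
seccomp_mode() { field_from_status "$1" Seccomp; }

# report STATUS_TEXT: one line per capability of interest plus the seccomp
# mode, since a seccomp filter can deny a syscall even when the cap is held.
report() {
  for entry in CHOWN:$CAP_CHOWN IPC_LOCK:$CAP_IPC_LOCK SYS_ADMIN:$CAP_SYS_ADMIN; do
    name=${entry%%:*}; bit=${entry##*:}
    if effective_cap_present "$1" "$bit"; then state=present; else state=missing; fi
    printf 'CAP_%s: %s\n' "$name" "$state"
  done
  printf 'seccomp mode: %s\n' "$(seccomp_mode "$1")"
}

report "$SAMPLE_STATUS"
```

Comparing the output inside the container before and after each `--cap-add` shows whether a flag changed the effective set at all, which separates a missing capability from a restriction enforced elsewhere (seccomp or an LSM).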