Using ecryptfs inside Docker without --privileged.

Posted 2020-06-29 04:51

Question:

I'm required to set up a Docker container inside which part of the filesystem is encrypted. Please let's not dwell on the why, the answer is ugly and more political than technical.

In case it matters, the particular part to be encrypted will be a volume mount from the host, although I'm initially trying this out just in the container's /tmp. Because of the way our deployment works it would be inconvenient to do the ecryptfs stuff directly on the volume, outside the container; I want to do the mount inside as part of a shell script run as the CMD.

I can do this ok provided I run the container with --privileged (thanks to this throwaway comment) - but I don't want to grant everything that comes with that. By trial and error I've discovered that adding --cap-add IPC_LOCK gets over the first inscrutable error (Exiting. Unable to obtain passwd info) but the process later fails with this:

mount: block device /tmp/enc is write-protected, mounting read-only
mount: cannot mount block device /tmp/enc read-only
Error mounting eCryptfs: [-1] Operation not permitted
Check your system logs; visit <http://ecryptfs.org/support.html>

Adding all the capabilities doesn't help here - the problem lies elsewhere.

The docker-run docs say that --privileged also takes down the barriers relating to the --device parameter, gives fuse as an example of something that would need --device set, and shows rather similar looking errors in the "before" example. ecryptfs and fuse seem like they'd have a certain amount in common, so this feels like a good clue.

I tried adding --device /tmp/enc to my docker run command, to no avail (host doesn't know about this path, which makes sense). I also noticed that there's a /dev/ecryptfs (though I don't know what it does) and tried that. Container ran, but ecryptfs mount wouldn't work.

It's starting to seem worryingly as if this can't be done... Any ideas?
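A pre-flight check for the situation described in the question, added here as an example and not code from the thread or from the ecryptfs-utils project. Run inside the container before the ecryptfs mount, it decodes the CapEff line of /proc/self/status against the capability bit numbers from <linux/capability.h> (CAP_IPC_LOCK is bit 14, CAP_SYS_ADMIN is bit 21, and mount(2) requires CAP_SYS_ADMIN), checks that the /dev/ecryptfs character device is visible, and reports whether a seccomp filter is active. The seccomp note is my own caveat, not something the thread establishes: eCryptfs keys are stored in the kernel keyring, and Docker's default seccomp profile does not allow the add_key/keyctl/request_key syscalls, which is one way a container can have every capability and still fail. The script name ecryptfs_precheck.sh, the CapEff values in the comments, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic (not code from the thread). Run it inside the container,
# before the ecryptfs mount, to see whether the pieces that mount(2) and the
# ecryptfs-utils helper need are actually present. It reads the CapEff and
# Seccomp lines from /proc/self/status and looks for the /dev/ecryptfs node.

# Capability bit numbers as defined in <linux/capability.h>.
CAP_IPC_LOCK=14   # mlock()/mlockall(); the question's IPC_LOCK finding points here
CAP_SYS_ADMIN=21  # mount(2) of any filesystem, eCryptfs included

# has_cap HEXMASK BIT: succeed if capability BIT is set in HEXMASK (a CapEff value,
# e.g. Docker's default set 00000000a80425fb, which has neither bit 14 nor bit 21).
has_cap() {
    mask=$1
    bit=$2
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_field NAME [STATUSFILE]: print the hex value of "Cap<NAME>:" (Eff, Prm, Bnd, ...).
cap_field() {
    awk -v key="Cap$1:" '$1 == key { print $2 }' "${2:-/proc/self/status}"
}

# seccomp_mode [STATUSFILE]: print the Seccomp field (0 disabled, 1 strict, 2 filter).
seccomp_mode() {
    awk '$1 == "Seccomp:" { print $2 }' "${1:-/proc/self/status}"
}

# check_status [STATUSFILE] [DEVNODE]: report each prerequisite and return how many
# are missing (0 means the obvious blockers are absent; the mount may still fail).
check_status() {
    file=${1:-/proc/self/status}
    dev=${2:-/dev/ecryptfs}
    missing=0
    eff=$(cap_field Eff "$file")

    if has_cap "$eff" "$CAP_SYS_ADMIN"; then
        echo "ok      CAP_SYS_ADMIN in CapEff ($eff): mount(2) is permitted"
    else
        echo "missing CAP_SYS_ADMIN in CapEff ($eff): mount(2) fails with EPERM"
        missing=$((missing + 1))
    fi

    if has_cap "$eff" "$CAP_IPC_LOCK"; then
        echo "ok      CAP_IPC_LOCK in CapEff: mlock() of key material is permitted"
    else
        echo "missing CAP_IPC_LOCK in CapEff: expect the 'Unable to obtain passwd info' exit"
        missing=$((missing + 1))
    fi

    if [ -c "$dev" ]; then
        echo "ok      $dev is a character device"
    else
        echo "missing $dev (pass it with --device, or the ecryptfs module is not loaded)"
        missing=$((missing + 1))
    fi

    # Seccomp mode 2 means a filter is active (Docker's default profile is one).
    # eCryptfs keys live in the kernel keyring, and the default profile does not
    # allow add_key/keyctl/request_key, so a filter is worth knowing about even
    # when every capability is present.
    mode=$(seccomp_mode "$file")
    if [ "$mode" = "2" ]; then
        echo "note    Seccomp filter active (mode 2): keyring syscalls may be denied"
    else
        echo "ok      Seccomp mode ${mode:-unknown}: no syscall filter in the way"
    fi

    return "$missing"
}

# Stand-alone use inside the container: report on this process.
if [ "${0##*/}" = "ecryptfs_precheck.sh" ]; then
    check_status
fi
```

Copy it into the image and run it as the first step of the CMD, before ecryptfs-mount-private or the mount -t ecryptfs call; with the default Docker capability set it reports CAP_SYS_ADMIN as missing, and with --cap-add IPC_LOCK alone it still does. A clean report is necessary but not sufficient: the question itself notes that adding all capabilities was not enough, which is why the script also flags an active seccomp filter.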

Answer 1:

It seems that the actual storage-drivers used by docker do not work on eCryptFS.

Check these issues in the repository.