NFS CSI and userns-remap

dbd · August 12, 2022, 10:22am

Hi.

I’m playing with a test Nomad cluster, to manage Docker containers. For obvious security reason, I’d like to run Docker daemon with “userns-remap=default”, which is working nicely for simple workloads.

Now come into play CSI plugins. Tried a few different NFS ones (for example in0rdr/nomad-csi-driver-nfs-example: Example for CSI Driver NFS with Nomad - nomad-csi-driver-nfs-example - Codeberg.org or rocketDuck / NFS CSI-Plugin · GitLab). As I’m running with userns-remap, I disable this for the controller and nodes job by adding in the tasks’ config

userns_mode = "host"
privileged = "true"

But when the NFS share is to be mounted, I still get the error

mount.nfs: not installed setuid - "user" NFS mounts not supported.

Also tried with

cap_add = ["sys_admin"]

with no more success.

As soon as I disable userns-remap in Docker daemon, everything is working, but I don’t really want to disable it globally .

Anyone here managed to get CSI plugins working with userns-remap turned on ?

dbd · August 18, 2022, 1:53pm

Just a followup as I found where the issue is coming from. If userns-remap is enabled at the daemon level, file ownership inside Docker images will be remapped, no matter if userns is disabled for a specific container (because Docker images are shared among all the containers). So we end with /bin/mount owned by the remapped user (in my case, 100000), and as /bin/mount is SUID, even root exec’ing it will have the privileges dropped to 100000, and the mount fails.

Now looking for a proper fix for this (I mean, something nicer than a chown root:root or chmod u-s in an entrypoint wrapper)

dbd · August 18, 2022, 2:12pm

For those having a similair issue, for now I’m doing this

Define a template stanza which adds my entrypoint wrapper, like this (in this example /linstor-csi is the original entrypoint of the image)

      template {
        data = <<-EOF
          #!/bin/sh
          set -e
          chown root:root /bin/mount /bin/umount
          exec /linstor-csi "$@"
        EOF
        destination = "local/entrypoint.sh"
        perms = "755"
      }

override the entrypoint to exec adding this in the config section of the task

entrypoint = ["/local/entrypoint.sh"]

It’s not pretty, and I’d gladly take a cleaner solution. But I still prefer this rather than disabling userns-remap globally