How to correctly use network storage when running docker?

nanderson · June 8, 2023, 3:40am

I saw the news of 2023.6.0 introducing network storage for backups. Running in a docker container I am unable to utilize the new feature, but it got me wanting to reconfigure my docker setup to utilize my Synology NAS for backups. Originally I was going to add a new volume to my container pointing to /mnt/nas that’s managed by the host’s fstab. The resulting docker container failed to run due to some permission errors so I tried to have the container itself mount the nfs share but this exhausts my knowledge of docker and nfs shares pretty quickly. Based on this stack exchange post, I put together the following docker-compose file.

version: "3.2"

services:
    homeassistant:
        container_name: homeassistant
        image: "ghcr.io/home-assistant/home-assistant:stable"
        volumes:
          - ~/test/home-assistant/config:/config
          - /etc/localtime:/etc/localtime:ro
          - /run/dbus:/run/dbus:ro
          - nfs-backups:/config/backups
        restart: unless-stopped
        privileged: true
        network_mode: host

volumes:
  nfs-backups:
    driver_opts:
      type: "nfs"
      o: "addr=[nfs-address],nolock,soft,rw"
      device: ":/volume1/home-assistant/backups"

It seems to work on the initial backup I created on this fresh home assistant, but I wanted to see if others have tackled this topic and have a more refined or robust way to mount an nfs share for use with backups. I know nfs shares can be fickle and I’d hate to run with something like this only to find out all my backups are corrupt when I need them.

enzo2 · June 8, 2023, 5:54pm

Ditto, works for me as well. I suppose the alternate would be to use SMB (cifs), which has worked well for me on my frigate docker container, which is a more intensive use case. I’m sure people have differing opinions on SMB vs NFS. Probably if one or the other works, then it doesn’t matter.

crc-error79 · June 8, 2023, 6:20pm

why I always get stucked with permissions… user inside of container is root, owner of the nfs folder on truenas is root, so it should be ok, but if from inside of the container I try to create a file touch test I get permission denied error…

apollo@apollo:~/docker_data$ docker exec -it home-assistant /bin/bash 
8b3f94619094:/config# touch backups/test
touch: backups/test: Permission denied
8b3f94619094:/config# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
8b3f94619094:/config#

For some reason truenas doesn’t map the share as I specified… so I have solved

thanks @nanderson for the share

timj.pdx · June 8, 2023, 10:00pm

NFS blocks root access to the server. You will come across as user ‘nobody’ and probably have not any permissions on the server. You need run as a normal user on the client and have the files on the server owned by the same person.

nanderson · June 9, 2023, 4:59am

I’m sure it’s not great practice but I have my NFS share squash all users to admin to avoid some pain with permissioning.

WallyR · June 9, 2023, 5:42am

You would probably be surprised if someone with the same name as you could access your bank account and withdraw money.

Just because the name is the same then the user might not be and root is a REALLY common username.

crc-error79 · June 9, 2023, 6:42am

ok but what if my root has same number on both sides?

nas
root:root - 0:0

other
root:root - 0:0

can I withdraw the money from bank now?

edit “phone corrector”

WallyR · June 9, 2023, 4:19pm

No, because you also have a hidden token for each user that is machine specific.
If you want to be able to use the same user across machines then you need a synchronisation service, like a domain service or Yellow pages service for Linux or similar.
These services will sync domain users, but root will typically stay as a machine specific user.

timj.pdx · June 9, 2023, 10:06pm

NFS client just passes the uid to the server. If the uid maps to a different user on the server, NFS does not care. If the uid is ‘0’ (root) it maps the uid to the ‘nobody’ account on the server (uid: 65538). The ‘nobody’ user should not have any permissions to do any damage on the server.

crc-error79 · June 10, 2023, 7:36am

Thank you I am not a big linux expert I thought that use the same user/group on both sides was enough.

Ok, I know we are OT now, but I want to understand

Is it only related to root user?
If I create an user with the same number & group (different from root) can I access?
Or will I have the same “mechanics”?

NAS
my_nfs_user:my_nfs_user 3000:3000

PC
my_nfs_user:my_nfs_user 3000:3000

thanks

WallyR · June 10, 2023, 11:40am

I had to read up on the Linux user system.
As long as you use self made values for users and groups then you are fine.
Root and a few other specific standard users/groups have security mechanisms to prevent rights elevation in inappropriate ways.