
[question] Is SYS_ADMIN / --privileged capabilities needed to run mountpoint-s3 within docker / k8s? #1204

Open
vadimkantorov opened this issue Dec 20, 2024 · 4 comments
Labels
question Further information is requested

Comments

@vadimkantorov

vadimkantorov commented Dec 20, 2024

Typically these are needed to run sudo mount, but are they needed for mounting with mountpoint-s3?

It would seem not?

I also wonder if Docker's --mount command-line argument could be used for creating mountpoint-s3 mounts at container launch time?

Thanks!

@unexge
Contributor

unexge commented Dec 27, 2024

Hey @vadimkantorov, the mount syscall requires the CAP_SYS_ADMIN capability, so I think that would be needed to mount Mountpoint inside Docker. The --privileged option of Docker seems to include a bunch of things, including all capabilities; omitting --privileged and just passing the CAP_SYS_ADMIN capability might work, but I haven't tested that. The best way would be just testing it, I guess.

Doing the mount on your host and using a bind mount in Docker might work and might allow you to omit those settings from your Docker container, but I haven't tested that either.

That being said, have you checked the Mountpoint CSI Driver? The CSI Driver would handle mounting and some other parts for you if you want to use Mountpoint in Kubernetes.

@unexge unexge added the question Further information is requested label Dec 27, 2024
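The three options weighed in the comment above (full --privileged, only CAP_SYS_ADMIN plus /dev/fuse, or mounting on the host and bind-mounting in) are easy to confuse, and "just test it" starts with checking what the container actually has. The script below is an added example, not code from the Mountpoint project or from either participant. It prints the extra docker run flags for each mode and probes whether the shell it runs in holds CAP_SYS_ADMIN and can see /dev/fuse. The paths /mnt/s3 and /data, the IMAGE and BUCKET placeholders, and the claim that Docker's default seccomp profile admits mount(2) once CAP_SYS_ADMIN is granted while its default AppArmor profile still denies mount are assumptions of this example, not statements from the thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the Mountpoint project or the thread authors.
# Prints the extra `docker run` flags for three ways of letting a container use
# a FUSE mount, and probes whether the current process could mount one itself.
# Assumptions (placeholders, not from the thread): the host-side mount lives at
# /mnt/s3 and should appear at /data inside the container.
set -eu

# Bit index of CAP_SYS_ADMIN in the kernel's capability masks
# (linux/capability.h); this is the capability mount(2) checks.
CAP_SYS_ADMIN_BIT=21

# cap_sys_admin_in_mask HEXMASK -> prints 1 if the mask, in the format of the
# CapEff/CapBnd lines of /proc/<pid>/status, contains CAP_SYS_ADMIN, else 0.
cap_sys_admin_in_mask() {
    local mask="$1"
    echo $(( (0x$mask >> CAP_SYS_ADMIN_BIT) & 1 ))
}

# current_cap_eff -> effective capability mask of this shell (Linux only;
# prints nothing elsewhere).
current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null || true
}

# docker_run_args MODE -> prints, one per line, the extra `docker run` flags for:
#   privileged : all capabilities and all host devices, confinement off
#                (far more than a FUSE mount needs)
#   capadd     : only CAP_SYS_ADMIN plus the /dev/fuse device node. Assumed here:
#                Docker's default seccomp profile admits mount(2) once that
#                capability is granted, but its default AppArmor profile denies
#                mount, hence apparmor=unconfined on hosts enforcing AppArmor.
#   hostbind   : no extra privilege; the mount is made on the host beforehand
#                and bind-mounted in. rslave propagation lets a remount on the
#                host become visible in the running container.
docker_run_args() {
    case "$1" in
        privileged)
            printf '%s\n' --privileged ;;
        capadd)
            printf '%s\n' --cap-add SYS_ADMIN --device /dev/fuse \
                --security-opt apparmor=unconfined ;;
        hostbind)
            printf '%s\n' --mount \
                'type=bind,source=/mnt/s3,target=/data,bind-propagation=rslave' ;;
        *)
            echo "docker_run_args: unknown mode '$1'" >&2
            return 2 ;;
    esac
}

# probe_fuse_prereqs -> prints "ok" if this process could perform a FUSE mount
# itself (CAP_SYS_ADMIN effective and /dev/fuse present), else what is missing.
probe_fuse_prereqs() {
    local mask
    mask="$(current_cap_eff)"
    if [ -z "$mask" ]; then
        echo "no CapEff line in /proc/self/status (not Linux?)"; return 1
    fi
    if [ "$(cap_sys_admin_in_mask "$mask")" != 1 ]; then
        echo "missing CAP_SYS_ADMIN (CapEff=$mask)"; return 1
    fi
    if [ ! -c /dev/fuse ]; then
        echo "missing /dev/fuse (add --device /dev/fuse)"; return 1
    fi
    echo ok
}

# Demo: show each flag set, then probe the shell this script runs in.
for mode in privileged capadd hostbind; do
    printf '%-11s docker run %s IMAGE ...\n' \
        "$mode:" "$(docker_run_args "$mode" | tr '\n' ' ')"
done
if ! probe_fuse_prereqs; then
    echo "(this shell cannot mount FUSE itself; hostbind needs no capability in the container)"
fi
```

Run the probe inside the container you are testing, e.g. `docker run --rm $(docker_run_args capadd) IMAGE sh -c '...'` with the functions pasted in, before trying `mount-s3 BUCKET /data`. For the hostbind mode the host-side mount must be readable by the uid the container runs as; if that uid differs from the mounting user, the host mount has to be made with Mountpoint's `--allow-other` option (and `user_allow_other` in /etc/fuse.conf when the mounting user is not root), which is an assumption of this example rather than something the thread states.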
@vadimkantorov
Author

vadimkantorov commented Dec 27, 2024

Thank you for your explanations! I also found the huge 10-year-old discussion in kubernetes/kubernetes#7890, which also suggests using CSI for S3/FUSE, but this is hard to grok for a newbie (like myself), as this discussion is decade-long and multiple solutions were discussed.

Because wanting to use FUSE to access S3 is so typical, I think it would be awesome to have a README section about this specifically: usage in Kubernetes / Docker (found this: docker/for-linux#321) / general root-less environments (found this using user namespaces: https://zameermanji.com/blog/2022/8/5/using-fuse-without-root-on-linux/), listing existing solutions and limitations.

@unexge
Contributor

unexge commented Dec 27, 2024

The CSI Driver is linked in the Getting started section of the README, and there is this README for running Mountpoint inside Docker, but that doesn't seem to be linked from the README; maybe we can make it easier to find.

@vadimkantorov
Author

vadimkantorov commented Dec 27, 2024

Thank you! Yes, a brief explanation of the current state of affairs for root-less / SYS_ADMIN-less use in regular Linux (via user namespaces), Docker and k8s would be extremely useful in the main README (also, newbies might not know what CSI is and that it's e.g. the only existing non-hacky way for k8s).

I think your Docker README still relies on passing SYS_ADMIN, right? At least, I suggest adding a discussion of ways around it (there were those attempts with custom AppArmor/seccomp configs to replace SYS_ADMIN, and also with using unshare / user namespaces, which likely have their own limitations; I wonder if Docker can directly create a user namespace at the start, so that the call to unshare is not needed?)
