
I have a btrfs partition (mounted on /srv) on my host system with a subvolume (old). I would like to manage it from a docker container (I have launched it with -v /srv:/srv).

While I'm perfectly able to create a snapshot of it, I cannot list other subvolumes and/or delete them:

user@host:~$ docker exec -ti jenkins-slave bash
root@a5496f6bd14b:~# btrfs subvolume snapshot /srv/old /srv/new
Create a snapshot of '/srv/old' in '/srv/new'
root@a5496f6bd14b:~# ls /srv
new old
root@a5496f6bd14b:~# btrfs subvolume delete /srv/new
Delete subvolume (no-commit): '/srv/new'
ERROR: cannot delete '/srv/new': Operation not permitted
root@a5496f6bd14b:~# btrfs subvolume list /srv/new
ERROR: can't perform the search - Operation not permitted
root@a5496f6bd14b:~# ls /srv
new old

Meanwhile, I'm still able to do it from the host system.

GlinesMome

1 Answer

It appears this behavior is due to a Docker configuration setting.

I was able to get this to work by adding the "Linux Capability" CAP_SYS_ADMIN at Docker runtime.

docker run -d -t --cap-add SYS_ADMIN -v /mnt.btrfs:/mnt.btrfs debbtrfs

CAP_SYS_ADMIN
Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2)

There are a whole series of other "Linux Capabilities", including a verbose description of CAP_SYS_ADMIN which can be found in the man pages:

$ man 7 capabilities

Which of these capabilities are Docker defaults, and which can be added/dropped can be found here, under "Runtime privilege and Linux capabilities":
https://docs.docker.com/engine/reference/run/

Morgan