Azure docker container can only read azure file share volume mount when public access is on

Question

I have an azure Docker container running nginx. It has an azure file share mounted as a volume. It all works well until I set network settings to "Enabled from selected virtual networks and IP addresses", after which it says Host is down.

It's clearly an access issue.

I've added the docker container's IP address to the list of allowed IP addresses.

The container is created using az container create --resource-group xxxx --f file.yaml

In file.yaml, the volume is defined as:

volumeMounts:
 - mountPath: /etc/nginx/conf
   name: myvolname

 volumes:
 - name: myvolname
   azureFile:
      sharename: mysharename
      storageAccountName: myaccountname
      storageAccountKey: myaccountkey

I have created a system assigned identity and have tried giving it certain roles on the file share account via Access Control, but no luck. I don't know what other permissions I need to set in order to get this to work.

Edit 1: Thanks Suresh. I've tried your recommendations but still no luck. If I try to run YAML when public access is set back to restricted, I get the following message in the output: "message":

"Error: Failed to start container mycontainer, Error response: to create containerd task: failed to create shim task: failed to create container xxxx: guest RPC failure: failed to create container: failed to run runc create/exec call for container xxxxx with exit status 1: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: rootfs_linux.go:76: mounting "/run/gcs/c/xxxx/sandboxMounts/tmp/atlas/azureFileVolume/caas-xxxx/myshare/mnt" to rootfs at "/etc/nginx/conf" caused: stat /run/gcs/c/xxxxx/sandboxMounts/tmp/atlas/azureFileVolume/caas-xxxx/myshare/mnt: host is down: unknown", "name": "Failed", "type": "Warning"

EDIT 2: I've run az storage share list from within the docker container itself. When access on storage account is set to public, it lists the shares. When it is switched back to restricted, it gives an authorization error. That confirms that it is a permissions issue. I've verified that the container IP address is in the list of allowed addresses and the system assigned identity has a number of permissions. Either the system assigned identity doesn't have the correct roles assigned or I'm missing something else. What role assignments should be assigned to allow basic access to the file shares?

EDIT 3: I've set firewall IP allowed address to 0.0.0.0/0 and have given the system assigned identity the owner role and still can't mount the volume unless I set firewall to public.

Answer 1

I set network settings to "Enabled from selected virtual networks and IP addresses", after which it says Host is down.

• It restricts access to the container only from the specified virtual networks and IP addresses. This could indeed be the reason why your container is reporting "Host is down" as it might not be able to reach the necessary resources due to network restrictions.

• Check whether you have grant necessary permissions access to storage file Data SMB Share Reader and for also Storage Blob Data Contributor for the ACI as below.

• SBDC

• After the changes with the above the YAML file should look:

apiVersion: '2021-08-01'
location: <your_location>
name: <your_container_name>
properties:
  containers:
  - name: <your_container_name>
    properties:
      image: nginx
      resources:
        requests:
          cpu: 1.0
          memoryInGB: 1.5
      volumeMounts:
      - mountPath: /etc/nginx/conf
        name: myvolname
  osType: Linux
  ipAddress:
    type: Public
    ports:
    - protocol: tcp
      port: 80
  identity:
    type: SystemAssigned  # Ensure you have assigned a system-assigned identity.
  volumes:
  - name: myvolname
    azureFile:
      sharename: mysharename
      storageAccountName: myaccountname
      storageAccountKey: myaccountkey

• Use the following command to check the storage mount's latency or general reachability:

tcpping Storageaccount.file.core.windows.net