NFS client can only access files if local group membership matches server

ricclopez

Cadet
Joined
Jul 26, 2023
Messages
2
Hello!

I've done a bunch of searching on this topic, but I haven't been able to find any solutions that worked for me.

I'm running TrueNAS CORE 13.0-U3.1 and hosting an NFS share off of one of my ZFS datasets. I'm trying to access this share from a docker container on a different server. In that docker container, none of the users or groups that TrueNAS knows about exist, but I made sure that the service in the container is running with a UID and GID that has access to the folder I'm trying to access.

The issue I'm facing is that unless I create the users/groups and set up group membership in the container the same way that it is set up on the server, the user in the container cannot access data that its GID should have access to.

Simplified setup:
Code:
drwx--x--x   8 user1      group1       ./
drwxrwx--x  70 user1      group2       content/
drwxrwx--x  70 user1      group1       content2/


user1 has uid 1010
user2 has uid 1020
group1 has gid 1010
group2 has gid 1020

where "user1" is in "group1", and "user2" is in both "group1" and "group2". Based on these group memberships and permissions, I expect "user2" to have RWX access to both "content" and "content2", however, if I don't create the user and group locally and adjust the membership (i.e. in the docker container, the user and group are just 1020, no name), "user2" cannot access "content2". If I create "user2" and groups 1 and 2 in the container, and make "user2" a member of both groups, the user then gains access to the folder.

I have tried both NFSv3 (with and without the "Support >16 groups" setting) and NFSv4 (with the NFSv3 ownership model), but neither has had any success. I've also confirmed that changing the group owner of "content2" to "user2" grants access in the container.

So basically, if I don't create the user/group locally with correct membership, it seems like the user only has access to data where either the UID or GID is a direct match. My guess here is that the client is denying access based on a local check of the user/group permissions before even sending anything to the server for verification. If this is correct, is there any way to get around it? Is there any other solution here? I don't have the capability to create the users/groups in the container in an automated way, and I don't particularly want to give RWX to "other" to allow access.

Thanks in advance! This is my first post here, so apologies if I missed any pertinent information. Please let me know and I'll be happy to provide anything I've missed.
 
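The mechanism behind what the post describes, as an added example that is not code from the original post or from TrueNAS: with `sec=sys` (the default AUTH_SYS / AUTH_UNIX flavour from RFC 5531) the NFS client puts the calling process's own uid, primary gid and supplementary group list into every RPC credential; the server then applies the file's mode bits to exactly those numbers. The server's own passwd/group database is not consulted for that check. The script below XDR-encodes such a credential, decodes it as a server would, and runs the mode-bit check over the three directories from the post. The assumptions are mine: a share mounted with `sec=sys`, plain POSIX mode bits (no ACLs), and a process whose supplementary group list is either just its primary gid or the full membership; the `machinename` and `stamp` values are placeholders.

```python
"""Added example (not from the original post or TrueNAS): how an NFS AUTH_SYS
credential is built from a process's credentials and how a server's mode-bit
check consumes it.

Assumptions (mine): share mounted with sec=sys (AUTH_SYS / AUTH_UNIX, RFC 5531),
server applies plain POSIX mode bits. The directory layout, uids and gids are
the ones listed in the post; the hostname and stamp are placeholders.
"""
import struct

MAX_AUTH_SYS_GIDS = 16  # RFC 5531: the gids array holds at most 16 entries


def build_auth_sys(uid, gid, gids, machinename=b"container", stamp=0):
    """XDR-encode an AUTH_SYS credential body the way an NFS client does.

    Everything here comes from the calling process: its uid, primary gid and
    supplementary group list. No passwd/group lookup happens at this point, so
    a gid that is not already in the process's credential never reaches the
    server.
    """
    if len(gids) > MAX_AUTH_SYS_GIDS:
        raise ValueError("AUTH_SYS carries at most 16 supplementary gids")
    name = machinename[:255]
    pad = (-len(name)) % 4  # XDR strings are padded to a 4-byte boundary
    return (struct.pack(">II", stamp, len(name)) + name + b"\0" * pad
            + struct.pack(">III", uid, gid, len(gids))
            + b"".join(struct.pack(">I", g) for g in gids))


def parse_auth_sys(data):
    """Decode the credential as the server sees it; returns (uid, gid, gids)."""
    stamp, nlen = struct.unpack_from(">II", data, 0)
    off = 8 + nlen + (-nlen) % 4
    uid, gid, n = struct.unpack_from(">III", data, off)
    off += 12
    if n > MAX_AUTH_SYS_GIDS:
        raise ValueError("malformed credential: too many gids")
    gids = list(struct.unpack_from(">%dI" % n, data, off))
    return uid, gid, gids


# Constructed from the listing in the post: path -> (mode, owner uid, group gid)
TREE = {
    ".":        (0o711, 1010, 1010),  # drwx--x--x user1 group1
    "content":  (0o771, 1010, 1020),  # drwxrwx--x user1 group2
    "content2": (0o771, 1010, 1010),  # drwxrwx--x user1 group1
}

R, W, X = 4, 2, 1


def server_access(cred, path, want):
    """Server-side mode-bit check using only the credential the client sent."""
    uid, gid, gids = parse_auth_sys(cred)
    mode, owner, group = TREE[path]
    if uid == 0:                      # no root_squash in this toy server
        return True
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group == gid or group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


def can_rwx(uid, gid, gids, path):
    """True if a process with these ids gets rwx on path over sec=sys."""
    return server_access(build_auth_sys(uid, gid, gids), path, R | W | X)


if __name__ == "__main__":
    # user2 inside a container where only the numeric ids exist: the process
    # has no supplementary groups, so the credential carries gid 1020 alone.
    bare = dict(uid=1020, gid=1020, gids=[1020])
    # user2 after /etc/group in the container also lists it in group1.
    full = dict(uid=1020, gid=1020, gids=[1010, 1020])
    for label, ids in (("bare", bare), ("full", full)):
        for path in ("content", "content2"):
            print(label, path, "rwx" if can_rwx(path=path, **ids) else "denied")
```

Running it reproduces the post's observation: the "bare" credential gets rwx on `content` (primary gid 1020 matches) but not on `content2` (gid 1010 is absent from the credential, so only the `--x` other bits apply), while the "full" credential gets rwx on both. The practical check on a stuck client is therefore `id` or `cat /proc/self/status | grep Groups` inside the container, not the server's group file: whatever supplementary gids the process actually holds are the only ones the server will ever see over `sec=sys`.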

ricclopez
Upgrading to SCALE appears to have solved this problem. Can't say I know why, but I'm glad it's working!