NFS directly inside container?

It’s not possible without hacks. NFS isn’t allowed for unprivileged users, so you either need a privileged container and AppArmor tweaks or you need an unprivileged container with syscall interception to run that one action as real root.

In either case, you end up with your container running stuff as real root in the kernel which can be rather unsafe. The bind-mount approach is safest as the container can only consume the mounted thing, not initiate mounts itself.

I suspect that in a few years someone will have finally taken the time to go through the plethora of NFS features and will have decided which are safe for unprivileged use and which aren’t and will have updated the kernel driver to allow for unpriv use, but this isn’t the case currently so you’re just left with workarounds.

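The bind-mount approach the answer recommends, written out as an LXD profile. This is an added example, not configuration from the post or the LXD project; the server name, export and mount paths are placeholders, and it assumes the host has already mounted the NFS export itself.

```yaml
# Added example: host-side NFS mount exposed to a container as a disk device.
# Prerequisite on the host (placeholder server/paths):
#   mount -t nfs fileserver.example:/export /mnt/nfs
# Apply with:
#   lxc profile create nfs-share
#   lxc profile edit nfs-share < nfs-share.yaml
#   lxc profile add <container> nfs-share
#
# The container only consumes the tree the host mounted; it never gains the
# ability to call mount(2) on NFS itself. The alternatives the answer mentions
# (security.privileged=true plus a raw.apparmor mount rule, or
# security.syscalls.intercept.mount with .mount.allowed=nfs) would let the
# container drive the kernel NFS client as real root, so they are not used here.
name: nfs-share
description: Expose a host-mounted NFS export to a container via bind mount
config: {}
devices:
  nfsshare:
    type: disk
    source: /mnt/nfs    # already mounted on the host, read by the container only
    path: /srv/share    # mount point as seen inside the container
```

Ownership inside an unprivileged container follows the host uid/gid mapping, so files on the export may appear as nobody/nogroup unless the ids line up.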