[feature] Allow mounting sub-directories of named volumes #32582
Comments
|
This would be super useful for me as well 👍 Sorry for my shallow knowledge but, what would be the difficulties in this? Making sure there's no "chroot escape -a-like"? |
|
Even I am looking for this similar feature, but couldnt find any useful links explaining how to achieve this. Kubernetes has this support via sub-path notation. |
thaJeztah
added
area/volumes
kind/feature
|
Having ability to specify sub-directory from a named volume would be really helpful. E.g. https://hub.docker.com/r/tvial/docker-mailserver/ container requires 3 volumes by default:
Ideally, I would like to create one named volume, e.g. using RexRay volume driver named rex_mail and then mount sub-directories of this volume in the service. One of the options could be mounting at the service level, like this:
Or maybe as an alternative way (e.g. if it will be easier from the point of view of backwards compatibility), to handle this at the top level for volumes, creating mappings between named volume sub-directories and new volumes to use at the service level. E.g. something like this:
And then at the service level to use these sub-directories as:
There are multiple reasons why the ability to mount name volume only once and map various sub-directories in it to various directories in the container is important:
|
|
This could be added to the new mount syntax. Not too keen on supporting this with the old |
|
Basically add a new field here called There are likely some implications in supporting this that will limit future possibilities that which need to be explored... |
|
A 👍 from me also - posted a duplicate ticket here: docker/compose#5367 (comment). The ability to create a volume and build complex subfolder / file mappings (maybe supporting conditions) would be amazing. |
|
@cpuguy83 taking your suggestion, I made a sample implementation of this feature. I checked that it works with a local copy of the cli. It works similar to how @spatialvlad described it. Take a look at the code changes here and let me know if this design is acceptable. If anyone would like to try it out with the cli, you can do so with this cli and running this sample command: |
|
@y2kpr I like the design. nice work. |
|
@y2kpr Thanks! Looks good, but needs tests. |
|
Thanks for the feedback! I will try to submit a PR with checks for symlink traversal and tests by this weekend. |
|
Design looks good (from the description above); we should indeed have tests for various scenarios (single container using multiple paths from the same volume, multiple containers using the same, or different paths from a volume etc., possibly "corner cases" where paths overlap inside the container) |
|
@y2kpr have you been able to continue on the PR? |
|
@Mathiasdm I just have some testing left to do. I was on vacation for a while and I get back tomorrow. I am planning to finish it by this weekend |
|
Over the weekend I tried to write some unit tests but had no success. Being very new to the code base and without many reference unit tests around the code I added, I am having trouble mocking things correctly (especially in the daemon). I would like someone who is more familiar with the code base to take it from here or guide me on how to do the unit tests (@cpuguy83 know anyone?). Unfortunately, I do not have enough time to tinker with it and figure it out on my own. Once the unit tests are done, the integration tests (if we want some) are straightforward. I just need to add some CLI commands after updating the docker CLI. |
|
@y2kpr I guess it would depend on what exactly you are going to unit test and what your implementation looks like. |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
@y2kpr were you still working on this? |
|
@thaJeztah Unfortunately, I will not be able to work on it at least until summer (mid may) |
|
This feature would be incredibly useful for the kinds of transparent/reproducible computational science workflows that we're supporting at Gigantum. None of us are Go experts (and certainly not Docker codebase experts), but we would be interested in knowing how we could best support getting this feature landed. I'd be happy to take a crack at writing some API integration tests, or it might be more productive to put a bounty on finishing this up. It seems like this is the closest thing to a starting point, and I only see surface testing there - not any inspection to see if the data contained in volumes is correct. I welcome any feedback, in particular from @y2kpr as this is your patch! In the meantime, I'll see about cloning your clone, and applying the changes recommended by @cpuguy83. |
|
popping in to add my support for this feature. at the moment, it seems like the mickey mouse verbose solution is to define each of the subdirectories as unique volumes. would be AWESOME to just define the parent and use namedvolume/subdir for the various service volumes. love you long time. |
|
This feature would make this much easier. |
This comment has been minimized.
This comment has been minimized.
|
@y2kpr and @davclark, I see statements above from both of you about getting back to this PR. Any ETA? I'm stirring the pot, because this feature would help with what my team is trying to accomplish. If there are no immediate plans to bring this feature to completion, I'm interested in throwing my time at the problem starting next week, if my assistance would be welcome. |
|
Sorry to have just gone silent... Currently, I'm evaluating dotmesh as an alternative to using stock docker volumes. So this is less relevant to us. Given the lack of input and my lack of knowledge about Docker, I was reluctant to put too much time into this. Please keep this thread updated with any activity. I'm happy to review or help develop tests, just want to make sure it's a reasonable use of time! |
|
This would greatly reduce the complexity of many compose setups and more importantly allow people to use volumes with off the shelf containers instead of forking them off for customization. From a Docker design standpoint you want the application using a Docker volume isolated in Docker easy to spin up and easy to destroy without having to mess with the host's local filesystem. |
|
If you REALLY want to do this ONLY ONCE version: "3.5"
services:
calibre-web:
image: linuxserver/calibre-web:arm64v8-latest
container_name: calibre-web
# SOLUTION START
# "data/admin/files/CALIBRE" is specific to my usecase
volumes:
# https://github.com/ec-/Quake3e/blob/2c96f6d58619a29589bac577288497964c943a3e/code/qcommon/q_math.c#L569
- /var/lib/docker/volumes/docker_nextcloud/_data/data/admin/files/CALIBRE:/books:rw
# SOLUTION END
ports:
- 8083:8083
restart: unless-stopped |
|
|
|
Podman can do this. |
Ain't that a shame tho? |
|
@53c70r |
|
How do we not have this feature in 2023? Where are the maintainers? |
|
@owenthewizard Because it's not easy to implement in a secure way (e.g. Kubernetes has had multiple advisories in this area), and part of this was why previous attempts to implement this stranded. Maintainers help maintain the project, but do so either in their own time, or time granted by their employers, which (in most cases) won't be full time on open source projects. There's always gonna be more feature requests and bug fixes than maintainers, so work must be prioritised, which means not every feature request can be worked on (if at all). This project is open source, so if features are important to you, read the CONTRIBUTING.md on how to contribute. The good news on this one, is that work is in progress again (but still things to discuss/review) #45687 |
|
Of course I understand that open source projects are usually on a volunteer basis, but this is Docker, who in addition to recently raising their prices is sponsored by many corporate entities. |
Sadly I am not the expert here, but one question with that. What is the use of contributing with PRs that seek to address the issues, if the maintainers, due to the reasons you explained above, will never get to merge them? Is forking and ultimate fragmentation of the project the only way? |
|
Maintainers have said repeatedly we'll accept a change but it needs to address security concerns as it's not as simple as grabbing the sub-path. There is an open pr and it does look pretty good, but still need to give it a full review. |
|
+1 |
|
All I can say at this point is: Pretty Please? :-p |
|
Please? + 1 |
|
@thaJeztah Super happy this is merged!
Is there a rough estimate / timescale as to when the next release might appear with these changes? I know docker desktop will notify me but I am more wondering about planning update of some linux boxes! :-) |
|
It was merged after the 25 release, so unfortunately it's going to have to wait for the 26.x release cycle. 👍 |
|
CLI already supports it (starting from v26.0.0-rc1): docker/cli#4331 (and you can already install it from the Compose support is still WIP (it needs to move to v26 first). |
|
v26.0.0 is released, so you can already try out this feature. |
|
Seeing this appear in windows docker desktop update today! |
and others
Similar to how bind mounts let you mount subfolders i.e
-v /host/path:/container/path, is it possible for the same functionality to be available for named volumes? i.e-v namedvolume/path:/container/path. Right now in order to mount a named volume, you must mount the entire volume.I apologize in advance if this has been discussed somewhere already, but I couldn't find anything saying this isn't doable.
The text was updated successfully, but these errors were encountered: