Why do the edgeHub and edgeAgent containers not support Docker Volumes? #7166

Closed
F-Joachim opened this issue Dec 4, 2023 · 3 comments

@F-Joachim

The preferred mechanism from Docker to persist data is to use Docker Volumes. Thus, we want to refactor our manifests by replacing all of our host mounts with (named) volume mounts. The most beneficial point would be the independence of the host system and the corresponding pre-configuration of the directories (as already described here and here).
However, we are still hesitating to make the switch as we have seen that the edgeHub and edgeAgent do not yet support this Docker feature. Are there any reasons - in combination with the iotedge - why you do not support Docker Volumes?

Many thanks in advance for the clarification.

@arsing
Member

arsing commented Dec 4, 2023

createOptions in the EA / EH twins takes any valid JSON object that dockerd's ContainerCreate API takes, which includes the ability to specify a mountpoint as a volume instead of a host dir. If you can't figure out how to construct the JSON, you can create a dummy container with docker create and whatever options you want, then docker inspect it to get the JSON, then translate that into the EA / EH config.

If EA / EH is started as root, it will fix up the permissions of the storage directory (EA and EH) and then change to a limited user, so permissions are not a problem either.

So I don't see anything that would prevent you from using docker volumes. I haven't tried it though. Try it?

@arsing arsing self-assigned this Dec 4, 2023
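
An added example, not from the thread or the IoT Edge project: a small Python helper that takes a createOptions JSON string in the ContainerCreate shape mentioned above, lists the host directories it still mounts, and rewrites selected HostConfig.Binds entries into named-volume entries under HostConfig.Mounts. The sample paths, the volume name edgehub-storage and the function names are assumptions made up for illustration.

```python
import json

def split_bind(bind):
    """Split a HostConfig.Binds entry 'src:dst[:opts]' (Linux paths assumed)."""
    parts = bind.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected bind entry: {bind!r}")
    return parts[0], parts[1], (parts[2].split(",") if len(parts) == 3 else [])

def host_paths(create_options):
    """Return the host directories a createOptions string still mounts."""
    host_config = json.loads(create_options).get("HostConfig", {})
    # In Binds, an absolute source is a host path; anything else is a volume name.
    found = [split_bind(b)[0] for b in host_config.get("Binds") or []
             if b.startswith("/")]
    found += [m["Source"] for m in host_config.get("Mounts") or []
              if m.get("Type") == "bind"]
    return found

def binds_to_volumes(create_options, volume_names):
    """Replace host binds listed in volume_names with named-volume mounts.

    volume_names maps host path -> volume name; other binds are left untouched.
    """
    options = json.loads(create_options)
    host_config = options.setdefault("HostConfig", {})
    kept = []
    mounts = list(host_config.get("Mounts") or [])
    for bind in host_config.get("Binds") or []:
        src, dst, opts = split_bind(bind)
        if src in volume_names:
            mounts.append({"Type": "volume", "Source": volume_names[src],
                           "Target": dst, "ReadOnly": "ro" in opts})
        else:
            kept.append(bind)
    host_config.pop("Binds", None)
    if kept:
        host_config["Binds"] = kept
    if mounts:
        host_config["Mounts"] = mounts
    return json.dumps(options)

# Constructed sample: paths and the volume name are placeholders, not from the thread.
SAMPLE = json.dumps({"HostConfig": {"Binds": [
    "/srv/edgehub:/iotedge/storage", "/etc/ssl/certs:/certs:ro"]}})

if __name__ == "__main__":
    print(binds_to_volumes(SAMPLE, {"/srv/edgehub": "edgehub-storage"}))
```

Running `host_paths` on the result shows which host directories a module still depends on after the rewrite.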
@F-Joachim
Author

@arsing - Thanks for your response.

The technical realization of how to configure the volume mounts is already clear to me. The question was rather aimed at asking whether this is also a way supported by Microsoft, since the documentation does not refer to it (in contrast to Blob Storage).

As I took a closer look at the scripts you linked, I saw that both containers run as root. Only the application runs as edge<agent|hub>user. When I wrote the issue, I assumed that the container also runs as a user and therefore requires corresponding permissions for the storageFolder, which are set in the Dockerfile. However, this means that the volume mounts only work because the container is running as root. It wouldn't work with user rights, right?

I've tested the volume mounts for both edgeHub and edgeAgent (running as root) in my test environment and it works as expected.

@F-Joachim
Author

> As I took a closer look at the scripts you linked, I saw that both containers run as root. Only the application runs as edge<agent|hub>user. When I wrote the issue, I assumed that the container also runs as a user and therefore requires corresponding permissions for the storageFolder, which are set in the Dockerfile. However, this means that the volume mounts only work because the container is running as root. It wouldn't work with user rights, right?

Understood - the resulting process of the image (= edgeHub or edgeAgent application) runs with user privileges and is therefore not a security risk 👍

@jlian jlian closed this as completed Jan 4, 2024