Use gcsfuse to mount Google Cloud Storage buckets in a Docker container
I

3

7

I am trying to mount a Google Cloud bucket from within a Docker container and get the following error:

[root@cdbdc9ccee5b workdir]# gcsfuse -o allow_other  --debug_gcs --key-file=/src/gcloud_service_account.json my-bucket-name /gcloud
Using mount point: /gcloud
Opening GCS connection...
Opening bucket...
daemonize.Run: readFromProcess: sub-process: mountWithArgs: mountWithConn:     setUpBucket: OpenBucket: Bad credentials for bucket "my-bucket". Check the bucket name and your credentials.

My credentials work on my host machine, but not on the running container. The API says not to use root to connect, but you can override that with the -o allow_other flag (fuse flag). Any ideas are appreciated.

This is running on a CentOS 7 base image.

Illailladvised answered 13/1, 2016 at 3:49 Comment(2)
Probably a silly question, but did you also add the credentials file to the container? How did you start the container, is it having the right privileges to run fuse? Note that there's also a volume plugin here: github.com/coduno/docker-volume-gcs – Bravo
Yep, the credentials file is definitely on the host in the /src dir. I started the container like this: docker run -p 3000:3000 -e GOOGLE_APPLICATION_CREDENTIALS=/src/gcloud_service_account.json --name gcsfuseTest path/to/image. Will take a look at the plugin. I am planning on running this on Google Container Engine however. Thanks for your reply. – Illailladvised
P
5

Root versus not is a red herring here; the credentials in question are GCS credentials.

See here for documentation on handing GCS credentials to gcsfuse. The easiest way to do this is with the credentials you configured your GCE VM with originally (assuming you're running on GCE), which is what makes running gcsfuse work without any further effort usually. But if that doesn't work, you can use the flag --key-file to give gcsfuse a path to a JSON key file you download from the Google Developers Console.

Pentachlorophenol answered 13/1, 2016 at 9:56 Comment(6)
Thanks for your response. I am planning on running this in the Google Container Engine, but am testing the gcsfuse stuff locally within a Docker container. I've read all the documentation on the URL you provided, but it doesn't work within Docker. The only way I can get gcsfuse to read in my credentials is with the --key-file. Exporting GOOGLE_APPLICATION_CREDENTIALS=/src/gcloud_service_account.js hasn't worked yet. Again, these credentials work on my host laptop (OSX). Have you gotten gcsfuse to work within Docker before? If so, a glimpse at connection commands would be useful. Thanks again. – Illailladvised
I haven't tried Docker in particular, and don't know anything about configuring Docker. But gcsfuse isn't doing anything magical here; it's just reading an environment variable. If it's not working, there must be something wrong with whatever configuration causes that environment variable to be set (or with the value it's set to). In any case, can you just use --key-file if that works? – Pentachlorophenol
I was able to mount finally, but have a new issue with reading or writing to the directory "Input/output error". See updated question for more detail. Thanks for your help. – Illailladvised
Great! Do you mind instead opening a new question for the new issue (run with --foreground to get more debug info for that one), and submit the way you solved this as an answer here and mark it as accepted? – Pentachlorophenol
Thanks for the advice jacobsa. Closed this one out and added a follow up here: #34780421 – Illailladvised
Not sure 'red herring' is the right analogy here? That implies an adversarial intent to mislead (e.g. when a demagogue distracts people from some issue with irrelevant, flashy soundbites about something else). – Soares
I
5

Update: I was able to get gcsfuse to mount. I had to run docker with the --privileged option. (Thanks #thaJeztah for the breadcrumb!)

Illailladvised answered 14/1, 2016 at 0:48 Comment(2)
Do you have a git repo with this? I was able to get gcsfuse running in docker but I cannot share it with other images :( – Fonzie
I can't run this via the build command. Is there a workaround for when building an image? I'm trying to push a container to Google Cloud for replication. – Hoecake
M
4

You really want to avoid running containers using the --privileged option. I believe you only need to add the SYS_ADMIN capability and access to the /dev/fuse device.

docker run \
    --rm -it \
    --cap-add SYS_ADMIN \
    --device /dev/fuse \
    ubuntu
Mudlark answered 20/2, 2019 at 18:18 Comment(0)
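
Added example (not part of any answer above, and not gcsfuse or Docker project code): a preflight script for a container entrypoint that checks the two things this thread ran into, namely whether the key file is readable inside the container, and whether the container has CAP_SYS_ADMIN and /dev/fuse without being fully privileged. The function names are hypothetical, the CapEff masks are constructed samples, and treating CAP_SYS_MODULE as the marker for --privileged is a heuristic.

```shell
#!/bin/sh
# Added example: preflight checks for gcsfuse inside a container.
# Function names are hypothetical; the sample masks are constructed.

CAP_SYS_ADMIN=21   # capability bit needed for mount(2), and so for FUSE mounts
CAP_SYS_MODULE=16  # not in Docker's default set; heuristic marker for --privileged

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in the capability mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# classify_caps HEXMASK -> prints missing-sys-admin | least-privilege | over-privileged
classify_caps() {
    if ! has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo missing-sys-admin
    elif has_cap "$1" "$CAP_SYS_MODULE"; then
        echo over-privileged
    else
        echo least-privilege
    fi
}

# key_file_ok PATH -> 0 if PATH is readable from inside this filesystem
# and looks like a service account key
key_file_ok() {
    [ -n "$1" ] && [ -r "$1" ] && grep -q '"type": *"service_account"' "$1"
}

# preflight KEYFILE -> run all checks against the live container; non-zero on failure
preflight() {
    rc=0
    key_file_ok "$1" || { echo "key file not readable inside the container: $1" >&2; rc=1; }
    [ -c /dev/fuse ] || { echo "/dev/fuse absent: start with --device /dev/fuse" >&2; rc=1; }
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    case $(classify_caps "$mask") in
        missing-sys-admin) echo "CAP_SYS_ADMIN absent: start with --cap-add SYS_ADMIN" >&2; rc=1 ;;
        over-privileged)   echo "looks --privileged; try --cap-add SYS_ADMIN --device /dev/fuse" >&2 ;;
    esac
    return $rc
}

# Constructed CapEff values: Docker default, default + SYS_ADMIN, all capabilities.
for m in 00000000a80425fb 00000000a82425fb 0000003fffffffff; do
    echo "$m $(classify_caps "$m")"
done
```

Call preflight with the same path you pass to --key-file before invoking gcsfuse; a key that exists only on the host fails the first check.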
