Using a docker encfs to encrypt a folder

I ran a test on a Linux Mint bare metal machine where I created an Ubuntu docker image and installed encfs on it. If I map the encrypted folder and decrypted folder volumes, then any file I put in the decrypted folder was encrypted into the encrypted folder and the docker and host sides were perfectly synced.

Now I try to repeat on my Unraid machine. While in the docker image, a file placed in the decrypted folder is encrypted just fine and shows up in the encrypted folder properly. If I look in the encrypted folder on the host, I see the encrypted file. If I look in the decrypted folder on the host, it's empty. If I create a file in the decrypted folder on the host, it is NOT visible in the mapped folder inside the docker. When I unmount encfs inside the docker, now the file I created on the host is visible inside the docker. In fact, while encfs is not mounted, syncing in and out of the docker is fine. Since it's only the decrypted folder that's not visible outside the docker, it has to have something to do with some kind of encfs visibility permissions. I did try to encfs mount with -o allow_root and allow_user but it didn't help.

What's going on?

Thanks!


UPDATE: I just tried the same scenario using a Linux Mint VM with the exact same results.

Edited by nowhere99

  • Community Expert

When you set up the mapping to the docker did you choose one of the ‘slave’ methods of access?

  • Author

I think I've solved it. I had already added --cap-add SYS_ADMIN and --devices /dev/fuse to the run command, but I also added --security-opt apparmor=unconfined and made sure the volume lines ended in :shared, and now it works. The real fix was unconfining apparmor, tho. Fun stuff! Thanks itimpi!

  • Author

UPDATE: I'm still testing. The mounts are located in a share "test", set to ARRAY only. I have /mnt/user/test/enc and /mnt/user/test/dec set as bind mounts with my solution above in the docker run and image creation; they are bound to /enc and /dec in the docker. Almost everything works GREAT. Creating files in /mnt/user/test/dec automatically creates the encrypted version in /mnt/user/test/enc. BUT if I look in /mnt/user0/test/dec, I don't see any of the files I create in /mnt/user/test/dec. However, I DO see the encrypted versions in the enc folder on both user and user0. So, I THINK something is still wrong with "propagation" but I don't think it's in the same terms as "docker bind propagation". Bind propagation seems to deal with sub mounts, not visibility of files in hard links of the decrypted folder. Is this getting interesting to anyone yet?

Edited by nowhere99
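
An added example, not part of any post in this thread: a bind mount passed with `:shared` shows up in the container's mountinfo with a `shared:N` tag, while a `private` or `slave` mount keeps a FUSE mount made inside the container from propagating back to the host. The script below reads mountinfo-format lines and reports that state per mount point; the function names and the sample lines (IDs, the `fuse.shfs` type, paths under `/test`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: read a mountinfo-format file (normally /proc/self/mountinfo)
# and report the filesystem type and propagation state of a mount point.

# Constructed sample of a container's view; IDs and fs types are made up.
sample_mountinfo() {
cat <<'EOF'
511 480 0:52 / / rw,relatime master:210 - overlay overlay rw
530 511 0:45 /test/enc /enc rw,relatime shared:88 - fuse.shfs shfs rw
531 511 0:45 /test/dec /dec rw,relatime shared:88 - fuse.shfs shfs rw
540 531 0:61 / /dec rw,nosuid,nodev shared:93 - fuse.encfs encfs rw
545 511 0:45 /test/other /data rw,relatime - fuse.shfs shfs rw
EOF
}

# propagation_of FILE MOUNTPOINT
# Prints "FSTYPE STATE" for the last-listed mount at MOUNTPOINT,
# or returns 1 when nothing is mounted there.
propagation_of() {
    awk -v mp="$2" '
        $5 == mp {
            shared = 0; slave = 0; unbind = 0
            # Optional fields run from field 7 up to the "-" separator.
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                else if ($i ~ /^master:/) slave = 1
                else if ($i == "unbindable") unbind = 1
            }
            fstype = $(i + 1)
            if (shared && slave) state = "shared+slave"
            else if (shared) state = "shared"
            else if (slave) state = "slave"
            else if (unbind) state = "unbindable"
            else state = "private"
            found = 1
        }
        END { if (!found) exit 1; print fstype, state }
    ' "$1"
}

# Demo on the constructed sample; inside a real container, pass
# /proc/self/mountinfo as FILE instead.
tmp=$(mktemp)
sample_mountinfo > "$tmp"
for mp in /enc /dec /data; do
    printf '%s: %s\n' "$mp" "$(propagation_of "$tmp" "$mp")"
done
rm -f "$tmp"
```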
