Mounting possibilities

[devnote-dev]

It was proven in #4387 that setting up a mount to target /home/container/<dir> in a server will work, and it will show up in the file manager. Prior to this, it was thought that mounts could go virtually anywhere except in /home/container or a subdirectory of it (and stated in the docs). This raises some important questions...

Should this be allowed?

There are a couple of arguments that are against this, the first being that the functionality of the mount directory in the file manager is unexpected. According to #4387 (comment):

[...] if you edit the contents of the plugins directory on the panel (in your example), either the mount will cause the container to error on creation or the files shown in that directory on the file manager will be ignored.

The second #4387 (comment) is a bit ambiguous as to what would be fixed, my interpretations are:

• Mounting into /home/container may be fixed in a future Docker release; or
• The unexpected functionality from the file manager may be fixed in a future Docker release.

If this is allowed, what are the restrictions?

Mounts are writable by default which may be an issue if/when multiple servers (or users in said servers) are trying to write to the same files simultaneously via the file manager or API. This is going into unknown territory and it could be a thing that Docker handles already. Similarly, what if you only wanted certain servers to have write access to the mount, and the rest read-only? Should there be support for per-server mount accessibility, or would administrators have to make separate mounts with the separate file permissions? Should that even be allowed?

Opinions

Note This section has my opinions, not the ones of core team members or others that contribute to the project. The point of this discussion is that anyone can comment below from this and we can branch further discussions from this.

Addressing the first major question, I think that this should be allowed. There is already a lot of confusion over how mounts work and I would argue that there is a lack of information about mounts in servers. Even if this does not become a supported feature, I believe more work can be done to improve the current client-side UI – and just general representation – for mounts (this may be extracted into a separate issue).

Regarding the second question, I'd say this is largely dependent on how Docker handles things, but I like the idea of per-server mount accessibility options. This could be applied in the current system, although it would be limited to users who know what they're doing to actually use it.

What do you think?

[yesBad]

I believe it should be allowed, but yeah you've made good points as how it should work exactly.

[parkervcp]

The reason they would fail in the past was a docker limitation. This may have been resolved and thus not an issue anymore as I called out already.

[QuintenQVD0]

The file in the mount that was a plugin for minecraft did not show in the pterodactyl file manager. The mc server did see the .jar plugin that was mounted, but failed to load it because it could not write it config anywhere. As there are 2 mounts to that server, both with their target in /home/container

[devnote-dev]

Can you verify that this was an issue with the mount and not the plugin itself? Because according to your Docker logs, everything was mounted correctly, so there should be no reason for it to fail to create the file. There was also the start of a NullPointerException stack trace in your container logs so I would be inclined to believe that has something to do with the issue.

[jughead0800]

Does this break the point of containerization? depending on who can read/write to a shared mount, in a public setting a malicious actor could potentially compromise multiple servers from a single file directory.

[QuintenQVD0]

every server has there own mount /home/container what is mounted to the disk by default /var/lib/pterodactyl/volumes/
you can add extra mounts to like /files what on the dis is /var/lib/pterodactyl/mounts/files but you can not go back to mounts/ folder. it is locked. This is just that panel / wings allows you to add a mount over /home/container

[devnote-dev]

As far as I'm aware, mounts still don't show up in the file manager right now (this may have been fixed and I just haven't noticed yet), but otherwise yes it would be a security concern, I don't think there is anything that could be done to restrict this though. At this moment in time, any user with subuser control permissions can add as many subusers as they want to a server (see #2456) and if said subusers have access to the file manager then they can do virtually anything to the files, so in part with my second opinion for per-server mount accessibility options, it would be the responsibility of the server owner and panel administrators to moderate mounts and only give write access to servers that actually need it or can be trusted.