Bind mounts are not allowed despite `balena-socket` flag

Hello there

I’m getting the following error:

```
$ balena push 192.168.100.119 --debug
[debug] Using . as build source
[Debug]   Checking we can access device
[Debug]   Sending request to http://192.168.100.119:48484/ping
[Debug]   Checking device version: 10.6.27
[Info]    Starting build on device 192.168.100.119
[Debug]   Loading project...
[Debug]   Resolving project...
[Debug]   docker-compose.yml file found at "."
[Debug]   Creating project...
Bind mounts are not allowed

ValidationError: Bind mounts are not allowed
    at validateServiceVolume (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/resin-compose-parse/build/compose.js:179:15)
    at /usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/resin-compose-parse/build/compose.js:164:13
    at Array.forEach (<anonymous>)
    at normalizeService (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/resin-compose-parse/build/compose.js:163:25)
    at /usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/resin-compose-parse/build/compose.js:99:28
    at /usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/lodash/lodash.js:13401:38
    at /usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/lodash/lodash.js:4905:15
    at baseForOwn (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/lodash/lodash.js:2990:24)
    at Function.mapValues (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/lodash/lodash.js:13400:7)
    at Object.normalize (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/node_modules/resin-compose-parse/build/compose.js:98:32)
    at createProject (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/build/utils/compose.js:114:33)
    at Object.loadProject (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/build/utils/compose_ts.js:39:12)
    at async Object.deployToDevice (/usr/local/Cellar/balena-cli/12.1.3/libexec/lib/node_modules/balena-cli/build/utils/device/deploy.js:96:21)
```

My configuration is:

```yaml
services:
  tunnel:
    build: ./tunnel
    labels:
      io.balena.features.balena-socket: '1'
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks:
      - tunnel
```

But it persists even with:

```yaml
services:
  tunnel:
    build: ./tunnel
    labels:
      io.balena.features.balena-socket: '1'
    privileged: true
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
    networks:
      - tunnel
```

This error disappears however if I comment out the volumes line:

```yaml
version: "2"
networks:
  tunnel:
services:
  tunnel:
    build: ./tunnel
    labels:
      io.balena.features.balena-socket: '1'
    # volumes:
    #   - "/var/run/docker.sock:/var/run/docker.sock"
    networks:
      - tunnel
```

Hey there! We don’t support mounting volumes from the host system. We only support named volumes. Can you describe your use case in more detail to see if we can suggest a better approach?

Sure thing @jviotti, so, I have to expose ports 5198, 5199 and 5200 to the public internet while I’m behind a carrier-grade NAT and firewall. I’m trying to use CloudFlare’s Argo Tunnel and was going to try using Hera but since that isn’t possible, I’ll try running the cloudflared client myself.

Btw, would you have any other suggestions on port forwarding? How would you accomplish this? I do have servers.

Hi @amingilani – thanks for the additional info, and for letting us know your use case.

Looking at the two projects you listed, it seems that Hera watches the Docker daemon (or balena-engine daemon) for new containers, then creates Argo tunnels as needed for those new containers; the Argo tunnels in turn expose the required ports to the Internet. This is why you’re approaching the problem of exposing ports to the Internet by trying to mount the balena-engine socket inside your container. As you’ve found, adding this directly isn’t permitted. However, you can try using the io.balena.features.balena-socket label for that container; you can find more details on that here: https://www.balena.io/docs/learn/develop/multicontainer/#labels.

You may also be interested in this article; it’s not a configuration we can support, but it may be useful to you.

At the moment, we are not able to expose multiple ports through our public endpoints, but this is something we have been asked about before. I’ve added your vote to our internal tracking system for this request.

Let us know how this works out for you!

All the best,
Hugh
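
The validation behaviour discussed in this thread, as an added example that is not part of any post and is not balena-cli or resin-compose-parse code: a pre-push check over a parsed compose object that reports host bind mounts and, for the engine socket path from the thread, points to the label instead. It goes slightly beyond the thread by also reporting named volumes with no top-level declaration; the `cache` service, the finding format and the function names are assumptions.

```javascript
// Added example (not balena-cli or resin-compose-parse code): pre-push audit
// that flags compose volume entries a "named volumes only" policy rejects.
const SOCKET_LABEL = 'io.balena.features.balena-socket'; // label from the thread
const ENGINE_SOCKET = /(^|\/)docker\.sock$/;             // path from the thread

// Classify one `volumes:` entry. Short syntax is [SOURCE:]TARGET[:MODE];
// a SOURCE that looks like a path is a bind mount, a bare name is a volume.
function classifyVolume(entry) {
  if (entry !== null && typeof entry === 'object') { // long syntax
    const named = entry.source ? 'named' : 'anonymous';
    return { kind: entry.type === 'volume' ? named : entry.type, source: entry.source };
  }
  const parts = String(entry).split(':');
  if (parts.length === 1) return { kind: 'anonymous', source: undefined };
  return { kind: /^[\/.~]/.test(parts[0]) ? 'bind' : 'named', source: parts[0] };
}
// One finding per bind mount or undeclared named volume (map-form labels assumed).
function auditCompose(compose) {
  const declared = new Set(Object.keys(compose.volumes || {}));
  const findings = [];
  for (const [service, svc] of Object.entries(compose.services || {})) {
    const hasLabel = Boolean((svc.labels || {})[SOCKET_LABEL]);
    for (const entry of svc.volumes || []) {
      const { kind, source } = classifyVolume(entry);
      if (kind === 'bind') {
        const fix = !ENGINE_SOCKET.test(source) ? 'use a named volume'
          : hasLabel ? 'drop the entry; the socket label is already set'
          : `drop the entry and set the ${SOCKET_LABEL} label`;
        findings.push({ service, source, rule: 'bind-mount', fix });
      } else if (kind === 'named' && !declared.has(source)) {
        findings.push({ service, source, rule: 'undeclared-volume',
          fix: 'declare it under the top-level volumes key' });
      }
    }
  }
  return findings;
}

// Constructed sample: the thread's `tunnel` service (with privileged: true,
// which does not change the result) plus a hypothetical `cache` service.
const sample = {
  volumes: { 'cache-data': {} },
  services: {
    tunnel: { build: './tunnel', privileged: true, labels: { [SOCKET_LABEL]: '1' },
      volumes: ['/var/run/docker.sock:/var/run/docker.sock'] },
    cache: { image: 'example/cache', volumes: ['cache-data:/data', 'logs:/logs'] },
  },
};
console.log(auditCompose(sample));
```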

Thanks @saintaardvark!

As it turns out, Argo Tunnel only works with HTTP traffic and I need TCP and UDP traffic 🙂 I’ve put in a request to sign up for CloudFlare Spectrum and in the meantime I’m experimenting with forwarding through my own server.

I’ve managed to forward TCP with SSH tunneling, and I’m now exploring how to do UDP robustly. I’ll post a solution here when I figure it out and share my project in the forum.