
I'm trying to containerize a web application. As part of its operation, it requires access to four separate NFS mounts located on different hardware. Two of the mounts live on a regular Linux box, but two others live on separate proprietary NAS appliances.

The problem is that Docker (and Kubernetes by extension) uses an internal NAT address to allow containers to talk to the outside world, which causes the source port number of an outgoing mount request to be above the privileged range of 1024. By default, NFS servers will block non-privileged mount requests unless you set the insecure option on the specific export.

For the Linux NFS export, this is easy. I add the option and the mount just works.

The NAS appliances do not have this option, and moving the data elsewhere is not feasible.

The first workaround that came to mind was proxying the NFS request through a third server that merely mounts the folders natively, and then re-exports them with the insecure bit set. I'm concerned about the availability and performance of doing it this way.

Ideally, I could set some configuration option in Docker, or in my Kubernetes pod manifest, which would force outgoing requests to a specific port to come from a specific port.

I also can't imagine that this isn't solved in most environments, given the ubiquity of NFS.

What are the most reasonable options to work around this problem?

Mikey T.K.
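An added example, not part of the original question: a small audit of a Linux `/etc/exports` file that lists which client entries accept mount requests from unprivileged source ports (the `insecure` option) and which would refuse a NATed container client. The sample file, paths, host names and function names are constructed for illustration; it assumes whitespace-separated entries without quoted paths and does not model host matching.

```python
# Constructed sample in exports(5) syntax; paths and hosts are placeholders.
SAMPLE_EXPORTS = """\
# data for the web app
/srv/app/uploads   10.0.0.0/24(rw,sync,insecure)
/srv/app/static    10.0.0.0/24(ro,sync) build01(rw,insecure,no_subtree_check)
/srv/backup        *(ro)
"""

# Exports without "insecure" only accept requests from source ports below this.
PRIVILEGED_PORT_LIMIT = 1024


def parse_exports(text):
    """Yield (path, client, [options]) for every client entry in the file."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client, _, opts = entry.partition("(")
            options = [o.strip() for o in opts.rstrip(")").split(",") if o.strip()]
            yield path, client or "*", options  # "(opts)" alone means any host


def accepts_unprivileged(options):
    """'secure' is the default; an explicit 'insecure' switches the check off."""
    allowed = False
    for opt in options:
        if opt == "insecure":
            allowed = True
        elif opt == "secure":
            allowed = False
    return allowed


def audit(text):
    """Return (path, client, accepts_unprivileged_source_port) per entry."""
    return [(p, c, accepts_unprivileged(o)) for p, c, o in parse_exports(text)]


def refused_entries(text, source_port):
    """Entries that would refuse a mount request sent from source_port."""
    if source_port < PRIVILEGED_PORT_LIMIT:
        return []
    return [(p, c) for p, c, ok in audit(text) if not ok]


if __name__ == "__main__":
    for path, client in refused_entries(SAMPLE_EXPORTS, 40512):
        print(f"{path} -> {client}: refuses unprivileged source ports")
```

Run against the real exports file, the same report shows where `insecure` has been enabled, which is worth reviewing because those entries no longer rely on the source-port check.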

0 Answers