Mounting Azure Files SMB share in a container

In order to mount the new Azure Files SMB share as a bind mount in a container, we will leverage the SMB Global Mapping feature that was introduced in Window Server 1709. Global mappings have been introduced specifically for this purpose, that is, mounting SMB shares on the host so that they're visible to containers. Let's get started:

1. First, ensure that you are logged in so that you can execute Azure PowerShell (using the Connect-AzAccount command).
2. Next, let's define a few variables that will be used in the commands we'll execute soon:

$resourceGroupName = "docker-storage-resource-group"
$storageAccountName = "dockerstorageaccount"
$fileShareName = "docker-bind-mount-share"

The names being used here are exactly the same as the ones we used in the previous subsection while creating the Azure Files SMB share.

3. The next step is to define the $storageAccount and $storageAccountKeys variables:

$storageAccount = Get-AzStorageAccount `
 -ResourceGroupName $resourceGroupName `
 -Name $storageAccountName
$storageAccountKeys = Get-AzStorageAccountKey `
  -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName

These variables will be used for the retrieval of file share details and credentials for access, both of which are needed for SMB Global Mapping.

4. Now, optionally, you can persist your share credentials in Windows Credential Manager using the cmdkey command:

Invoke-Expression -Command `
    ("cmdkey /add:$([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) " + `
    "/user:AZURE\$($storageAccount.StorageAccountName) /pass:$($storageAccountKeys[0].Value)")

5. We will also need details regarding Azure Files SMB share, so let's define a new variable called $fileShare:

$fileShare = Get-AzStorageShare -Context $storageAccount.Context | Where-Object { 
    $_.Name -eq $fileShareName -and $_.IsSnapshot -eq $false
}

6. At this point, you can also check if the file share details have been retrieved successfully. By doing this, you will be able to detect if, for example, $fileShareName contains the wrong share name:

if ($fileShare -eq $null) {
    Write-Error "Azure File share not found"
}

7. The last step, before creating an SMB Global Mapping, is to define a credentials object, which will be used for mapping creation:

$password = ConvertTo-SecureString `
    -String $storageAccountKeys[0].Value `
    -AsPlainText `
    -Force
$credential = New-Object System.Management.Automation.PSCredential `-ArgumentList "AZURE\$($storageAccount.StorageAccountName)", $password

8. Finally, we can use the New-SmbGlobalMapping command in order to create the mapping for Azure Files SMB share:

New-SmbGlobalMapping `
    -RemotePath "\\$($fileShare.StorageUri.PrimaryUri.Host)\$($fileShare.Name)" `
    -Credential $credential `
    -Persistent $true `
    -LocalPath G:

The preceding command will mount your Azure Files SMB share persistently as the G: drive. You can use this path later for bind mounts for Docker containers. Now, you can test if your mapping works correctly by moving some test files to the G: drive using Windows Explorer.

Globally mapped SMB shares, when used as bind mounts, are transparently visible for the containers as regular directories in the local filesystem. All of the "heavy lifting" is performed by the container host, which is responsible for managing the SMB share connection.

Let's demonstrate this feature by creating a simple PowerShell process-isolated container:

1. First, create a directory called G:\ContainerData in the SMB share for our demonstration container:

 New-Item -ItemType Directory -Force -Path G:\ContainerData

2. Now, we can run the container by providing the new directory in the Azure Files SMB share as a bind mount with C:\Data as the target:

docker run -it --rm `
           --isolation=process `
           --mount type=bind,source=G:\ContainerData,target=C:\Data               `mcr.microsoft.com/powershell:windowsservercore-1903

With this, we can easily prove that our solution works and that the container state files are indeed stored in Azure Cloud!

3. In the running container, create a file that contains data. For example, get a list of the currently running processes and store it as a processes.txt file:

Get-Process > C:\Data\processes.txt

4. Now, log in to Azure Portal (https://portal.azure.com/) and do the following:
   1. Navigate to Storage accounts from the main menu.
   2. Open the dockerstorageaccount account.
   3. In the storage account menu, open Files under the File service group.
   4. Open the docker-bind-mount-share file share from the list.

You will see a familiar directory structure. Navigate into the ContainerData directory to see that the processes.txt file is indeed there and contains the data that was stored in the container:

Please note that this scenario can also be achieved with a regular SMB File Server hosted in your local network, which may be a suitable solution if you use them in your infrastructure already.

Congratulations! You have successfully created a Windows container that uses Azure Cloud storage to persist container state. In the next section, we will learn how to run MongoDB inside Windows containers as an example of a multi-container solution.