This documentation is part of the "Projects with Books" initiative at zenOSmosis.
The source code for this project is available on GitHub.
Three-Tier Design
Relevant source files
Purpose and Scope
This page documents the fundamental three-tier architecture that enables sshfs-mac-docker to provide SSHFS functionality on macOS without requiring macFUSE or kernel extensions. The design isolates complex filesystem operations within a Docker container while exposing results through standard network protocols.
For details on how SSH and SMB protocols are bridged within the container, see Protocol Translation. For network configuration and port mapping specifics, see Network Architecture.
Architectural Overview
The system implements a three-tier design where each tier has distinct responsibilities and runs in different execution environments:
| Tier | Environment | Primary Role | Key Technologies |
|---|---|---|---|
| Tier 1 | macOS Host | User interface and container management | Finder, Docker CLI |
| Tier 2 | Docker Container | Protocol bridging and filesystem operations | SSHFS, Samba, FUSE |
| Tier 3 | Remote Server | Data storage and SSH authentication | SSH daemon, remote filesystem |
This separation is the core innovation that eliminates the need for macFUSE installation on macOS. All FUSE operations are contained within the Docker container's Linux environment, where FUSE is a native, well-supported technology.
Sources: README.md:1-5
The Three-Tier Structure
Diagram: Three-Tier Architecture with Code Entity Mapping
This diagram maps the architectural tiers to specific code artifacts, showing how the Dockerfile constructs each component.
Sources: README.md:1-90 Dockerfile:1-34
Tier 1: macOS Host Layer
The macOS host layer is intentionally minimal and avoids any kernel-level modifications. This tier's responsibilities are limited to:
Responsibilities
- Container Lifecycle Management : Building and running the Docker container via
docker buildanddocker runcommands - User Interaction : Providing the terminal interface for executing commands within the container via
docker exec - File Access : Mounting the SMB share through macOS Finder's native SMB client
What Does NOT Run Here
Critically, this tier does not include:
- FUSE kernel extensions (no macFUSE required)
- SSHFS client software
- Any SSH connection handling to remote servers
- Filesystem mounting operations
By excluding these components from the macOS host, the system avoids the primary pain point that sshfs-mac-docker was designed to solve: the requirement to install macFUSE and accept kernel extension modifications.
Sources: README.md:1-3
Tier 2: Docker Container Layer
The container layer is the system's core, acting as a protocol bridge and isolation boundary. This tier contains all complex filesystem operations within a controlled Linux environment.
Container Build-Time Setup
The Dockerfile:1-34 constructs this tier through several distinct phases:
| Build Phase | Lines | Purpose | Key Artifacts |
|---|---|---|---|
| Base Image | 2 | Provides Ubuntu Linux environment | ubuntu:latest |
| Package Installation | 4-6 | Installs SSHFS and Samba | sshfs, samba packages |
| User Creation | 8-9 | Creates non-root user for SSHFS | sshuser account |
| Directory Structure | 11-15 | Establishes mount points | /remote, /samba-share |
| Configuration | 17-24 | Sets up Samba and FUSE configs | smb.conf, fuse.conf |
| Integration | 29-30 | Links SSHFS mount to Samba share | Symbolic link |
| Service Launch | 32-33 | Starts Samba daemon | smbd process |
Runtime Components
Diagram: Container Internal Structure Mapping to Dockerfile
This diagram shows how runtime components correspond to build-time Dockerfile instructions.
Directory Integration
The symbolic link created at Dockerfile30 is the critical integration point:
This creates /samba-share/remote as a symbolic link pointing to /remote, where SSHFS will mount the remote filesystem. The Samba server serves /samba-share Dockerfile21 making the SSHFS-mounted content accessible via SMB without data duplication.
Sources: Dockerfile:1-34
Tier 3: Remote Infrastructure Layer
The remote infrastructure tier is external to the Docker environment and consists of:
- Remote SSH Server : The target system that the user specifies as
user@host:pathin thesshfscommand README.md49 - Remote Filesystem : The actual files and directories being accessed
- SSH Authentication : Standard SSH protocol authentication (password or key-based)
This tier is completely unaware that access is being proxied through a Docker container and SMB protocol. From the remote server's perspective, it's handling a standard SSHFS connection.
Sources: README.md:36-53
Isolation Strategy and Kernel Extension Avoidance
The macFUSE Problem
On macOS, SSHFS traditionally requires macFUSE (formerly OSXFUSE), which necessitates:
- Installing a kernel extension (kext)
- Allowing system extensions in Security & Privacy settings
- Potential compatibility issues with macOS updates
- Security concerns about third-party kernel code
Sources: README.md3
The Container Solution
The three-tier design solves this by:
Diagram: Comparison of Approaches - Traditional vs Container-Based
Why This Works
| Aspect | Traditional SSHFS | sshfs-mac-docker |
|---|---|---|
| FUSE Location | macOS kernel space | Docker container (Linux userspace) |
| Requires macFUSE | Yes | No |
| Kernel Extensions | Required on macOS | Only within container (isolated) |
| macOS System Modifications | Yes | None |
| SSH Client | Runs on macOS | Runs in container |
| File Access Protocol | Direct FUSE | SMB (native macOS support) |
The Docker container provides a Linux environment where FUSE is natively supported Dockerfile:5-6 The container's --privileged flag README.md31 allows FUSE operations within the container without affecting the host macOS kernel.
Sources: README.md:1-31 Dockerfile:5-6
Component Distribution Across Tiers
The following table maps specific components and files to their respective tiers:
| Component | Tier | File/Path | Created By | Purpose |
|---|---|---|---|---|
| Docker CLI | 1 | N/A | macOS | Container management |
| Finder | 1 | N/A | macOS | SMB client |
ubuntu:latest | 2 | N/A | Dockerfile:2 | Base image |
sshfs package | 2 | N/A | Dockerfile:6 | SSHFS client |
samba package | 2 | N/A | Dockerfile:6 | SMB server |
sshuser account | 2 | N/A | Dockerfile:9 | Non-root user |
/remote directory | 2 | /remote | Dockerfile:12 | SSHFS mount point |
/samba-share directory | 2 | /samba-share | Dockerfile:15 | Samba share root |
smb.conf | 2 | /etc/samba/smb.conf | Dockerfile:18 | Samba configuration |
fuse.conf | 2 | /etc/fuse.conf | Dockerfile:24 | FUSE permissions |
| Symbolic link | 2 | /samba-share/remote | Dockerfile:30 | Integration point |
smbd process | 2 | N/A | Dockerfile:33 | SMB daemon |
| Remote SSH Server | 3 | user@host | External | SSH daemon |
| Remote Filesystem | 3 | user@host:path | External | Data source |
Sources: Dockerfile:1-34 README.md:49-60
Data Flow Across Tiers
The three tiers collaborate to enable seamless file access:
Diagram: Cross-Tier Data Flow for File Operations
Each tier maintains clear boundaries:
- Tier 1 handles only SMB protocol communication
- Tier 2 translates between SMB and SSH/FUSE protocols
- Tier 3 provides the actual file data via SSH
Sources: README.md:46-69
Summary
The three-tier design achieves its primary goal of avoiding macFUSE by:
- Isolating FUSE operations within a Docker container (Tier 2) where Linux provides native FUSE support
- Exposing the remote filesystem through SMB, which macOS (Tier 1) natively supports
- Delegating actual file storage and SSH operations to the remote server (Tier 3)
This architecture requires no modifications to the macOS host system, making it a non-invasive solution for accessing remote filesystems via SSHFS on macOS.
Sources: README.md:1-90 Dockerfile:1-34