cr0x.net — Hard Problems. Clean Solutions.
English

Docker CIFS volumes are slow: the truth (and better alternatives)

November 8, 2025 • February 3, 2026 • Read: 23 min • Views: 8

Was this helpful?

It starts with a complaint that sounds vague and harmless: “The container is slow.” Then you look closer and it’s always the same shape: a Docker volume backed by a CIFS/SMB share, and an app that touches files like it’s being paid per syscall.

On paper, CIFS is “just a network filesystem.” In production, it’s a latency amplifier wrapped around metadata, permission mapping, caching limitations, and an optimistic belief that your workload is mostly sequential reads. Spoiler: your workload is not.

What “slow CIFS volume” really means

When people say “CIFS is slow,” they’re usually compressing several distinct failure modes into one grumpy sentence:

  • High latency per operation: each stat(), open, close, chmod, rename becomes a network round trip (or several).
  • Metadata-heavy workloads: language package managers, git checkouts, web apps with lots of tiny files, Python import storms, PHP autoloaders, Node node_modules, Java classpath scanning. These are CIFS’ natural predators.
  • Write durability semantics: SMB tries to provide Windows-friendly semantics around locking and consistency. That’s not free.
  • Client-side caching constraints: Linux CIFS often must trade caching aggressiveness for correctness, especially with multi-client access.
  • Permission mapping and identity translation: not glamorous, but it adds overhead and causes retries and surprises.

Also: Docker doesn’t magically make CIFS faster. Containers just make it easier to accidentally put a database on a network share and then act surprised when it behaves like a database on a network share.

One hard rule: if your app does a lot of small random I/O or filesystem metadata calls, CIFS inside a container is a performance tax you pay on every request. Your “throughput” can look fine in a big-file copy test and still be unusable in real workloads.

Facts and history: why SMB behaves like this

Some context helps, because SMB/CIFS isn’t slow because it’s “bad.” It’s slow because it’s doing work you didn’t ask for, for clients you didn’t invite, across networks you didn’t intend.

8 interesting facts (short, concrete, and useful)

  1. “CIFS” is effectively the older SMB dialect (SMB1 era). Most modern setups are SMB2/SMB3, but people still say “CIFS” like it’s a brand of tissue.
  2. SMB1 was chatty by design. SMB2 reduced round trips dramatically, but workloads with lots of metadata still hurt because the client still needs answers.
  3. SMB3 added encryption and multichannel. Great for security and resilience, sometimes not great for CPU and latency if misconfigured.
  4. Opportunistic locks (oplocks) and leases exist to improve caching, but they introduce invalidation traffic and tricky semantics under concurrency.
  5. Windows semantics matter: SMB is built to preserve Windows file locking and sharing modes. Linux apps that assume POSIX-y behavior can trigger extra checks.
  6. Linux CIFS uses the kernel client (cifs.ko) and it’s been steadily improved, but correctness constraints still limit aggressive caching in multi-writer scenarios.
  7. Metadata cost dominates on high-latency links: even 2–5 ms RTT can make “thousands of tiny operations” feel like molasses, regardless of gigabit bandwidth.
  8. Docker volumes are not a storage abstraction miracle: the kernel still does the same mount/I/O. Docker just makes it easier to deploy the mistake consistently.

The real root causes (not the myths)

Myth: “It’s bandwidth. We need faster networking.”

Bandwidth matters for large sequential reads/writes. CIFS volume pain in containers is usually IOPS and latency plus metadata amplification. You can have a 10 GbE link and still get wrecked by 3 ms RTT and 20k stat() calls per request. Your link will be bored while your app is on its knees.

Myth: “It’s Docker overhead.”

Docker adds some overhead in specific cases (overlay filesystems, user namespaces, mount propagation quirks). But for a bind mount or named volume backed by CIFS, the dominant cost is the network filesystem semantics. Docker is mostly an innocent bystander holding the bag.

Reality #1: Latency makes metadata workloads nonlinear

If a request triggers 500 filesystem metadata operations and each costs a network round trip, the math is brutal. CIFS can pipeline and batch some operations, but not enough to save a chatty workload from itself.

Reality #2: Caching is constrained by correctness

Linux CIFS can cache attributes and directory entries, but if multiple clients can modify the same tree, caching becomes a liability. You can tune caching (more on that later), but you’re always trading correctness and cross-client coherency for speed.

Reality #3: Containers hide identity and permission mismatches

Inside a container, UID/GID might not match what the SMB server expects. That leads to permission checks, failed writes, and sometimes fallback behaviors. Even when it “works,” you can end up with extra chown/chmod attempts that hammer metadata paths.

Reality #4: SMB signing/encryption can be a silent CPU tax

SMB signing and encryption are good, often necessary, and sometimes expensive. If either side lacks AES acceleration or you pin the container CPU too tightly, your “storage problem” is actually “crypto is eating your lunch.”

Reality #5: Locking semantics bite databases and build tools

SQLite, many build systems, and some application servers rely on file locks and fsync patterns that are fine on local ext4/xfs. Over SMB, the semantics can be slower, or worse, subtly different. That’s how you get “slow” and “weird” in the same ticket.

Paraphrased idea from Werner Vogels: “Everything fails, all the time—design for it.” CIFS over a network will fail in more creative ways than your local disk ever had time for.

Fast diagnosis playbook

This is the order I use when someone pings “CIFS volume slow” and I want an answer before lunch.

1) Prove it’s the mount (not the app)

  • Compare the same operation on CIFS vs local disk: file create, stat storms, small writes.
  • Check if the slowdown correlates with metadata operations rather than throughput.

2) Measure latency, not just throughput

  • Ping RTT to the server.
  • Look for retransmits, congestion, duplex issues, Wi-Fi “enterprise” surprises.

3) Identify the SMB dialect and security features

  • Confirm SMB3 vs SMB2 vs accidental SMB1 fallback.
  • Check signing/encryption status; verify CPU saturation on either side.

4) Inspect caching and mount options

  • Attribute caching (actimeo), client caching (cache=), read/write sizes, and whether options are being ignored.

5) Determine if you have multi-client writers

  • If multiple nodes/containers write to the same tree, your caching knobs are limited.
  • If it’s single-writer, you can be bolder.

6) Check the server and the path

  • Is the SMB server a Windows box, Samba, or a NAS appliance?
  • Is the backing storage slow (spindles, overloaded RAID, thin-provisioned cloud disk)?

Joke #1: Network filesystems are like office printers—when they work, nobody notices; when they don’t, everyone suddenly has opinions about infrastructure.

Practical tasks: commands, outputs, decisions

Below are real tasks you can run on a Linux Docker host. Each includes: command, sample output, what it means, and what decision you make.

Task 1: Confirm the mount type and options actually in use

cr0x@server:~$ findmnt -T /var/lib/docker/volumes/appdata/_data -o TARGET,SOURCE,FSTYPE,OPTIONS
TARGET                              SOURCE                FSTYPE OPTIONS
/var/lib/docker/volumes/appdata/_data //nas01/share        cifs   rw,relatime,vers=3.1.1,cache=strict,username=svc_app,uid=1000,gid=1000,actimeo=1

What it means: This is a CIFS mount (SMB) with SMB 3.1.1 and strict caching. Attribute cache timeout is 1 second.

Decision: If the workload is metadata-heavy and single-writer, consider increasing actimeo and/or changing cache= to improve speed. If multi-writer, be cautious.

Task 2: Verify SMB dialect and capabilities via kernel logs

cr0x@server:~$ dmesg | grep -i cifs | tail -n 5
[ 9342.112233] CIFS: VFS: \\nas01 negotiated SMB3.1.1 dialect
[ 9342.112240] CIFS: VFS: cifs_mount failed w/return code = -13
[ 9410.445566] CIFS: VFS: \\nas01 Server supports multichannel
[ 9410.445577] CIFS: VFS: \\nas01 requires packet signing

What it means: SMB3.1.1 is negotiated, multichannel is supported, and signing is required. There was a permission failure earlier (-13).

Decision: Ensure you’re not silently falling back to SMB1. Also investigate signing overhead and that earlier auth error (may indicate retries/backoff).

Task 3: Measure basic network RTT and jitter

cr0x@server:~$ ping -c 20 nas01
PING nas01 (10.20.1.50) 56(84) bytes of data.
64 bytes from 10.20.1.50: icmp_seq=1 ttl=63 time=1.92 ms
64 bytes from 10.20.1.50: icmp_seq=2 ttl=63 time=2.08 ms
...
--- nas01 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19024ms
rtt min/avg/max/mdev = 1.71/2.05/2.61/0.21 ms

What it means: RTT ~2 ms. That’s “fine” for humans and “expensive” for thousands of metadata calls.

Decision: If your workload is metadata-heavy, you need caching, workload changes, or a different storage backend—not just more bandwidth.

Task 4: Check for retransmits and TCP pain

cr0x@server:~$ ss -ti dst 10.20.1.50:445 | head -n 20
ESTAB 0 0 10.20.1.10:52144 10.20.1.50:445
	 cubic wscale:7,7 rto:204 rtt:2.3/0.4 ato:40 mss:1448 pmtu:1500 rcvmss:1448 advmss:1448 cwnd:10 bytes_acked:1289341 segs_out:10873 segs_in:10122 send 50.3Mbps lastsnd:12 lastrcv:12 lastack:12 pacing_rate 100.6Mbps retrans:0/12

What it means: Low RTT, some retrans history but currently zero active retrans. If you see growing retransmits, your storage is being sabotaged by the network.

Decision: If retransmits are non-trivial, fix network before tuning SMB. No mount option beats packet loss.

Task 5: Quick metadata micro-benchmark (file create storm)

cr0x@server:~$ time bash -c 'd=/var/lib/docker/volumes/appdata/_data/testmeta; rm -rf "$d"; mkdir -p "$d"; for i in $(seq 1 5000); do : > "$d/f_$i"; done'
real	0m38.412s
user	0m0.311s
sys	0m5.992s

What it means: 5,000 tiny creates took 38 seconds. That’s not “a bit slow,” that’s “your app is going to time out.”

Decision: This is a metadata latency problem. Consider moving hot paths to local disk, using NFS with appropriate tuning, or using a local cache layer.

Task 6: Compare the same test on local disk

cr0x@server:~$ time bash -c 'd=/tmp/testmeta; rm -rf "$d"; mkdir -p "$d"; for i in $(seq 1 5000); do : > "$d/f_$i"; done'
real	0m0.486s
user	0m0.169s
sys	0m0.301s

What it means: Same workload is ~80× faster locally. This is why people think “Docker is slow” when it’s really “remote metadata is slow.”

Decision: Don’t put metadata-heavy workloads on CIFS unless you accept the cost or redesign the workload.

Task 7: Inspect CIFS stats (client-side clues)

cr0x@server:~$ cat /proc/fs/cifs/Stats
Resources in use
CIFS Session: 2
Share (unique mount targets): 1
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0
Total vfs operations: 482109
Total ops: 612990
Total reconnects: 3

What it means: Reconnects exist. Even a few reconnects can create “random pauses” that look like app hiccups.

Decision: If reconnects increase, look at SMB server stability, idle timeouts, firewall state tracking, and network interruptions.

Task 8: Confirm whether SMB encryption is enabled (and costing CPU)

cr0x@server:~$ grep -iE 'Encryption|Signing|Dialect' /proc/fs/cifs/DebugData | head -n 20
Dialect: 3.1.1
Security: NTLMSSP
Signing: Enabled
SMB3 encryption: Enabled

What it means: Encryption is enabled. Great for security; possibly expensive for CPU.

Decision: If CPUs are saturated during I/O, consider whether encryption is required end-to-end. If it is required, ensure modern CPUs and avoid tiny-I/O workloads.

Task 9: Watch CPU steal/saturation during I/O

cr0x@server:~$ mpstat -P ALL 1 5
Linux 6.5.0 (server) 	01/03/2026 	_x86_64_	(16 CPU)

12:03:10 AM  CPU   %usr %nice %sys %iowait %irq %soft %steal %idle
12:03:11 AM  all   22.10  0.00  18.44   9.33 0.00  0.88   0.00 49.25
12:03:12 AM  all   25.20  0.00  21.77  10.12 0.00  1.01   0.00 41.90

What it means: High system CPU and iowait suggests the kernel is doing a lot of filesystem/network work. If %usr isn’t high but %sys is, SMB overhead is plausible.

Decision: If CPU is the bottleneck, tuning mount options won’t save you. You need workload changes, fewer small ops, or different storage.

Task 10: Identify the worst offenders (metadata vs data)

cr0x@server:~$ strace -f -tt -T -o /tmp/trace.txt docker exec app sh -c 'php -r "for($i=0;$i<2000;$i++){stat(\"/data/smallfile_$i\");}"'
cr0x@server:~$ tail -n 5 /tmp/trace.txt
12:04:21.553221 stat("/data/smallfile_1998", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 <0.006842>
12:04:21.560219 stat("/data/smallfile_1999", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 <0.006991>

What it means: Each stat() takes ~7 ms. Multiply that by thousands and you get sadness with a ticket number.

Decision: Either increase caching (if safe), reduce stats (app config), or move those files local.

Task 11: Benchmark SMB throughput with a big sequential write (to avoid fooling yourself)

cr0x@server:~$ dd if=/dev/zero of=/var/lib/docker/volumes/appdata/_data/dd.test bs=8M count=256 oflag=direct status=progress
2147483648 bytes (2.1 GB, 2.0 GiB) copied, 13 s, 165 MB/s
256+0 records in
256+0 records out
2147483648 bytes (2.1 GB, 2.0 GiB) copied, 13.0256 s, 165 MB/s

What it means: Throughput is fine. This is the classic trap: “165 MB/s, so storage is fast.” Meanwhile your app is dying on metadata calls.

Decision: Stop using only throughput tests. Always run a metadata test too.

Task 12: Check Docker mount propagation and whether you’re stacking filesystems

cr0x@server:~$ docker inspect app | grep -n '"Type"\|"Source"\|"Destination"' | head -n 20
145:            "Type": "volume",
146:            "Source": "/var/lib/docker/volumes/appdata/_data",
147:            "Destination": "/data",

What it means: The container sees a volume mounted at /data. If your container is also using overlayfs for other paths, that’s normal. The key is that your hot path is hitting CIFS directly.

Decision: If the app writes temp files, redirect temp directories to local storage (tmpfs or local volume) and keep CIFS only for cold/shared data.

Task 13: Confirm the CIFS kernel module version and loaded parameters

cr0x@server:~$ modinfo cifs | egrep 'version:|parm:|filename:' | head -n 15
filename:       /lib/modules/6.5.0/kernel/fs/smb/client/cifs.ko
version:        2.45
parm:           CIFSMaxBufSize:Network buffer size (int)
parm:           enable_oplocks:Enable or disable oplocks (int)
parm:           linux_ext:Enable Linux CIFS Extensions (int)

What it means: You’re using the in-kernel SMB client. Version and features vary across kernel versions; upgrades can change behavior.

Decision: If you’re on an ancient kernel, consider upgrading. SMB client performance and correctness have improved materially over time.

Task 14: Validate DNS and name resolution aren’t adding latency

cr0x@server:~$ time getent hosts nas01
10.20.1.50      nas01
real	0m0.006s
user	0m0.002s
sys	0m0.003s

What it means: Name resolution is fast. If this takes hundreds of milliseconds due to broken DNS, SMB reconnects and mount attempts get slow and flaky.

Decision: Fix DNS or use stable IPs in mount definitions (with awareness of failover).

Mount options that help (and ones that lie)

Mount options are not magic spells. They are trade-offs, usually between performance and coherency. If you have multiple clients writing to the same tree, your tuning envelope is small.

Start with sane defaults

For modern SMB servers, use SMB3 explicitly. Don’t let negotiation “figure it out.” When it “figures it out” wrong, you’ll spend a week benchmarking ghosts.

cr0x@server:~$ sudo mount -t cifs //nas01/share /mnt/share \
  -o vers=3.1.1,username=svc_app,uid=1000,gid=1000,serverino,rw

Options that often matter

  • vers=3.1.1: pin a modern dialect. If the server can’t do it, you want to know.
  • actimeo=: attribute caching timeout. Bigger values can massively speed up metadata-heavy reads; can also hide cross-client changes.
  • cache= (strict, loose, none): controls client caching policy. “Loose” can be faster and less correct.
  • rsize=, wsize=: tune read/write chunk sizes. Helps throughput, less helpful for metadata storms.
  • noserverino vs serverino: inode behavior. Mismatches can break apps that rely on stable inode numbers; performance impact varies but correctness impact can be real.

Options that are frequently misunderstood

  • nounix/unix: affects Unix extensions, permissions, and behavior. Use deliberately, not by copying a blog snippet from 2014.
  • soft/hard: that’s an NFS concept; SMB failure semantics differ. You still need to think about timeouts and retry behavior, but the knob isn’t the same.
  • “Just increase wsize and it’s fixed”: if your problem is metadata, bigger I/O buffers won’t matter.

A realistic “single-writer, mostly-read” tuning example

If you have a single container writing and the rest reading (or a single node), you can take more risk:

cr0x@server:~$ sudo mount -t cifs //nas01/share /mnt/share \
  -o vers=3.1.1,username=svc_app,uid=1000,gid=1000,rw,cache=loose,actimeo=30

What you get: Fewer round trips for stats and directory traversals.

What you pay: Another client might not see updates immediately. If you have multiple writers, you just created a consistency lottery.

Docker-specific gotchas with CIFS volumes

Named volumes with the local driver and CIFS

A common pattern is Docker’s local volume driver with CIFS options. It’s convenient, reproducible, and also easy to misconfigure.

cr0x@server:~$ docker volume create \
  --driver local \
  --opt type=cifs \
  --opt device=//nas01/share \
  --opt o=vers=3.1.1,username=svc_app,password=REDACTED,uid=1000,gid=1000,rw \
  appdata

That works, but you’ve now sprinkled credentials into places you may regret. Use a credentials file on the host where possible, and watch permissions on that file.

Overlayfs isn’t the villain, but it can be collateral damage

When the container filesystem uses overlayfs and your app mixes overlay paths with CIFS mounts, you can get weird patterns: fast reads from the image layer, slow reads from mounted data, and confusing strace traces that make you chase the wrong thing.

User namespaces and UID/GID mismatches

If you run Docker with userns-remap or rootless mode, CIFS UID/GID mapping can get awkward fast. The container’s “uid 1000” might map to something else on the host. Then you get permission-denied retries, fallback behavior, and performance cliffs that vanish when you run as root (which is its own cliff, just a different kind).

Healthchecks can become accidental load tests

Healthchecks that touch files on CIFS every few seconds across many containers become a steady metadata drizzle. Multiply by dozens of containers and you’ve built a tiny DDoS against your own NAS, slowly, politely, and continuously.

Joke #2: Putting a database on CIFS is like towing a race car with a shopping cart—technically it moves, but everyone looks uncomfortable.

Three corporate mini-stories from the trenches

Mini-story 1: The incident caused by a wrong assumption

At a mid-sized company, a team migrated a legacy app into containers. They wanted “shared storage” across two Docker hosts for uploads and generated thumbnails. The fastest path to a demo was a CIFS share from an existing Windows file server. It worked. Everyone clapped. The ticket was closed with a smile.

Two weeks later, a marketing campaign hit. The app didn’t fall over immediately. It just started timing out in uneven waves. CPU was fine. Memory was fine. The network graphs looked calm. The app logs were full of slow request warnings and occasional file-not-found errors that didn’t make sense.

The wrong assumption was subtle: “If a file exists on the share, every container will see it immediately.” In reality, attribute caching plus directory enumeration plus concurrent writes produced stale views. One container created a thumbnail and another container didn’t see it yet, so it regenerated it. Sometimes they raced. Sometimes they overwrote. Occasionally a reader got a partially-written file because the app assumed local atomicity that wasn’t actually guaranteed the way they used it.

The fix wasn’t heroic. They stopped sharing the hot path. Uploads landed on local disk first, then an async job pushed finalized artifacts to shared storage. The shared storage became a distribution point, not a live scratchpad. Errors vanished. Performance stabilized. The postmortem sentence was blunt: “We treated a network filesystem like a local filesystem under concurrency.”

Mini-story 2: The optimization that backfired

Another place, another “clever fix.” A team had a Node.js service with huge dependency trees. Startup was painfully slow because it read thousands of small files from a CIFS volume. Someone found a tuning suggestion: increase caching aggressively. They set cache=loose and bumped actimeo high. Cold start improved dramatically. Everyone clapped again. Different meeting room, same clapping.

Then came the backfire: deployments started failing in a new way. The service would start with an old version of a config file, even though the file had been updated on the share by the deployment job. Rollouts became nondeterministic. Half the fleet behaved like the new version, half like the old. Debugging was a circus because “just restart it” sometimes fixed it and sometimes didn’t.

The root cause was predictable in hindsight: they traded coherency for speed without changing the workflow. A network share used for shared configuration and live code paths needs freshness guarantees. Caching that’s “loose” is basically a handshake agreement with the universe.

The fix was to stop using CIFS for that purpose. They built immutable images that contained dependencies and config defaults, and used a configuration service for runtime settings. CIFS stayed, but only for large artifacts where caching staleness didn’t create correctness bugs.

Mini-story 3: The boring but correct practice that saved the day

A larger org had CIFS volumes in production because of corporate constraints: Windows-based storage team, existing access controls, and auditors who liked the word “SMB” because it sounded familiar. The SRE team didn’t love it, but they were realistic: some fights are budget fights, not technical fights.

So they did the boring thing. They created a standard: CIFS mounts were allowed only for cold data and append-mostly logs, never for databases, never for dependency trees, never for build scratch, never for high-churn temp directories. Every CIFS-backed workload needed a micro-benchmark in CI that ran both a throughput test and a metadata test, with thresholds.

They also added routine checks: alert on CIFS reconnects, track SMB server CPU, and measure p99 file operation latency from inside representative containers. Nobody celebrated these dashboards. They were not sexy. They were correct.

Six months later, the storage team pushed a change that altered SMB signing settings. Performance degraded slightly. The dashboards caught it quickly, and rollback happened before customer impact. The “boring standard” prevented an incident because it narrowed where CIFS could hurt, and the monitoring made the failure mode obvious.

Better alternatives (and when to pick each)

If you read nothing else: stop using CIFS as the default container storage backend for performance-sensitive workloads. Use it when you need Windows-native sharing semantics or you’re forced to. Otherwise, pick a tool that matches the workload.

1) Local disk (ext4/xfs) + replication (preferred for databases)

If the data is owned by a service (Postgres, MySQL, Elasticsearch, Redis persistence), use local storage and handle replication at the application layer. You’ll get predictable latency, proper fsync behavior, and fewer weird locks.

2) NFSv4.1+ for shared POSIX-ish storage

NFS isn’t automatically “faster,” but it tends to align better with Linux semantics and tooling. It can perform better on metadata-heavy workloads, depending on server and client settings. It also fails differently. Sometimes that’s the whole point.

3) Object storage for artifacts (S3-compatible APIs)

If your containers need to read/write blobs, stop pretending it’s a filesystem. Use object storage. You trade POSIX semantics for scalability and a much better time under concurrency. Your app might need changes, but your future self will send a thank-you note.

4) Block storage (iSCSI, Fibre Channel, cloud volumes) + a filesystem

If you need filesystem semantics and performance, put the filesystem on block storage and mount locally. Then share via app-level mechanisms, not by having multiple clients hammer the same filesystem unless you’re using a clustered filesystem intentionally.

5) A local caching layer in front of CIFS

If corporate reality says CIFS stays, put a cache in front of it. Options include:

  • Sync-to-local on startup (rsync-like) and periodic refresh.
  • Write-back patterns for logs/artifacts (local spool, async upload).
  • Explicit application caching (in-memory, Redis, CDN for static content).

This works because it changes the I/O shape: fewer network round trips, fewer metadata operations, fewer synchronous writes.

Common mistakes: symptoms → root cause → fix

This is the section that prevents repeat incidents.

1) Symptom: “Throughput is good but the app still times out”

Root cause: Metadata latency dominates (stat/open/close storms). Big-file tests lie.

Fix: Run metadata micro-benchmarks; increase actimeo only if safe; move dependency trees and temp files to local disk; redesign workload to use fewer filesystem calls.

2) Symptom: “Random 5–30 second freezes”

Root cause: SMB reconnects, server-side hiccups, firewall/NAT state timeouts, or DNS delays during reconnect.

Fix: Check /proc/fs/cifs/Stats reconnects, TCP retransmits, dmesg; stabilize network path; ensure keepalives; reduce idle timeouts; fix DNS.

3) Symptom: “Works on one host, slow on another”

Root cause: Different mount options, different SMB dialect negotiated, different kernel versions, or CPU crypto capability differences.

Fix: Compare findmnt output; pin vers=; standardize kernel and CIFS settings; verify encryption/signing and CPU usage.

4) Symptom: “Permission denied” mixed with slowness

Root cause: UID/GID mapping mismatch, user namespaces, or server ACL evaluation causing repeated failures.

Fix: Align identities; use consistent uid=/gid=; consider using Samba with proper Unix extensions if you need POSIX permissions; avoid chown storms at container start.

5) Symptom: “File exists, but app can’t see it yet”

Root cause: Client caching or directory entry caching delays; cross-client coherency issues.

Fix: Reduce caching aggressiveness for shared config/code paths; don’t use CIFS as a coordination mechanism; use a service registry/config service or explicit synchronization.

6) Symptom: “Database corruption / lock errors / weird fsync behavior”

Root cause: Network filesystem semantics don’t match what the database expects under failure, locking, or durability constraints.

Fix: Do not run databases on CIFS. Use local disk or purpose-built clustered storage with known semantics for that database.

7) Symptom: “CPU spikes during file copies”

Root cause: SMB encryption/signing overhead, possibly with small I/O.

Fix: Confirm encryption/signing; ensure AES-NI/CPU acceleration; increase I/O sizes where possible; consider alternative storage path if CPU is the bottleneck.

Checklists / step-by-step plan

Step-by-step: stabilize a slow CIFS-backed Docker workload (practical plan)

  1. Identify the hot path: which directories are on CIFS, and which are latency-sensitive (config, deps, temp, cache, DB files).
  2. Run two benchmarks: one throughput (dd) and one metadata (create/stat storm). Record times.
  3. Measure RTT and retransmits: if network is dirty, stop and fix that first.
  4. Confirm dialect/security: SMB3.1.1, and whether signing/encryption are on.
  5. Check reconnects: if reconnects occur, treat it as a reliability issue, not just performance.
  6. Move temp directories local: set TMPDIR, app cache directories, build outputs to local disk or tmpfs.
  7. Remove databases from CIFS: migrate to local volumes with replication/backups.
  8. Reduce metadata pressure: vendor dependencies into images; avoid runtime installs from CIFS; minimize directory scans.
  9. Tune caching only when safe: if single-writer, increase actimeo and consider cache=loose for read-heavy trees.
  10. Standardize mount definitions: same options everywhere, pinned vers=, credentials handled securely.
  11. Instrument p95/p99 filesystem latency: strace sampling, application timing, and CIFS stats.
  12. Plan an exit: pick an alternative storage design for the next quarter; don’t let “temporary CIFS” become immortal.

Operational checklist: when CIFS is unavoidable

  • Pin SMB dialect (vers=3.1.1 or a known-good).
  • Document whether the share is single-writer or multi-writer.
  • Keep CIFS for large files and cold data, not metadata storms.
  • Alert on reconnects and elevated retransmits.
  • Keep mount options consistent across hosts.
  • Test after kernel updates; SMB client behavior changes over time.

FAQ

1) Is “CIFS” the same as SMB?

In everyday ops talk, yes. Technically, CIFS usually refers to older SMB1-era dialects. On Linux you often mount with -t cifs even when negotiating SMB3.

2) Why is CIFS especially painful in containers?

Containers encourage patterns like “mount a share and run everything on it,” including dependency trees, caches, and sometimes databases. Containers also multiply the number of concurrent clients and metadata operations.

3) What’s the single biggest predictor of “CIFS is slow”?

Metadata-heavy workloads plus non-trivial RTT. If your app does lots of small filesystem calls, you’ll feel every millisecond.

4) Can mount options actually fix it?

They can improve it, sometimes dramatically, but they can’t change physics. If your workload needs local-disk latency and you’re doing cross-network metadata, options are just choosing which corner you want to cut.

5) Should I use cache=loose?

Only when you understand the coherency trade-off and the share isn’t used for live coordination across writers. It’s a performance lever with a correctness price tag.

6) Is NFS always faster than SMB?

No. But NFS often aligns better with Linux workloads and can perform better for metadata patterns, depending on server/client configuration and the storage behind it.

7) What about SMB multichannel—will it speed things up?

It can help throughput and resilience when properly configured on both client and server with multiple NICs. It won’t magically fix metadata latency, and it can add complexity.

8) Why do big file copies look fine while the app crawls?

Sequential I/O can stream well over SMB. Apps usually do mixed I/O with lots of opens/stats/small writes. Different performance universe.

9) Is running Postgres/MySQL on CIFS supported?

Even when it “works,” it’s a reliability and performance gamble. Use local disk or storage designed for database semantics. CIFS is a file-sharing protocol, not a database substrate.

10) What’s a safe pattern if I must share data across containers?

Share finalized artifacts, not live working sets. Write locally, then publish. Treat CIFS as a distribution layer, not a transactional workspace.

Next steps you can actually do this week

If you’re already running CIFS volumes in Docker and it’s slow, don’t start by rewriting the world. Do this:

  1. Run the metadata micro-benchmark on the CIFS mount and locally. If the gap is huge, you have your diagnosis.
  2. Move the hot churn (temp, caches, dependency installs, build outputs) to local storage. This alone often cuts pain by an order of magnitude.
  3. Confirm SMB dialect and security settings so you’re not accidentally negotiating something ancient or expensive without realizing it.
  4. Standardize mount options and measure before/after. Don’t tune blind.
  5. Pick an alternative for the next iteration: local disk + replication for databases, NFS for shared POSIX-ish trees, object storage for blobs, or a cache-in-front pattern if CIFS is mandated.

Then write it down as a rule: CIFS is acceptable for cold shared data. It’s not a default home directory for production containers. Your future on-call rotation will quietly appreciate your lack of creativity.

← Previous
Code-Friendly Tables: Fixed vs Auto Layout, Wrapping, and Numeric Alignment
Next →
PCIe and GPUs: when x8 is fine and when it hurts

Related articles

Docker: The Compose Pattern That Prevents 90% of Production Outages February 6, 2026 Docker Registry Login Fails: Credential Store and Auth Fixes That Actually Work February 1, 2026 Docker Compose Stack Migration: Move to a New Host Without Downtime Myths January 30, 2026 Debian 13: nftables + Docker — stop auto-rules from surprising you (and fix it) (case #39) January 30, 2026 Docker Rate Limiting and WAF in Front of Containers Without Blocking Real Users January 23, 2026 Docker “network not found”: rebuild networks without breaking everything January 23, 2026 Docker Build Cache Invalidation: Why Builds Are Slow and How to Speed Them Up January 22, 2026 Docker Compose: Depends_on Lied to You — Proper Readiness Without Hacks January 22, 2026 Docker Daemon Won’t Start: Read This Log First (Then Fix It) January 21, 2026 Docker “manifest unknown”: tags vs digests explained (and fixed) January 21, 2026

Leave a comment