[lxc-devel] mounting a crypted volume in a container
lxc at zitta.fr
Tue Mar 2 22:10:58 UTC 2010
On 02/03/2010 18:13, Daniel Lezcano wrote:
>
> lxc at zitta.fr wrote:
>> hi,
>>
>> I'm trying to provide a crypted volume to a container:
>> - So I have added it to the container's fstab:
>> root at ksxxx:~# cat /var/lib/lxc/newzer.ovh2.p.zitta.fr/fstab
>> /lxc/root/newzer.ovh2.p.zitta.fr /var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs none rbind 0 0
>> /dev/mapper/crypt_newzer /var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs/home ext4 defaults 0 0
>> - Looked which minor/major to allow
>> root at ksxxx:~# ls -l /dev/mapper/
>> total 0
>> crw-rw---- 1 root root 10, 60 2010-02-13 14:22 control
>> brw-rw---- 1 root disk 252, 3 2010-03-02 12:51 crypt_newzer
>> brw-rw---- 1 root disk 252, 3 2010-03-02 12:51 crypt_newzer_unformatted
>> brw-rw---- 1 root disk 252, 1 2010-02-13 14:22 vg0-backup_restore
>> brw-rw---- 1 root disk 252, 2 2010-03-02 12:22 vg0-cr_newzer
>> brw-rw---- 1 root disk 252, 0 2010-02-13 14:22 vg0-lxc
>> - I have allowed it (I have deduced it from examples)
>> root at ksxxx:~# cat /var/lib/lxc/newzer.ovh2.p.zitta.fr/config | grep 252:3
>> lxc.cgroup.devices.allow = b 252:3 rwm
>> - And plouf, an error :(
>> root at ksxxx:~# lxc-start -n newzer.ovh2.p.zitta.fr
>> lxc-start: Operation not permitted - failed to mount '/dev/mapper/crypt_newzer' on '/var/lib/lxc/newzer.ovh2.p.zitta.fr/rootfs/home'
>> lxc-start: failed to setup the mounts for 'newzer.ovh2.p.zitta.fr'
>> lxc-start: failed to setup the container
>>
>> So I'm wondering if it is possible, if I have made a mistake... Voila
>>
>> Any idea?
>> Thanks
>>
> You want to use an image to mount the rootfs, right?
> This is partly implemented but disabled in the code right now.
> Do you have an example of the image I can download somewhere in the
> net, so I can finish this part and test ?
>
> In the meantime, you can mount the image somewhere in a directory and
> use it as the rootfs - I know this is not what you want to do but
> anyway ... :)
>
>
>
I have done what you need, URL will follow in a private mail.
For my problem, it is a crypted datadir for a backup server, not a rootfs.
I wanted to use /var/lib/lxc/container/fstab to have the block device
mounted at lxc startup without using any wrapper around lxc-start.
For my education, are there any differences between these two solutions:
- using /var/lib/lxc/container/fstab
- mknod in the container + use its /etc/fstab
Regards,
Guillaume ZITTA