[Lxc-users] FUSE and capabilities

Trent W. Buck twb at cybersource.com.au
Mon Feb 14 23:45:54 UTC 2011


Milan Zamazal <pdm at zamazal.org> writes:

> I tried to use FUSE/EncFS in a container on a Debian 6.0 machine and
> I've found I have to enable CAP_SYS_ADMIN in order to make it work.
> Without it, a permission error is reported on encfs invocation (and yes,
> I've got /dev/fuse enabled in lxc.cgroup.devices.allow, it wouldn't work
> without it even with CAP_SYS_ADMIN set).
>
> Do I have to enable CAP_SYS_ADMIN to allow any mount in a container or
> is there a way to allow user mounts (such as FUSE or USB flash mounts)
> without giving such a wide permission to the container?

I think current best practice is not to give the container mount
privileges; for static mounts you can create lxc.mount entries in the
lxc .conf; for dynamic mounts there isn't any sane solution AFAICT.

I suppose if I had to support desktop wank, I would set up a udev rule
on the host to mount removable devices in /media/<VOL ID>, and then
rbind-mount /media into the container(s).  I can't think of a way to
handle mounting offhand, so I'd mount them -osync to reduce data loss.
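The host-side arrangement sketched above, as an added configuration example (not from the original post): the container keeps no mount privilege, static mounts are declared in the lxc config, and removable media mounted by the host under /media is rbind-mounted in. Container name "example", rootfs path, the /srv/example/data directory and the udev rule file name are assumptions.

```conf
# /var/lib/lxc/example/config  (container name and paths are assumed)

# Least privilege: the container never needs to call mount(2) itself,
# so drop CAP_SYS_ADMIN instead of granting it for FUSE/EncFS.
lxc.cap.drop = sys_admin

# Static mount: declared on the host side at container start, in fstab
# syntax, so no mount privilege is required inside the container.
lxc.mount.entry = /srv/example/data /var/lib/lxc/example/rootfs/srv/data none bind,ro 0 0

# Dynamic mounts: the host mounts removable volumes under /media/<VOL ID>
# (see the udev rule below); rbind propagates those submounts into the
# container's /media without any mount privilege in the container.
lxc.mount.entry = /media /var/lib/lxc/example/rootfs/media none rbind 0 0

# /etc/udev/rules.d/99-media.rules  (file name assumed)
# Host-side mount of any block device carrying a filesystem UUID, using
# -o sync as the post suggests, since there is no unmount hook here.
ACTION=="add", SUBSYSTEM=="block", ENV{ID_FS_UUID}=="?*", \
  RUN+="/bin/sh -c 'mkdir -p /media/$env{ID_FS_UUID} && mount -o sync /dev/%k /media/$env{ID_FS_UUID}'"
```

Note that with CAP_SYS_ADMIN dropped, the container cannot run encfs or any other FUSE mount itself, so there is no reason to allow /dev/fuse in lxc.cgroup.devices.allow either; any FUSE filesystem the container needs is mounted on the host and passed in the same way.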
