[lxc-users] FUSE in an unprivileged container

Serge Hallyn serge.hallyn at ubuntu.com
Thu Jun 12 14:48:48 UTC 2014


Quoting Ivan Ogai (ivan at wikical.com):
> Hi,
> 
> in an unprivileged container set up following the instructions at
> https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers and having
> Ubuntu 14.04 as host, I'm trying to install the Wuala client (a software which
> mounts a remote directory using FUSE) so I'm trying to make FUSE work, but
> when trying to mount for a test with sshfs I get the error:
> 
>     fusermount: mount failed: Operation not permitted
> 
> 
> The fuse device is present in the container and has the proper permissions.
> 
> I have this in its config file:
> 
>     lxc.cgroup.devices.allow = c 10:229 rwm
>     lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file
>     lxc.loglevel = 2
>     lxc.logfile = /home/ivan/.local/share/lxc/wuala/lxc.log
>     lxc.cap.keep = CAP_SYS_ADMIN
> 
> 
> In the host I have added following line to /etc/apparmor.d/lxc/lxc-default.
> 
>     mount fstype=fuse options=(rw, bind, ro, nosuid, nodev, user),
> 
> 
> Unfortunately nothing is logged in the lxc.log file (not anywhere else either),
> and the -d option in sshfs doesn’t output more than without.
> 
> I would very much appreciate any idea pointing me to the way to solve
> it.

fuse mounts in an unprivileged container are very interesting to us, but
I've not yet had time to look into it myself.  If you make progress please
let us know.  Otherwise I don't have many hints for you, but at least,

on the host you can install auditd, then check /var/log/audit/auditd.log
for DENIED messages.  I don't expect anything meaningful will be there
but it's worth checking.

otherwise, the denied message probably comes from a capable() check in
the kernel which has not been converted to ns_capable().  Tracking that
down may not be all that easy.

-serge
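To follow up on Serge's suggestion of checking the host's audit log, here is an added example (not from the thread or the LXC project) that parses AppArmor audit records and picks out denied mount operations with a FUSE filesystem type, so the profile, command and error code can be read off directly. The sample records are constructed, and the default log path /var/log/audit/audit.log is an assumption.

```python
import re
import sys
from typing import Dict, Iterable, List

# AppArmor audit records are a flat sequence of key="value" / key=value pairs.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records, shaped like AppArmor AVC lines in auditd's log.
SAMPLE_LOG = """\
type=AVC msg=audit(1402584528.100:101): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/home/ubuntu/mnt/" pid=2314 comm="fusermount" fstype="fuse" srcname="sshfs#host:/"
type=AVC msg=audit(1402584528.200:102): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/etc/shadow" pid=2320 comm="cat" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1402584528.300:103): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/proc/" pid=2400 comm="mount" fstype="proc" srcname="proc"
"""


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        # Exactly one of the two value groups matched; bare is never empty when it did.
        fields[key] = bare if bare else quoted
    return fields


def fuse_mount_denials(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return records that are AppArmor mount denials with a FUSE fstype.

    The kernel reports sshfs and similar as fstype "fuse" (or "fuse.<name>"),
    so a prefix match covers both spellings.
    """
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
            continue
        if rec.get("fstype", "").startswith("fuse"):
            hits.append(rec)
    return hits


def main(argv: List[str]) -> None:
    # Assumed default location of auditd's log; pass another path as argv[1].
    path = argv[1] if len(argv) > 1 else "/var/log/audit/audit.log"
    try:
        with open(path) as fh:
            lines = fh.readlines()
    except OSError:
        lines = SAMPLE_LOG.splitlines()  # fall back to the constructed sample
    for rec in fuse_mount_denials(lines):
        print("DENIED fuse mount: profile=%s comm=%s name=%s error=%s info=%s" % (
            rec.get("profile"), rec.get("comm"), rec.get("name"),
            rec.get("error"), rec.get("info")))


if __name__ == "__main__":
    main(sys.argv)
```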
