[lxc-users] Couldn't use fuse with unprivileged container

Serge Hallyn serge.hallyn at ubuntu.com
Wed Oct 22 13:35:12 UTC 2014


Quoting Sergey (sergeyn at gmail.com):
> Hello everyone,
> 
> I'm trying to use bindfs (fuse) inside unprivileged container but it
> doesn't work.
> 
> There is modified apparmor profile:
> 
> > profile lxc-container-default-with-fuse
> > flags=(attach_disconnected,mediate_deleted) {
> >   #include <abstractions/lxc/container-base>
> >
> >   mount fstype=fuse,
> > }
> >
> 
> And container config:
> 
> > lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> > lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> > lxc.arch = x86_64
> >
> > lxc.id_map = u 0 100000 65536
> > lxc.id_map = g 0 100000 65536
> > lxc.rootfs = /var/lib/lxc/ftp./rootfs
> > lxc.utsname = ftp
> > lxc.aa_profile = lxc-container-default-with-fuse
> >
> > lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file
> > lxc.cgroup.devices.allow = c 10:229 rwm
> > lxc.cap.keep = sys_admin
> >
> 
> But every time I tried to mount fuse fs I get the same error:
> 
> > "fusermount: mount failed: Operation not permitted"
> >
> 
> Some information from strace:
> 
> > [pid   504] mount("/dev/fuse", "/home/user/site", "fuse",
> > MS_NOSUID|MS_NODEV,
> > "allow_other,default_permissions,fd=5,rootmode=40000,user_id=0,group_id=0")
> > = -1 EPERM (Operation not permitted)
> >
> 
> I would be so grateful if you could help me with the issue.

You'll need Seth's kernel patchset for this to work.  Check the
lxc-devel mailing list for subject 'fuse'.
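As an added example (not part of the thread, and not lxc's own tooling): a small POSIX sh check that audits an LXC config file for the four container-side directives Sergey's config relies on for FUSE (the /dev/fuse bind mount, the device cgroup rule for c 10:229, the kept sys_admin capability and the custom AppArmor profile). The sample config files it writes are constructed for this example; the kernel-side requirement Serge points to is outside what a config check can verify.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits an LXC container config
# for the FUSE-related directives shown in the thread. A complete config still
# gets EPERM on mount() if the kernel does not allow FUSE mounts from inside a
# user namespace; that part cannot be checked here.

# Returns the number of missing directives (0 = all present).
check_fuse_config() {
    conf="$1"
    missing=0
    # Normalise "key = value" to "key=value" once per line so spacing in the
    # config does not matter, then look for each directive as a fixed string.
    for rule in \
        'lxc.mount.entry=/dev/fuse dev/fuse none bind' \
        'lxc.cgroup.devices.allow=c 10:229 rwm' \
        'lxc.cap.keep=sys_admin' \
        'lxc.aa_profile=lxc-container-default-with-fuse'
    do
        if ! sed 's/[[:space:]]*=[[:space:]]*/=/' "$conf" | grep -Fq -- "$rule"; then
            echo "missing: $rule"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample configs (file names are assumptions for this example).
GOOD_CONF="${TMPDIR:-/tmp}/fuse-good.conf"
BAD_CONF="${TMPDIR:-/tmp}/fuse-bad.conf"
cat > "$GOOD_CONF" <<'EOF'
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.aa_profile = lxc-container-default-with-fuse
lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.cap.keep = sys_admin
EOF
# Same config with the device cgroup rule and the capability dropped.
grep -v -e 'devices.allow' -e 'cap.keep' "$GOOD_CONF" > "$BAD_CONF"

check_fuse_config "$GOOD_CONF" && echo "$GOOD_CONF: all FUSE directives present"
check_fuse_config "$BAD_CONF" || echo "$BAD_CONF: $? directive(s) missing"
```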
