[lxc-users] Couldn't use fuse with unprivileged container
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Oct 22 13:35:12 UTC 2014
Quoting Sergey (sergeyn at gmail.com):
> Hello everyone,
>
> I'm trying to use bindfs (fuse) inside an unprivileged container but it
> doesn't work.
>
> Here is the modified apparmor profile:
>
> > profile lxc-container-default-with-fuse
> > flags=(attach_disconnected,mediate_deleted) {
> > #include <abstractions/lxc/container-base>
> >
> > mount fstype=fuse,
> > }
> >
>
> And container config:
>
> > lxc.include = /usr/share/lxc/config/ubuntu.common.conf
> > lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
> > lxc.arch = x86_64
> >
> > lxc.id_map = u 0 100000 65536
> > lxc.id_map = g 0 100000 65536
> > lxc.rootfs = /var/lib/lxc/ftp./rootfs
> > lxc.utsname = ftp
> > lxc.aa_profile = lxc-container-default-with-fuse
> >
> > lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file
> > lxc.cgroup.devices.allow = c 10:229 rwm
> > lxc.cap.keep = sys_admin
> >
>
> But every time I try to mount a fuse fs I get the same error:
>
> > "fusermount: mount failed: Operation not permitted"
> >
>
> Some information from strace:
>
> > [pid 504] mount("/dev/fuse", "/home/user/site", "fuse",
> > MS_NOSUID|MS_NODEV,
> > "allow_other,default_permissions,fd=5,rootmode=40000,user_id=0,group_id=0")
> > = -1 EPERM (Operation not permitted)
> >
>
> I would be so grateful if you could help me with the issue.
You'll need Seth's kernel patchset for this to work. Check the
lxc-devel mailing list for subject 'fuse'.
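Added example (not code from either poster): a small audit script that parses an LXC `key = value` config and checks for the entries the quoted config relies on for FUSE in an unprivileged container: uid/gid maps, the `/dev/fuse` bind mount, the device-cgroup allow for char device 10:229, and an `lxc.aa_profile` setting. The sample config is constructed from the one quoted above. These checks are necessary, not sufficient: as the reply says, the EPERM from `mount()` persists without the kernel patchset.

```python
"""Audit an LXC container config for the FUSE-related entries discussed in
the thread. Added example; the key names are those in the quoted config."""
from collections import defaultdict

# Constructed sample: the container config quoted in the thread, with a
# comment and blank lines added so the parser's skipping logic is exercised.
SAMPLE_CONFIG = """\
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# id maps are what make this container unprivileged
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /var/lib/lxc/ftp./rootfs
lxc.utsname = ftp
lxc.aa_profile = lxc-container-default-with-fuse

lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.cap.keep = sys_admin
"""


def parse_lxc_config(text):
    """Parse 'key = value' lines into {key: [values]}.

    Keys may repeat (lxc.include, lxc.id_map, ...), so every key maps to a
    list. Blank lines and '#' comments are skipped. Only the first '=' splits
    key from value, so mount options such as 'create=file' survive intact.
    """
    entries = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed config line: {raw!r}")
        key, _, value = line.partition("=")
        entries[key.strip()].append(value.strip())
    return dict(entries)


def check_fuse_config(text):
    """Return a list of findings; an empty list means every expected entry is present."""
    cfg = parse_lxc_config(text)
    problems = []

    # Unprivileged container: both a uid and a gid mapping must exist.
    idmap_types = {v.split()[0] for v in cfg.get("lxc.id_map", []) if v.split()}
    if not {"u", "g"} <= idmap_types:
        problems.append("missing uid/gid maps (container is not unprivileged)")

    # The host's /dev/fuse must be bind-mounted to dev/fuse inside the rootfs.
    mounts = cfg.get("lxc.mount.entry", [])
    if not any(m.split()[:2] == ["/dev/fuse", "dev/fuse"] for m in mounts):
        problems.append("no bind mount of /dev/fuse into the container")

    # The device cgroup must allow the fuse character device (major 10, minor 229).
    allows = cfg.get("lxc.cgroup.devices.allow", [])
    if not any(a.split()[:2] == ["c", "10:229"] for a in allows):
        problems.append("device cgroup does not allow /dev/fuse (c 10:229)")

    # The thread uses a custom AppArmor profile that permits 'mount fstype=fuse,'.
    if not cfg.get("lxc.aa_profile"):
        problems.append("no lxc.aa_profile set (a profile allowing mount fstype=fuse is needed)")

    return problems


if __name__ == "__main__":
    findings = check_fuse_config(SAMPLE_CONFIG)
    print("config OK" if not findings else "\n".join(findings))
```

Run it against `/var/lib/lxc/<name>/config` by reading the file into `check_fuse_config`; a clean result plus a persisting `EPERM` from `mount()` in strace points at the kernel side rather than at the container config.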