[lxc-users] pre-mount hook namespace

Dietmar Maurer dietmar at proxmox.com
Mon Nov 16 11:33:37 UTC 2015

> On November 16, 2015 at 11:48 AM Wolfgang Bumiller <w.bumiller at proxmox.com>
> wrote:
> 
> 
> > On November 11, 2015 at 6:04 PM Serge Hallyn <serge.hallyn at ubuntu.com>
> > wrote:
> > > > 2.
> > > > If you are just using unpriv containers to use user namespaces, you can
> > > > actually have the container be owned/started by root.  That's what I do
> > > > for some containers where their rootfs is a dmcrypt device which I
> > > > couldn't mount as an unpriv user.
> > > 
> > > They are started as root, which means I can prepare the mounts as you
> > > suggested above, but I'd again be clobbering the host's namespace.
> > 
> > Oh, right.  I forget that even when starting as root, this only works
> > for the rootfs itself, not other mounts.  (Lxd actually does handle this,
> > but at the cost of having a MS_SLAVE mount per container)
> 
> So we ended up doing just that, but now with the latest lxcfs
> upgrades (I suspect cgmanager/cgfs changes) AppArmor suddenly
> denies lxc-start to bind mount something. Here's what happens
> with raw lxc-start commands

Seems to be related to the lxc update. lxc 1.1.4 works with the latest lxcfs,
so the problem is introduced between lxc 1.1.4 and lxc 1.1.5.
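The thread's underlying problem is mount propagation: mounts prepared by a hook that still shares the host's mount namespace land on the host, and the fix the thread mentions (a per-container slave mount, as LXD does) only helps if the hook really is detached. The following C program is an added example written for this page; it is not code from the thread, LXC, LXD or Proxmox. It parses `/proc/self/mountinfo` lines to report whether the root mount is shared (meaning new mounts would propagate to peers, i.e. the host), and shows the `unshare(CLONE_NEWNS)` plus `MS_REC|MS_SLAVE` step that makes a hook's mounts private. The sample mountinfo text is constructed for the example; `make_mounts_private()` needs `CAP_SYS_ADMIN` and is only called from `main`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

enum prop { PROP_PRIVATE = 0, PROP_SLAVE = 1, PROP_SHARED = 2, PROP_UNBINDABLE = 3 };

/* Return field 5 (mount point) of a mountinfo line; 1 on success, 0 if malformed.
 * Spaces inside paths are escaped as \040 by the kernel, so splitting on ' ' is safe. */
int mountpoint_of(const char *line, char *out, size_t n)
{
    char buf[1024];
    snprintf(buf, sizeof buf, "%s", line);
    char *save = NULL;
    int field = 0;
    for (char *tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save))
        if (++field == 5) { snprintf(out, n, "%s", tok); return 1; }
    return 0;
}

/* Propagation type of one mountinfo line. Optional fields sit between field 6
 * and the "-" separator and carry shared:N, master:N, propagate_from:N or
 * unbindable. A shared mount propagates new submounts to its peers even if it
 * is also a slave of another group, so PROP_SHARED takes precedence. */
int mount_propagation(const char *line)
{
    char buf[1024];
    snprintf(buf, sizeof buf, "%s", line);
    char *save = NULL;
    int field = 0, result = PROP_PRIVATE;
    for (char *tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        if (++field <= 6) continue;          /* mandatory leading fields */
        if (strcmp(tok, "-") == 0) break;    /* end of optional fields */
        if (strncmp(tok, "shared:", 7) == 0) result = PROP_SHARED;
        else if (strncmp(tok, "master:", 7) == 0 && result != PROP_SHARED) result = PROP_SLAVE;
        else if (strcmp(tok, "unbindable") == 0 && result == PROP_PRIVATE) result = PROP_UNBINDABLE;
    }
    return result;
}

/* 1 if the "/" mount in the given mountinfo text is shared (mounts made here
 * would propagate to peers such as the host), 0 if not, -1 if no root line. */
int root_is_shared(const char *mountinfo)
{
    const char *p = mountinfo;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024], mp[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (mountpoint_of(line, mp, sizeof mp) && strcmp(mp, "/") == 0)
            return mount_propagation(line) == PROP_SHARED;
        if (!nl) break;
        p = nl + 1;
    }
    return -1;
}

/* Detach into a private mount namespace and turn every mount into a slave so
 * that later mounts (e.g. in a pre-mount hook) never reach the host.
 * Requires CAP_SYS_ADMIN; returns 0 or -errno. */
int make_mounts_private(void)
{
    if (unshare(CLONE_NEWNS) != 0) return -errno;
    if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) != 0) return -errno;
    return 0;
}

/* Constructed sample: a host whose root is shared and a container rootfs that is a slave of it. */
static const char SAMPLE_SHARED[] =
    "22 27 0:21 / /sys rw,nosuid shared:7 - sysfs sysfs rw\n"
    "27 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro\n"
    "40 27 0:35 / /var/lib/lxc/c1/rootfs rw master:1 - ext4 /dev/mapper/c1 rw\n";

int main(void)
{
    printf("sample root shared: %d\n", root_is_shared(SAMPLE_SHARED));
    static char live[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (f) {
        size_t n = fread(live, 1, sizeof live - 1, f);
        live[n] = '\0';
        fclose(f);
        printf("this process: root shared = %d\n", root_is_shared(live));
    }
    int rc = make_mounts_private();
    printf("make_mounts_private: %s\n", rc == 0 ? "ok" : strerror(-rc));
    return 0;
}
```

Running the check from inside a hook before any mount is the quick way to tell whether the hook is still in the host's namespace: a result of 1 means every bind mount it performs will appear on the host as well.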
