[lxc-users] Using docker *and* nfs in lxd?
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Apr 29 15:58:39 UTC 2016
Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> > Quoting Dan Kegel (dank at kegel.com):
> > > Hi all,
> > > I'm trying to virtualize an app that uses both nfs and docker on
> > > Ubuntu 16.04. (Yes, the app uses docker. Sigh.)
> > >
> > > The lxc profile lxc-container-default-with-nesting allowed installing
> > > nfs-kernel-server, but didn't let me install docker.io.
> > > I figured I was getting into "better use the latest stuff" territory,
> > > so I switched to lxd.
> > >
> > > Following https://www.stgraber.org/2016/04/13/lxd-2-0-docker-in-lxd-712,
> > > I was able to
> > > get docker to run inside lxc:
> > >
> > > sudo apt install lxd lxd-client
> > > sudo usermod -aG lxd $USER
> > > (log out; log in)
> > > lxc launch ubuntu:16.04 docker -p default -p docker
> > > lxc exec docker -- apt update
> > > lxc exec docker -- apt dist-upgrade -u
> > > lxc exec docker -- apt install docker.io -y
> > > lxc exec docker -- docker run ubuntu /bin/echo 'hello, nesty world!'
> > >
> > > Worked great! But
> > > lxc exec docker -- apt install nfs-kernel-server -y
> > >
> > > failed; journalctl says:
> > > nfs-idmapd.service/stat failed with result 'dependency' ...
> > > ... failed to mount RPC Pipe File System...
> > > ... Unit run-rpc_pipefs.mount has failed..."
> > >
> > > Just as with my earlier lxc problem, I'm sure there's some simple answer that'd
> > > be obvious if I read the docs, but I can't find any lxd doc that mentions nfs,
> > > nor am I fluent in AppArmor. Can I buy a clue?
> >
> > My guess is you need to add permission to mount type rpc_pipefs
> > run-rpc_pipefs.mount, perhaps by adding it to the raw.apparmor
> > config item using 'lxc config edit docker'
> >
>
> Well this is fascinating. I can't get an allow rule to work for me,
> but setting security.privileged: true does work, so it is apparmor
> preventing the mount. There is no denied rule in syslog, so it
> appears to be a silent denial, but I don't know where.
Ah, it's not apparmor. You're simply not allowed to mount that unless
you are in the initial usernamespace. You can reproduce using just
lxc-usernsexec bash
# lxc-unshare -s "MOUNT|PID"
## mount -t rpc_pipefs sunrpc /mnt
Was your lxc (non-lxd) container not unconfined?
-serge
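The reproduction Serge describes, as an added example that is not part of the thread and not LXC's or LXD's own code: a small C program that creates a user+mount namespace with unshare(2), maps itself to root inside it (the situation of an unprivileged LXD container), calls mount(2) for rpc_pipefs directly and reports the errno, so the kernel's own answer is visible rather than mount(8)'s wording. The function names and the errno-to-explanation mapping are the example's own; the mapping rests on the author's reading of the kernel's mount path (EPERM for a filesystem type that is not mountable from a non-initial user namespace, EACCES plus an audit line for an AppArmor denial, ENODEV when the type is not available) and is stated here as an assumption, not something the thread verifies.

```c
/* Added example (not from the lxc-users thread, not LXC/LXD code):
 * show why "mount -t rpc_pipefs" fails in an unprivileged container
 * even with no AppArmor denial: the kernel refuses it with EPERM
 * outside the initial user namespace. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was pulled in without _GNU_SOURCE. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
extern int unshare(int flags);

/* 1 if a /proc/<pid>/uid_map line describes the initial user namespace
 * (identity map of the whole uid range), 0 otherwise. */
int uid_map_is_initial(const char *map)
{
    unsigned long inside, outside, count;
    if (sscanf(map, "%lu %lu %lu", &inside, &outside, &count) != 3)
        return 0;
    return inside == 0 && outside == 0 && count == 4294967295UL;
}

/* Assumption (author's reading of the kernel, not verified by the thread):
 * EPERM = kernel's per-filesystem-type user-namespace check;
 * EACCES = LSM (e.g. AppArmor) mount mediation, which also logs a denial;
 * ENODEV = filesystem type not available (module not loaded). */
const char *explain_mount_errno(int err)
{
    switch (err) {
    case 0:      return "allowed";
    case EPERM:  return "refused by kernel: needs CAP_SYS_ADMIN in the initial user namespace";
    case EACCES: return "refused by LSM (e.g. AppArmor); check the audit log";
    case ENODEV: return "filesystem type not available (module not loaded)";
    default:     return strerror(err);
    }
}

/* Try mount(2) of rpc_pipefs on dir; return the errno (0 = success, mount undone). */
int try_mount_rpc_pipefs(const char *dir)
{
    if (mount("sunrpc", dir, "rpc_pipefs", 0, NULL) == 0) {
        umount(dir);
        return 0;
    }
    return errno;
}

/* Map "0 <outer uid> 1" so we are root inside the new namespace, as an
 * unprivileged container is (root inside, unprivileged id outside). */
static int map_self_as_root(uid_t outer_uid, gid_t outer_gid)
{
    char buf[64];
    int fd, n;

    /* setgroups must be denied before an unprivileged process may write gid_map. */
    fd = open("/proc/self/setgroups", O_WRONLY);
    if (fd >= 0) {
        if (write(fd, "deny", 4) != 4) { /* pre-3.19 kernel: ignore */ }
        close(fd);
    }
    n = snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)outer_uid);
    fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0 || write(fd, buf, n) != n) return -1;
    close(fd);
    n = snprintf(buf, sizeof buf, "0 %u 1\n", (unsigned)outer_gid);
    fd = open("/proc/self/gid_map", O_WRONLY);
    if (fd < 0 || write(fd, buf, n) != n) return -1;
    close(fd);
    return 0;
}

int main(void)
{
    char map[128] = "";
    char dir[] = "/tmp/rpc_pipefs_probe.XXXXXX";
    uid_t uid = getuid();
    gid_t gid = getgid();
    int fd = open("/proc/self/uid_map", O_RDONLY);
    if (fd >= 0) {
        ssize_t n = read(fd, map, sizeof map - 1);
        if (n > 0) map[n] = '\0';
        close(fd);
    }
    printf("current user namespace: %s\n",
           uid_map_is_initial(map) ? "initial" : "non-initial");

    if (!mkdtemp(dir)) { perror("mkdtemp"); return 1; }

    /* Same as "mount -t rpc_pipefs sunrpc /mnt" from where we stand. */
    printf("mount from current namespace: %s\n",
           explain_mount_errno(try_mount_rpc_pipefs(dir)));

    /* Same as lxc-usernsexec + lxc-unshare -s MOUNT in the thread. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
        perror("unshare (user namespaces disabled or blocked?)");
    else if (map_self_as_root(uid, gid) != 0)
        perror("uid/gid map");
    else
        printf("mount from new user namespace: %s\n",
               explain_mount_errno(try_mount_rpc_pipefs(dir)));
    rmdir(dir);
    return 0;
}
```

Run it as root on the host and inside the container: on the host the first mount should succeed and the second, made after unshare, should report EPERM, which is the "not in the initial user namespace" refusal and matches the observation that security.privileged: true (which keeps the container in the initial user namespace) makes the mount work while no AppArmor DENIED line ever appears.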