[lxc-users] Using docker *and* nfs in lxd?

Dan Kegel dank at kegel.com
Fri Apr 29 16:09:24 UTC 2016


I'm not really conversant with whether the lxc container was unconfined, but
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1575757 shows what
I did from start to finish:

sudo apt-get install nfs-kernel-server
sudo lxc-create -n nfstest -t download -- -d ubuntu -r xenial -a amd64
Add
  lxc.mount.auto = cgroup
  lxc.aa_profile = lxc-container-default-with-nesting
to the config file
sudo lxc-start -n nfstest
sudo lxc-attach -n nfstest apt-get update
sudo lxc-attach -n nfstest apt-get install nfs-kernel-server   # success!

Does that answer the question?

On Fri, Apr 29, 2016 at 8:58 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
>> Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
>> > Quoting Dan Kegel (dank at kegel.com):
>> > > Hi all,
>> > > I'm trying to virtualize an app that uses both nfs and docker on
>> > > Ubuntu 16.04.  (Yes, the app uses docker.  Sigh.)
>> > >
>> > > The lxc profile lxc-container-default-with-nesting allowed installing
>> > > nfs-kernel-server, but didn't let me install docker.io.
>> > > I figured I was getting into "better use the latest stuff" territory,
>> > > so I switched to lxd.
>> > >
>> > > Following https://www.stgraber.org/2016/04/13/lxd-2-0-docker-in-lxd-712,
>> > > I was able to
>> > > get docker to run inside lxc:
>> > >
>> > >   sudo apt install lxd lxd-client
>> > >   sudo usermod -aG lxd $USER
>> > >   (log out; log in)
>> > >   lxc launch ubuntu:16.04 docker -p default -p docker
>> > >   lxc exec docker -- apt update
>> > >   lxc exec docker -- apt dist-upgrade -u
>> > >   lxc exec docker -- apt install docker.io -y
>> > >   lxc exec docker -- docker run ubuntu /bin/echo 'hello, nesty world!'
>> > >
>> > > Worked great!  But
>> > >   lxc exec docker -- apt install nfs-kernel-server -y
>> > >
>> > > failed; journalctl says:
>> > > nfs-idmapd.service/stat failed with result 'dependency' ...
>> > > ... failed to mount RPC Pipe File System...
>> > > ... Unit run-rpc_pipefs.mount has failed..."
>> > >
>> > > Just as with my earlier lxc problem, I'm sure there's some simple answer that'd
>> > > be obvious if I read the docs, but I can't find any lxd doc that mentions nfs,
>> > > nor am I fluent in AppArmor.  Can I buy a clue?
>> >
>> > My guess is you need to add permission to mount type rpc_pipefs
>> > run-rpc_pipefs.mount, perhaps by adding it to the raw.apparmor
>> > config item using 'lxc config edit docker'
>> >
>>
>> Well this is fascinating.  I can't get an allow rule to work for me,
>> but setting security.privileged: true does work, so it is apparmor
>> preventing the mount.  There is no denied rule in syslog, so it
>> appears to be a silent denial, but I don't know where.
>
> Ah, it's not apparmor.  You're simply not allowed to mount that unless
> you are in the initial usernamespace.  You can reproduce using just
>
> lxc-usernsexec bash
> # lxc-unshare -s "MOUNT|PID"
> ## mount -t rpc_pipefs sunrpc /mnt
>
> Was your lxc (non-lxd) container not unconfined?
>
> -serge
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
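The thread above ends with Serge's point that the rpc_pipefs mount fails not because of AppArmor but because the container is not in the initial user namespace. The following is an added example, not code from the thread or from the LXC/LXD project: it decides from a process's /proc/<pid>/uid_map whether that process is in the initial user namespace (the kernel shows the identity mapping "0 0 4294967295" there), and documents how to reproduce the denial with util-linux unshare instead of lxc-usernsexec/lxc-unshare. The function names and the constructed uid_map samples are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tell an initial-user-namespace
# process from one inside a child user namespace by its uid_map, which is the
# property that decides whether 'mount -t rpc_pipefs' can succeed at all.

# is_initial_uid_map "<uid_map content>"
# Returns 0 if the map is the identity map of the initial user namespace
# (a single line "0 0 4294967295"), 1 for any other mapping, including
# multi-line maps of child namespaces.
is_initial_uid_map() {
    # The kernel pads the three fields with spaces; word-splitting via
    # 'set --' normalises that and counts the fields across all lines.
    set -- $1
    [ "$#" -eq 3 ] && [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# in_initial_userns [pid]
# Returns 0 if the given process (default: the caller) is in the initial
# user namespace. Reads the live procfs file, so this part is not pure.
in_initial_userns() {
    is_initial_uid_map "$(cat "/proc/${1:-self}/uid_map")"
}

# rpc_pipefs_verdict
# Prints why a 'mount -t rpc_pipefs' attempt from this process would fail or
# may succeed. Filesystem types the kernel does not mark as mountable from
# unprivileged user namespaces are rejected with EPERM at mount(2) time,
# before any AppArmor profile is consulted, which is why the thread saw no
# "DENIED" line in syslog.
rpc_pipefs_verdict() {
    if in_initial_userns; then
        echo "initial user namespace: rpc_pipefs mount is possible (still subject to CAP_SYS_ADMIN and AppArmor)"
    else
        echo "child user namespace: rpc_pipefs mount fails with EPERM regardless of AppArmor rules"
    fi
}

# Reproduce Serge's experiment without LXC tools, using util-linux unshare
# (needs a kernel that permits unprivileged user namespaces). The inner mount
# is expected to fail; the command is shown here, not executed on import:
#   unshare --user --map-root-user --mount \
#       sh -c 'mkdir -p /tmp/rpc && mount -t rpc_pipefs sunrpc /tmp/rpc'
#
# What the thread converged on: security.privileged drops the uid mapping, so
# the container runs in the initial user namespace and the mount works, at the
# cost of container root being host uid 0:
#   lxc config set docker security.privileged true

rpc_pipefs_verdict
```

Run it on the host and again inside an unprivileged container (`lxc exec docker -- sh /path/to/check.sh`) to see the two verdicts; the uid_map check is the quickest way to confirm that a silent mount failure is a user-namespace restriction rather than a missing AppArmor allow rule.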