[lxc-users] Using docker *and* nfs in lxd?

Serge Hallyn serge.hallyn at ubuntu.com
Fri Apr 29 17:31:41 UTC 2016


Quoting Dan Kegel (dank at kegel.com):
> I'm not really conversant with whether the lxc container was unconfined, but
> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1575757 shows what
> I did from start to finish:
> 
> sudo apt-get install nfs-kernel-server
> sudo lxc-create -n nfstest -t download -- -d ubuntu -r xenial -a amd64

Yeah, this is not in a user namespace unless you've updated
/etc/lxc/default.conf.  So root in that container is global
root.

> Add
>   lxc.mount.auto = cgroup
>   lxc.aa_profile = lxc-container-default-with-nesting
> to the config file
> sudo lxc-start -n nfstest
> sudo lxc-attach -n nfstest apt-get update
> sudo lxc-attach -n nfstest apt-get install nfs-kernel-server   # success!
> 
> Does that answer the question?

yup.

So my guess is this is an inherent feature of the nfs kernel module,
that it insists the mounter be privileged against the user ns in which
the nfs server is.  The other possibility would be that there's an
overmounted rpc_pipefs somewhere so the kernel doesn't want to let you
unmask that.  But I don't think that is it.

Really, I never recommend nfs exports from a container; as
far as I know there are still plenty of other bugs in that.
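The point above (root in the container is global root unless the container runs in a user namespace) can be checked from inside a container by reading /proc/self/uid_map. The following script is an added example, not from the original thread; the sample map files it writes are constructed for the demonstration, and the 100000/65536 range is only an assumed typical lxc.id_map shift.

```shell
#!/bin/sh
# Added example: decide from a uid_map file whether the process lives in the
# initial user namespace (root there is global root) or in a user namespace
# with a shifted mapping (what an lxc.id_map / default.conf entry gives you).
# Each uid_map line is "<inside-start> <outside-start> <count>"; the initial
# user namespace shows exactly one line: "0 0 4294967295".

# Returns 0 (true) when the map is the identity map of the initial user ns.
uidmap_is_initial_ns() {
    map_file="$1"
    [ "$(grep -c '' "$map_file")" -eq 1 ] || return 1
    read -r inside outside count < "$map_file"
    [ "$inside" = "0" ] && [ "$outside" = "0" ] && [ "$count" = "4294967295" ]
}

# Human-readable report for a running process (defaults to this shell).
report_userns() {
    pid="${1:-self}"
    if uidmap_is_initial_ns "/proc/$pid/uid_map"; then
        echo "pid $pid: initial user namespace, root here is global root"
    else
        echo "pid $pid: inside a user namespace; uid_map:"
        cat "/proc/$pid/uid_map"
    fi
}

# Constructed sample maps so the checks can be exercised offline.
tmpd=$(mktemp -d)
trap 'rm -rf "$tmpd"' EXIT
printf '         0          0 4294967295\n' > "$tmpd/host_map"    # privileged
printf '         0     100000      65536\n' > "$tmpd/unpriv_map"  # shifted

for m in host_map unpriv_map; do
    if uidmap_is_initial_ns "$tmpd/$m"; then
        echo "$m: initial user namespace"
    else
        echo "$m: shifted mapping (user namespace)"
    fi
done

# On a Linux host this reports on the shell running the script itself.
[ -r /proc/self/uid_map ] && report_userns
```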

