[lxc-users] Using docker *and* nfs in lxd?

Dan Kegel dank at kegel.com
Fri Apr 29 17:43:18 UTC 2016


So lxc is a better choice than lxd when you want to export nfs
filesystems from a container,
but the real answer is "don't do that"?

I might be able to split the nfs serving part out of this app, but
it's not a great sign that right out of the gate I'm hitting a leaky
abstraction.

The app also needs good OpenGL, and that's probably the next roadblock
I'll be running into.


On Fri, Apr 29, 2016 at 10:31 AM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> Quoting Dan Kegel (dank at kegel.com):
>> I'm not really conversant with whether the lxc container was unconfined, but
>> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1575757 shows what
>> I did from start to finish:
>>
>> sudo apt-get install nfs-kernel-server
>> sudo lxc-create -n nfstest -t download -- -d ubuntu -r xenial -a amd64
>
> Yeah this is not in a user namespace unless you've updated
> /etc/lxc/default.conf.  So root in that container is global
> root.
>
>> Add
>>   lxc.mount.auto = cgroup
>>   lxc.aa_profile = lxc-container-default-with-nesting
>> to the config file
>> sudo lxc-start -n nfstest
>> sudo lxc-attach -n nfstest apt-get update
>> sudo lxc-attach -n nfstest apt-get install nfs-kernel-server   # success!
>>
>> Does that answer the question?
>
> yup.
>
> So my guess is this is an inherent feature of the nfs kernel module,
> that it insists the mounter be privileged against the user ns in which
> the nfs server is.  The other possibility would be that there's an
> overmounted rpc_pipefs somewhere so the kernel doesn't want to let you
> unmask that.  But I don't think that is it.
>
> Really, I never recommend nfs exports from a container; as
> far as I know there are still plenty of other bugs in that.
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
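
An added example, not code from either poster or from the LXC project: a small POSIX sh script that makes the point in the reply above checkable. It looks at a container config for a uid/gid map (lxc.id_map in the LXC 2.0-era keys the thread uses, lxc.idmap in LXC 3 and later) to decide whether root inside the container is a user-namespace root or global root, and it appends the two config lines from the reproduction without duplicating them. The config contents and the path under mktemp are constructed for the demo; nothing here touches a real container.

```shell
#!/bin/sh
# Added example (not from the thread or the LXC project).
# lxc-create copies /etc/lxc/default.conf into the new container's config, so
# if default.conf carries no id map, neither does the container, and root in
# it is global root. That is the situation in which "apt-get install
# nfs-kernel-server" succeeded in the thread.

# Exit 0 if the config carries a uid/gid map (container root is NOT global
# root), 1 otherwise. Accepts the LXC 2.x key (lxc.id_map) and the LXC 3+
# key (lxc.idmap).
lxc_config_has_idmap() {
    grep -Eq '^[[:space:]]*lxc\.(idmap|id_map)[[:space:]]*=' "$1"
}

# One-line verdict for a config file.
lxc_root_verdict() {
    if lxc_config_has_idmap "$1"; then
        echo "mapped: container root is a user-namespace root"
    else
        echo "unmapped: container root is global root"
    fi
}

# Append the two lines the thread adds for the NFS test, skipping any that
# are already present so the script is safe to run twice.
# (lxc.aa_profile is the LXC 2.x key; LXC 3 renamed it lxc.apparmor.profile.)
lxc_add_nfs_test_lines() {
    cfg="$1"
    for line in 'lxc.mount.auto = cgroup' \
                'lxc.aa_profile = lxc-container-default-with-nesting'; do
        grep -qxF "$line" "$cfg" || printf '%s\n' "$line" >> "$cfg"
    done
}

# Demo on two constructed configs (hypothetical contents, not real files).
demo() {
    d=$(mktemp -d)
    # Constructed: what a download-template container looks like when
    # /etc/lxc/default.conf has no id map.
    printf '%s\n' 'lxc.include = /usr/share/lxc/config/ubuntu.common.conf' \
                  'lxc.rootfs = /var/lib/lxc/nfstest/rootfs' > "$d/nfstest.conf"
    # Constructed: the same container with a map, as an unprivileged
    # setup would carry.
    cp "$d/nfstest.conf" "$d/nfstest-unpriv.conf"
    printf '%s\n' 'lxc.id_map = u 0 100000 65536' \
                  'lxc.id_map = g 0 100000 65536' >> "$d/nfstest-unpriv.conf"
    lxc_add_nfs_test_lines "$d/nfstest.conf"
    for f in "$d/nfstest.conf" "$d/nfstest-unpriv.conf"; do
        echo "$f: $(lxc_root_verdict "$f")"
    done
    rm -rf "$d"
}

demo
```

The config check only tells you what LXC was asked to do. To confirm at runtime, read the uid map from inside the running container: `lxc-attach -n nfstest -- cat /proc/self/uid_map` prints `0 0 4294967295` when the container is in the initial user namespace (global root), and a line such as `0 100000 65536` when it is mapped.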

