[lxc-users] lxc and encfs
Mittelsdorf, Bjoern
Bjoern.Mittelsdorf at scheer-group.com
Tue Feb 23 10:35:45 UTC 2016
Hi all,
hi Serge,
I was not able to create a seccomp config which works as intended.
Admittedly, I found no useful example and tried understanding the parser, which I probably did not :-)
Here is my config:
2
blacklist
[all]
reject_force_unmount
lxc-start --version
1.0.7
The containers are unprivileged.
Best regards
Björn
-----Original Message-----
From: Serge Hallyn [mailto:serge.hallyn at ubuntu.com]
Sent: Friday, 19 February 2016 02:47
To: LXC users mailing-list
Subject: Re: [lxc-users] lxc and encfs
Quoting Mittelsdorf, Bjoern (Bjoern.Mittelsdorf at scheer-group.com):
> Hi all,
>
> I face a problem with encfs encrypted folders mounted into lxc containers.
>
> I have a public encfs folder, which is controlled and provided by the
> host,
> encrypted: /var/lxc-crypt
> public: /var/lxc-data
>
> containing one directory for each container, e.g.:
> /var/lxc-data/xyz
>
> Each container mounts its directory via its config:
>
> lxc.mount.entry = /var/lxc-data/xyz /var/vm/xyz/rootfs/var/encryptedData none bind 0 0
>
> Each time I shutdown one of the containers the host mount point for the unencrypted data goes to waste, dragging the other container mount points down with it:
>
> ls -ltr /var/
> ls: cannot access /var/lxc-data: Transport endpoint is not connected
> total 56
> d????????? ? ? ? ? ? lxc-data
>
> I am aware of the fact that encfs is not the best choice but I would really happily stick with it for the moment.
>
> As you can see, I have no clue what is going on.
Do you have reject_force_umount in your seccomp policy? This is a known bug in fuse, and really all you can do is not allow your containers to force-umount fuse (and therefore sadly, all) filesystems.
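Added example (mine, not code from LXC or from anyone in this thread): a small lint for the version-2 seccomp policy format that catches the kind of slip that does not stop a container from starting, and a check that the container config actually references a policy through lxc.seccomp. The layout it checks is the one lxc.container.conf(5) documents (version line, default-action line, optional reject_force_umount directive, [arch] sections with "syscall [allow|kill|trap|errno n]" rules). The finding texts, the arch-name list, the lenient handling of trailing "# ..." comments, the near-miss spelling check and the two sample policies are my own constructions, and the remark that an unresolvable name produces a warning and no rule reflects my reading of the 1.x parser, not anything stated in this thread.

```python
"""Lint an LXC seccomp policy in the version-2 format before pointing
lxc.seccomp at it.  Added example, not LXC's own code: it only checks the
text of the policy and of the container config, it never loads a filter.

Layout checked, as documented in lxc.container.conf(5):
  line 1   policy version, "2"
  line 2   default action, "blacklist" or "whitelist"
  then     optional "reject_force_umount" directive and "[arch]" sections
           holding "<syscall> [allow|kill|trap|errno <n>]" rules
  "#"      comment lines
The finding messages, ARCHES and the spelling check are this example's own
design (assumptions, not LXC behaviour)."""
import difflib
import re

DIRECTIVES = {"reject_force_umount"}
ACTIONS = {"allow", "kill", "trap", "errno"}
# Arch section names LXC accepts; assumed complete enough for a lint pass.
ARCHES = {"all", "x86", "i386", "x32", "x86_64", "amd64", "arm", "arm64",
          "aarch64", "mips", "mips64", "mips64n32", "mipsel", "mipsel64",
          "mipsel64n32", "ppc", "ppc64", "ppc64le", "s390", "s390x"}
SYSCALL_NAME = re.compile(r"[a-z0-9_]+")


def _meaningful_lines(text):
    """Yield (line_no, text) with comments and blank lines removed."""
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.split("#", 1)[0].strip()  # lenient: allows a trailing '# ...'
        if stripped:
            yield no, stripped


def lint_policy(text):
    """Return a list of (line_no, message); an empty list means nothing looked wrong."""
    findings = []
    body = list(_meaningful_lines(text))
    if not body or body[0][1] != "2":
        return [(body[0][0] if body else 1, "first line must be the policy version, 2")]
    if len(body) < 2 or body[1][1].split()[0] not in ("blacklist", "whitelist"):
        return [(body[1][0] if len(body) > 1 else 2,
                 "second line must be the default action: blacklist or whitelist")]
    in_section = False
    for no, line in body[2:]:
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            if section.group(1).lower() not in ARCHES:
                findings.append((no, f"unknown arch section [{section.group(1)}]"))
            in_section = True
            continue
        tokens = line.split()
        name = tokens[0]
        if name in DIRECTIVES:
            if len(tokens) > 1:
                findings.append((no, f"{name} takes no arguments"))
            if in_section:
                findings.append((no, f"{name} is inside an arch section; the stock LXC "
                                     "template puts it right after the default-action line"))
            continue
        near = difflib.get_close_matches(name, DIRECTIVES, n=1, cutoff=0.85)
        if near:
            findings.append((no, f"'{name}' is not a directive; did you mean '{near[0]}'? "
                                 "(a name LXC cannot resolve yields a warning and no rule)"))
            continue
        # Anything else is "<syscall> [action [errno]]".
        if not SYSCALL_NAME.fullmatch(name):
            findings.append((no, f"'{name}' does not look like a syscall name"))
        if len(tokens) >= 2 and tokens[1] not in ACTIONS:
            findings.append((no, f"unknown action '{tokens[1]}' (allow, kill, trap, errno)"))
        elif len(tokens) >= 2 and tokens[1] == "errno" and not (len(tokens) == 3 and tokens[2].isdigit()):
            findings.append((no, "errno needs one numeric argument, e.g. 'errno 1'"))
        elif len(tokens) > 3 or (len(tokens) == 3 and tokens[1] != "errno"):
            findings.append((no, f"too many fields in rule '{line}'"))
    return findings


def seccomp_path(config_text):
    """Return the value of lxc.seccomp in a container config, or None if the
    file itself sets none (a file pulled in via lxc.include may still set it)."""
    for _, line in _meaningful_lines(config_text):
        key, sep, value = line.partition("=")
        if sep and key.strip() == "lxc.seccomp":
            return value.strip()
    return None


# Constructed sample input: the policy as posted in this thread, and a version
# laid out like LXC's shipped common.seccomp template.
POSTED = "2\nblacklist\n[all]\nreject_force_unmount\n"
CORRECTED = ("2\nblacklist\n"
             "reject_force_umount  # comment this to allow umount -f; not recommended\n"
             "[all]\nkexec_load errno 1\n")

if __name__ == "__main__":
    for label, policy in (("posted", POSTED), ("corrected", CORRECTED)):
        print(f"{label}: {lint_policy(policy) or 'no findings'}")
    print("lxc.seccomp in config:",
          seccomp_path("lxc.mount.entry = /var/lxc-data/xyz var/encryptedData none bind 0 0\n"))
```

Run it with python3 on the policy file and the container's config file. A None from seccomp_path only says that this particular file sets no lxc.seccomp; a file brought in with lxc.include may still do so, so check those as well before concluding that no policy is loaded.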
More information about the lxc-users mailing list