[lxc-users] lxc and encfs

Serge Hallyn serge.hallyn at ubuntu.com
Tue Feb 23 17:14:36 UTC 2016


Quoting Mittelsdorf, Bjoern (Bjoern.Mittelsdorf at scheer-group.com):
> Hi all, 
> hi Serge,
> 
> I was not able to create a seccomp config which works as intended.
> Admittedly I found no useful example and tried understanding the parser which I probably did not :-)

The reject_force_unmount is a special keyword, put it between
blacklist and [all], so

2
blacklist
reject_force_unmount

might work, or at least

2
blacklist
reject_force_unmount
[all]

really so long as you're doing this, filtering out kexec_load,
init_module, finit_module, and open_by_handle_at are worth your
while.

> Here is my config:
> 
> 2
> blacklist
> [all]
> reject_force_unmount
> 
> 
> lxc-start --version
> 1.0.7
> 
> The containers are unprivileged.
> 
> Best regards
> 
> Björn
> 
> -----Original Message-----
> From: Serge Hallyn [mailto:serge.hallyn at ubuntu.com] 
> Sent: Friday, 19 February 2016 02:47
> To: LXC users mailing-list
> Subject: Re: [lxc-users] lxc and encfs
> 
> Quoting Mittelsdorf, Bjoern (Bjoern.Mittelsdorf at scheer-group.com):
> > Hi all,
> > 
> > I face a problem with encfs encrypted folders mounted into lxc containers.
> > 
> > I have a public encfs folder, which is controlled and provided by the 
> > host,
> > encrypted: /var/lxc-crypt
> > public: /var/lxc-data
> > 
> > containing one directory for each container, e.g.:
> > /var/lxc-data/xyz
> > 
> > Each container mounts his directory via its config:
> > 
> > lxc.mount.entry = /var/lxc-data/xyz 
> > /var/vm/xyz/rootfs/var/encryptedData none bind 0 0
> > 
> > Each time I shutdown one of the containers the host mount point for the unencrypted data goes to waste, dragging the other container mount points down with it:
> > 
> > ls -ltr /var/
> > ls: cannot access /var/lxc-data: Transport endpoint is not connected 
> > total 56
> > d?????????  ? ?      ?         ?            ? lxc-data
> > 
> > I am aware of the fact that encfs is not the best choice but I would really happily stick with it for the moment.
> > 
> > As you can see, I have no clue what is going on.
> 
> Do you have reject_force_umount in your seccomp policy?  This is a known bug in fuse, and really all you can do is not allow your containers to force-umount fuse (and therefore sadly, all) filesystems.
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

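An added example, not code from the thread or from LXC: a small Python linter for LXC version-2 seccomp policy files that checks the two points raised above (the keyword must sit between the policy line and the first `[section]`, and a blacklist should also cover kexec_load, init_module, finit_module and open_by_handle_at). It assumes the keyword LXC's parser matches is spelled `reject_force_umount`; the thread uses both spellings, so the linter flags the other one.

```python
# Added example, not LXC code: a linter for LXC version-2 seccomp policy
# files covering the two points raised in this thread.  Assumes the
# keyword LXC matches is spelled "reject_force_umount".

RECOMMENDED = ("kexec_load", "init_module", "finit_module", "open_by_handle_at")
KEYWORD = "reject_force_umount"


def lint_seccomp_v2(text):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != "2":
        return ["first line must be the version number '2'"]
    if len(lines) < 2 or lines[1] not in ("blacklist", "whitelist"):
        return ["second line must be 'blacklist' or 'whitelist'"]
    in_section = False          # set once an "[all]" / "[x86]" header was seen
    keyword_in_header = False
    rules = set()               # syscall names listed as rules
    for ln in lines[2:]:
        if ln.startswith("[") and ln.endswith("]"):
            in_section = True
        elif ln.startswith("reject_force_"):
            if ln != KEYWORD:
                findings.append(f"'{ln}' is not the spelling LXC matches ('{KEYWORD}')")
            if in_section:
                findings.append(f"'{ln}' comes after a [section] header; put it between "
                                f"'{lines[1]}' and the first section")
            else:
                keyword_in_header = True
        else:
            rules.add(ln.split()[0])   # "syscall" or "syscall action ..."
    if not keyword_in_header:
        findings.append("no reject_force_umount in the header: the container can still "
                        "force-umount the FUSE/encfs mount")
    if lines[1] == "blacklist":
        missing = [s for s in RECOMMENDED if s not in rules]
        if missing:
            findings.append("blacklist does not filter: " + ", ".join(missing))
    return findings


# The policy from the thread, and a hardened version of the suggested one.
BJOERN_POLICY = "2\nblacklist\n[all]\nreject_force_unmount\n"
HARDENED_POLICY = "2\nblacklist\nreject_force_umount\n[all]\n" + "\n".join(RECOMMENDED) + "\n"

if __name__ == "__main__":
    for name, pol in (("Bjoern", BJOERN_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_seccomp_v2(pol) or "OK")
```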