[lxc-users] lxc and encfs

Mittelsdorf, Bjoern Bjoern.Mittelsdorf at scheer-group.com
Fri Feb 26 15:19:02 UTC 2016


Hi Serge,

I tried both configurations given at the end of this mail, but to no avail.
See debug log below.
Seccomp fails.

Is LXC version 1.0.7 too old?

Sorry to be bothering :-(

Best regards

Björn

Unprivileged Container Config:

	lxc.mount.entry = /var/lxc-data/backupPROD /var/vm/backupPROD/rootfs/var/encryptedData none bind 0 0
	
	# Distribution configuration
	lxc.include = /usr/share/lxc/config/ubuntu.common.conf
	lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
	lxc.arch = x86_64
	
	# Container specific configuration
	lxc.id_map = u 0 800000 65536
	lxc.id_map = g 0 800000 65536
	lxc.rootfs = /var/vm/backupPROD/rootfs
	lxc.utsname = backupPROD

	# Network configuration
	lxc.network.type = veth
	lxc.network.link = lxcbr0

	# Seccomp configuration (fuse bugfix)
	lxc.seccomp = /etc/lxc/seccomp-default.conf

Debug Log:

      lxc-start 1456498445.086 INFO     lxc_start_ui - lxc_start.c:main:265 - using rcfile /var/vm/backupPROD/config
      lxc-start 1456498445.117 INFO     lxc_confile - confile.c:config_idmap:1325 - read uid map: type u nsid 0 hostid 800000 range 65536
      lxc-start 1456498445.117 INFO     lxc_confile - confile.c:config_idmap:1325 - read uid map: type g nsid 0 hostid 800000 range 65536
      lxc-start 1456498445.117 WARN     lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
      lxc-start 1456498445.118 WARN     lxc_cgmanager - cgmanager.c:cgm_get:954 - do_cgm_get exited with error
      lxc-start 1456498445.119 INFO     lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver nop
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:285 - processing: .reject_force_unmount.
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:358 - Adding non-compat rule for reject_force_unmount action 0
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall: reject_force_unmount
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:369 - Adding compat rule for reject_force_unmount action 0
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:377 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall: reject_force_unmount
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:285 - processing: ..
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:358 - Adding non-compat rule for  action 0
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall: 
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:369 - Adding compat rule for  action 0
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:377 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall: 
      lxc-start 1456498445.128 WARN     lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
      lxc-start 1456498445.128 INFO     lxc_seccomp - seccomp.c:parse_config_v2:390 - Merging in the compat seccomp ctx into the main one
      lxc-start 1456498445.129 DEBUG    lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/0' (5/6)
      lxc-start 1456498445.129 DEBUG    lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/2' (7/8)
      lxc-start 1456498445.129 DEBUG    lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/5' (9/10)
      lxc-start 1456498445.129 DEBUG    lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/6' (11/12)
      lxc-start 1456498445.129 INFO     lxc_conf - conf.c:lxc_create_tty:3678 - tty's configured
      lxc-start 1456498445.129 DEBUG    lxc_start - start.c:setup_signal_fd:247 - sigchild handler set
      lxc-start 1456498445.129 DEBUG    lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
      lxc-start 1456498445.129 DEBUG    lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
      lxc-start 1456498445.129 DEBUG    lxc_console - console.c:lxc_console_sigwinch_init:179 - 3153 got SIGWINCH fd 17
      lxc-start 1456498445.129 DEBUG    lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:14 cols:211 rows:50
      lxc-start 1456498445.428 INFO     lxc_start - start.c:lxc_init:443 - 'backupPROD' is initialized
      lxc-start 1456498445.436 DEBUG    lxc_start - start.c:__lxc_start:1058 - Not dropping cap_sys_boot or watching utmp
      lxc-start 1456498445.436 INFO     lxc_start - start.c:lxc_spawn:802 - Cloning a new user namespace
      lxc-start 1456498445.436 INFO     lxc_cgroup - cgroup.c:cgroup_init:62 - cgroup driver cgmanager initing for backupPROD
      lxc-start 1456498445.617 NOTICE   lxc_start - start.c:do_start:656 - switching to gid/uid 0 in new user namespace
      lxc-start 1456498445.620 DEBUG    lxc_conf - conf.c:setup_rootfs:1613 - mounted '/var/vm/backupPROD/rootfs' on '/usr/lib/x86_64-linux-gnu/lxc'
      lxc-start 1456498445.620 INFO     lxc_conf - conf.c:setup_utsname:900 - 'backupPROD' hostname has been setup
      lxc-start 1456498445.620 DEBUG    lxc_conf - conf.c:setup_netdev:2786 - 'eth0' has been setup
      lxc-start 1456498445.620 INFO     lxc_conf - conf.c:setup_network:2807 - network has been setup
      lxc-start 1456498445.620 DEBUG    lxc_conf - conf.c:check_autodev:3908 - Set exec command to /sbin/init
      lxc-start 1456498445.621 INFO     lxc_conf - conf.c:check_autodev:3946 - Autodev not required.
      lxc-start 1456498445.735 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /var/lxc-data/backupPROD on /usr/lib/x86_64-linux-gnu/lxc//var/encryptedData to respect bind or remount options
      lxc-start 1456498445.736 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /var/lxc-data/backupPROD was 4102, required extra flags are 6
      lxc-start 1456498445.736 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/var/lxc-data/backupPROD' on '/usr/lib/x86_64-linux-gnu/lxc//var/encryptedData', type 'none'
      lxc-start 1456498445.736 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted 'proc' on '/usr/lib/x86_64-linux-gnu/lxc/proc', type 'proc'
      lxc-start 1456498445.746 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted 'sysfs' on '/usr/lib/x86_64-linux-gnu/lxc/sys', type 'sysfs'
      lxc-start 1456498445.746 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /sys/fs/fuse/connections on /usr/lib/x86_64-linux-gnu/lxc/sys/fs/fuse/connections to respect bind or remount options
      lxc-start 1456498445.746 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/fs/fuse/connections was 4096, required extra flags are 0
      lxc-start 1456498445.746 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.746 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/fs/fuse/connections' on '/usr/lib/x86_64-linux-gnu/lxc/sys/fs/fuse/connections', type 'none'
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /sys/kernel/debug on /usr/lib/x86_64-linux-gnu/lxc/sys/kernel/debug to respect bind or remount options
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/kernel/debug was 4096, required extra flags are 0
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/kernel/debug' on '/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/debug', type 'none'
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /sys/kernel/security on /usr/lib/x86_64-linux-gnu/lxc/sys/kernel/security to respect bind or remount options
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/kernel/security was 4096, required extra flags are 0
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/kernel/security' on '/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/security', type 'none'
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /sys/fs/pstore on /usr/lib/x86_64-linux-gnu/lxc/sys/fs/pstore to respect bind or remount options
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/fs/pstore was 4096, required extra flags are 0
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.747 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/fs/pstore' on '/usr/lib/x86_64-linux-gnu/lxc/sys/fs/pstore', type 'none'
      lxc-start 1456498445.810 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
      lxc-start 1456498445.810 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/console was 4096, required extra flags are 0
      lxc-start 1456498445.810 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.810 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console', type 'none'
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /dev/full on /usr/lib/x86_64-linux-gnu/lxc/dev/full to respect bind or remount options
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/full was 4096, required extra flags are 0
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/full' on '/usr/lib/x86_64-linux-gnu/lxc/dev/full', type 'none'
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /dev/null on /usr/lib/x86_64-linux-gnu/lxc/dev/null to respect bind or remount options
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/null was 4096, required extra flags are 0
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/null' on '/usr/lib/x86_64-linux-gnu/lxc/dev/null', type 'none'
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /dev/random on /usr/lib/x86_64-linux-gnu/lxc/dev/random to respect bind or remount options
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/random was 4096, required extra flags are 0
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/random' on '/usr/lib/x86_64-linux-gnu/lxc/dev/random', type 'none'
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /dev/tty on /usr/lib/x86_64-linux-gnu/lxc/dev/tty to respect bind or remount options
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/tty was 4096, required extra flags are 0
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/tty' on '/usr/lib/x86_64-linux-gnu/lxc/dev/tty', type 'none'
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /dev/urandom on /usr/lib/x86_64-linux-gnu/lxc/dev/urandom to respect bind or remount options
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/urandom was 4096, required extra flags are 0
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.811 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/urandom' on '/usr/lib/x86_64-linux-gnu/lxc/dev/urandom', type 'none'
      lxc-start 1456498445.812 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /dev/zero on /usr/lib/x86_64-linux-gnu/lxc/dev/zero to respect bind or remount options
      lxc-start 1456498445.812 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/zero was 4096, required extra flags are 0
      lxc-start 1456498445.812 DEBUG    lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
      lxc-start 1456498445.812 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/zero' on '/usr/lib/x86_64-linux-gnu/lxc/dev/zero', type 'none'
      lxc-start 1456498445.812 ERROR    lxc_utils - utils.c:safe_mount:1434 - No such file or directory - Mount of '/sys/firmware/efi/efivars' onto '/usr/lib/x86_64-linux-gnu/lxc/sys/firmware/efi/efivars' failed
      lxc-start 1456498445.812 INFO     lxc_conf - conf.c:mount_entry:2047 - failed to mount '/sys/firmware/efi/efivars' on '/usr/lib/x86_64-linux-gnu/lxc/sys/firmware/efi/efivars' (optional): No such file or directory
      lxc-start 1456498445.812 DEBUG    lxc_conf - conf.c:mount_entry:2058 - remounting /proc/sys/fs/binfmt_misc on /usr/lib/x86_64-linux-gnu/lxc/proc/sys/fs/binfmt_misc to respect bind or remount options
      lxc-start 1456498445.812 DEBUG    lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /proc/sys/fs/binfmt_misc was 4110, required extra flags are 14
      lxc-start 1456498445.812 DEBUG    lxc_conf - conf.c:mount_entry:2108 - mounted '/proc/sys/fs/binfmt_misc' on '/usr/lib/x86_64-linux-gnu/lxc/proc/sys/fs/binfmt_misc', type 'none'
      lxc-start 1456498445.812 INFO     lxc_conf - conf.c:mount_file_entries:2357 - mount points have been setup

Quoting Serge:

The reject_force_unmount is a special keyword, put it between blacklist and [all], so

2
blacklist
reject_force_unmount

might work, or at least

2
blacklist
reject_force_unmount
[all]

really so long as you're doing this, filtering out kexec_load, init_module, finit_module, and open_by_handle_at are worth your while.
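As an added example (not code from this thread or from LXC), a small checker for seccomp v2 policy files that catches what the debug log above shows: a name the parser cannot resolve only produces a WARN and the container still starts, so every such line is a silent gap in the policy. It assumes a constructed subset of syscall names and the keyword spelling `reject_force_umount` used by the common.seccomp policy shipped with LXC; whether a 1.0.7 parser recognises that keyword at all is not settled by this thread.

```python
import difflib
import re

# Constructed subset of syscall names for this demo; the real LXC parser
# resolves names through libseccomp, which knows the full table.
KNOWN_SYSCALLS = {"kexec_load", "init_module", "finit_module", "delete_module",
                  "open_by_handle_at", "umount2", "mount", "reboot", "ptrace"}
KEYWORDS = {"reject_force_umount"}  # spelling in LXC's shipped common.seccomp
ACTIONS = {"allow", "errno", "kill", "trap"}
SECTION = re.compile(r"^\[[a-z0-9_]+\]$")   # e.g. [all], [x86_64]

def lint_seccomp_v2(text):
    """Return [(line_no, problem), ...] for a seccomp v2 policy file.
    Names the parser cannot resolve are only warned about (the container
    still starts), so each one is a hole in the intended policy."""
    problems, lines, in_section = [], text.splitlines(), False
    if (len(lines) < 2 or lines[0].strip() != "2"
            or lines[1].strip() not in ("blacklist", "whitelist")):
        return [(1, "file must start with '2' then 'blacklist' or 'whitelist'")]
    for no, raw in enumerate(lines[2:], start=3):
        line = raw.split("#", 1)[0].strip()
        if not line:
            if not raw.lstrip().startswith("#"):
                # old parsers hand an empty name to the resolver ("processing: ..")
                problems.append((no, "blank line; may be resolved as an empty syscall name"))
            continue
        if SECTION.match(line):
            in_section = True
            continue
        name, *rest = line.split()
        if name in KEYWORDS:
            if in_section:  # keyword belongs between the policy line and the first [section]
                problems.append((no, f"{name} must come before the first [section] header"))
            continue
        if name not in KNOWN_SYSCALLS:
            hint = difflib.get_close_matches(name, KNOWN_SYSCALLS | KEYWORDS, n=1)
            problems.append((no, f"unresolvable syscall '{name}'"
                             + (f" (did you mean '{hint[0]}'?)" if hint else "")))
        elif rest and rest[0] not in ACTIONS:
            problems.append((no, f"unknown action '{rest[0]}' for {name}"))
    return problems

# Constructed samples: a policy written as the log suggests, and a corrected one.
BROKEN = "2\nblacklist\nreject_force_unmount\n\n[all]\nkexec_load errno 1\n"
FIXED = ("2\nblacklist\nreject_force_umount\n[all]\nkexec_load errno 1\n"
         "init_module errno 1\nfinit_module errno 1\nopen_by_handle_at errno 1\n")

if __name__ == "__main__":
    for no, problem in lint_seccomp_v2(BROKEN):
        print(f"line {no}: {problem}")
    print("problems in fixed policy:", lint_seccomp_v2(FIXED))
```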



More information about the lxc-users mailing list