[lxc-users] lxc and encfs
Mittelsdorf, Bjoern
Bjoern.Mittelsdorf at scheer-group.com
Fri Feb 26 15:19:02 UTC 2016
Hi Serge,
I tried both configurations given at the end of this mail, but to no avail.
See debug log below.
Seccomp fails.
Is LXC version 1.0.7 too old?
Sorry to be bothering you :-(
Best regards
Björn
Unprivileged Container Config:
lxc.mount.entry = /var/lxc-data/backupPROD /var/vm/backupPROD/rootfs/var/encryptedData none bind 0 0
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.id_map = u 0 800000 65536
lxc.id_map = g 0 800000 65536
lxc.rootfs = /var/vm/backupPROD/rootfs
lxc.utsname = backupPROD
# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
# Seccomp configuration (fuse bugfix)
lxc.seccomp = /etc/lxc/seccomp-default.conf
Debug Log:
lxc-start 1456498445.086 INFO lxc_start_ui - lxc_start.c:main:265 - using rcfile /var/vm/backupPROD/config
lxc-start 1456498445.117 INFO lxc_confile - confile.c:config_idmap:1325 - read uid map: type u nsid 0 hostid 800000 range 65536
lxc-start 1456498445.117 INFO lxc_confile - confile.c:config_idmap:1325 - read uid map: type g nsid 0 hostid 800000 range 65536
lxc-start 1456498445.117 WARN lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized
lxc-start 1456498445.118 WARN lxc_cgmanager - cgmanager.c:cgm_get:954 - do_cgm_get exited with error
lxc-start 1456498445.119 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver nop
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:285 - processing: .reject_force_unmount.
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:358 - Adding non-compat rule for reject_force_unmount action 0
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall: reject_force_unmount
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:369 - Adding compat rule for reject_force_unmount action 0
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:377 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall: reject_force_unmount
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:285 - processing: ..
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:358 - Adding non-compat rule for action 0
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall:
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:369 - Adding compat rule for action 0
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:377 - Adding non-compat rule bc nr1 == nr2 (-1, -1)
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:191 - Seccomp: failed to resolve syscall:
lxc-start 1456498445.128 WARN lxc_seccomp - seccomp.c:do_resolve_add_rule:192 - This syscall will NOT be blacklisted
lxc-start 1456498445.128 INFO lxc_seccomp - seccomp.c:parse_config_v2:390 - Merging in the compat seccomp ctx into the main one
lxc-start 1456498445.129 DEBUG lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/0' (5/6)
lxc-start 1456498445.129 DEBUG lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/2' (7/8)
lxc-start 1456498445.129 DEBUG lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/5' (9/10)
lxc-start 1456498445.129 DEBUG lxc_conf - conf.c:lxc_create_tty:3667 - allocated pty '/dev/pts/6' (11/12)
lxc-start 1456498445.129 INFO lxc_conf - conf.c:lxc_create_tty:3678 - tty's configured
lxc-start 1456498445.129 DEBUG lxc_start - start.c:setup_signal_fd:247 - sigchild handler set
lxc-start 1456498445.129 DEBUG lxc_console - console.c:lxc_console_peer_default:500 - opening /dev/tty for console peer
lxc-start 1456498445.129 DEBUG lxc_console - console.c:lxc_console_peer_default:506 - using '/dev/tty' as console
lxc-start 1456498445.129 DEBUG lxc_console - console.c:lxc_console_sigwinch_init:179 - 3153 got SIGWINCH fd 17
lxc-start 1456498445.129 DEBUG lxc_console - console.c:lxc_console_winsz:88 - set winsz dstfd:14 cols:211 rows:50
lxc-start 1456498445.428 INFO lxc_start - start.c:lxc_init:443 - 'backupPROD' is initialized
lxc-start 1456498445.436 DEBUG lxc_start - start.c:__lxc_start:1058 - Not dropping cap_sys_boot or watching utmp
lxc-start 1456498445.436 INFO lxc_start - start.c:lxc_spawn:802 - Cloning a new user namespace
lxc-start 1456498445.436 INFO lxc_cgroup - cgroup.c:cgroup_init:62 - cgroup driver cgmanager initing for backupPROD
lxc-start 1456498445.617 NOTICE lxc_start - start.c:do_start:656 - switching to gid/uid 0 in new user namespace
lxc-start 1456498445.620 DEBUG lxc_conf - conf.c:setup_rootfs:1613 - mounted '/var/vm/backupPROD/rootfs' on '/usr/lib/x86_64-linux-gnu/lxc'
lxc-start 1456498445.620 INFO lxc_conf - conf.c:setup_utsname:900 - 'backupPROD' hostname has been setup
lxc-start 1456498445.620 DEBUG lxc_conf - conf.c:setup_netdev:2786 - 'eth0' has been setup
lxc-start 1456498445.620 INFO lxc_conf - conf.c:setup_network:2807 - network has been setup
lxc-start 1456498445.620 DEBUG lxc_conf - conf.c:check_autodev:3908 - Set exec command to /sbin/init
lxc-start 1456498445.621 INFO lxc_conf - conf.c:check_autodev:3946 - Autodev not required.
lxc-start 1456498445.735 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /var/lxc-data/backupPROD on /usr/lib/x86_64-linux-gnu/lxc//var/encryptedData to respect bind or remount options
lxc-start 1456498445.736 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /var/lxc-data/backupPROD was 4102, required extra flags are 6
lxc-start 1456498445.736 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/var/lxc-data/backupPROD' on '/usr/lib/x86_64-linux-gnu/lxc//var/encryptedData', type 'none'
lxc-start 1456498445.736 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted 'proc' on '/usr/lib/x86_64-linux-gnu/lxc/proc', type 'proc'
lxc-start 1456498445.746 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted 'sysfs' on '/usr/lib/x86_64-linux-gnu/lxc/sys', type 'sysfs'
lxc-start 1456498445.746 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /sys/fs/fuse/connections on /usr/lib/x86_64-linux-gnu/lxc/sys/fs/fuse/connections to respect bind or remount options
lxc-start 1456498445.746 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/fs/fuse/connections was 4096, required extra flags are 0
lxc-start 1456498445.746 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.746 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/fs/fuse/connections' on '/usr/lib/x86_64-linux-gnu/lxc/sys/fs/fuse/connections', type 'none'
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /sys/kernel/debug on /usr/lib/x86_64-linux-gnu/lxc/sys/kernel/debug to respect bind or remount options
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/kernel/debug was 4096, required extra flags are 0
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/kernel/debug' on '/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/debug', type 'none'
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /sys/kernel/security on /usr/lib/x86_64-linux-gnu/lxc/sys/kernel/security to respect bind or remount options
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/kernel/security was 4096, required extra flags are 0
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/kernel/security' on '/usr/lib/x86_64-linux-gnu/lxc/sys/kernel/security', type 'none'
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /sys/fs/pstore on /usr/lib/x86_64-linux-gnu/lxc/sys/fs/pstore to respect bind or remount options
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /sys/fs/pstore was 4096, required extra flags are 0
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.747 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/sys/fs/pstore' on '/usr/lib/x86_64-linux-gnu/lxc/sys/fs/pstore', type 'none'
lxc-start 1456498445.810 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /dev/console on /usr/lib/x86_64-linux-gnu/lxc/dev/console to respect bind or remount options
lxc-start 1456498445.810 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/console was 4096, required extra flags are 0
lxc-start 1456498445.810 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.810 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/console' on '/usr/lib/x86_64-linux-gnu/lxc/dev/console', type 'none'
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /dev/full on /usr/lib/x86_64-linux-gnu/lxc/dev/full to respect bind or remount options
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/full was 4096, required extra flags are 0
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/full' on '/usr/lib/x86_64-linux-gnu/lxc/dev/full', type 'none'
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /dev/null on /usr/lib/x86_64-linux-gnu/lxc/dev/null to respect bind or remount options
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/null was 4096, required extra flags are 0
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/null' on '/usr/lib/x86_64-linux-gnu/lxc/dev/null', type 'none'
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /dev/random on /usr/lib/x86_64-linux-gnu/lxc/dev/random to respect bind or remount options
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/random was 4096, required extra flags are 0
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/random' on '/usr/lib/x86_64-linux-gnu/lxc/dev/random', type 'none'
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /dev/tty on /usr/lib/x86_64-linux-gnu/lxc/dev/tty to respect bind or remount options
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/tty was 4096, required extra flags are 0
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/tty' on '/usr/lib/x86_64-linux-gnu/lxc/dev/tty', type 'none'
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /dev/urandom on /usr/lib/x86_64-linux-gnu/lxc/dev/urandom to respect bind or remount options
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/urandom was 4096, required extra flags are 0
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.811 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/urandom' on '/usr/lib/x86_64-linux-gnu/lxc/dev/urandom', type 'none'
lxc-start 1456498445.812 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /dev/zero on /usr/lib/x86_64-linux-gnu/lxc/dev/zero to respect bind or remount options
lxc-start 1456498445.812 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /dev/zero was 4096, required extra flags are 0
lxc-start 1456498445.812 DEBUG lxc_conf - conf.c:mount_entry:2082 - mountflags already was 4096, skipping remount
lxc-start 1456498445.812 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/dev/zero' on '/usr/lib/x86_64-linux-gnu/lxc/dev/zero', type 'none'
lxc-start 1456498445.812 ERROR lxc_utils - utils.c:safe_mount:1434 - No such file or directory - Mount of '/sys/firmware/efi/efivars' onto '/usr/lib/x86_64-linux-gnu/lxc/sys/firmware/efi/efivars' failed
lxc-start 1456498445.812 INFO lxc_conf - conf.c:mount_entry:2047 - failed to mount '/sys/firmware/efi/efivars' on '/usr/lib/x86_64-linux-gnu/lxc/sys/firmware/efi/efivars' (optional): No such file or directory
lxc-start 1456498445.812 DEBUG lxc_conf - conf.c:mount_entry:2058 - remounting /proc/sys/fs/binfmt_misc on /usr/lib/x86_64-linux-gnu/lxc/proc/sys/fs/binfmt_misc to respect bind or remount options
lxc-start 1456498445.812 DEBUG lxc_conf - conf.c:mount_entry:2073 - (at remount) flags for /proc/sys/fs/binfmt_misc was 4110, required extra flags are 14
lxc-start 1456498445.812 DEBUG lxc_conf - conf.c:mount_entry:2108 - mounted '/proc/sys/fs/binfmt_misc' on '/usr/lib/x86_64-linux-gnu/lxc/proc/sys/fs/binfmt_misc', type 'none'
lxc-start 1456498445.812 INFO lxc_conf - conf.c:mount_file_entries:2357 - mount points have been setup
Quoting Serge:
The reject_force_unmount is a special keyword, put it between blacklist and [all], so
2
blacklist
reject_force_unmount
might work, or at least
2
blacklist
reject_force_unmount
[all]
really so long as you're doing this, filtering out kexec_load, init_module, finit_module, and open_by_handle_at are worth your while.
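As an added example, not part of the original thread and not LXC's own parser: a small Python lint for the seccomp v2 policy format Serge describes. It reads the version line, the default policy (blacklist or whitelist), the special keyword and the per-arch syscall lines, resolves syscall names against a constructed subset of the x86_64 syscall table (an assumption for offline use; a real check would ask the host's libseccomp), and reports unresolved names the way lxc-start's log does, because such a rule is silently dropped rather than enforced. Passing an empty keyword set models what the posted debug log shows: a build whose parser does not know reject_force_unmount treats it as a syscall name, fails to resolve it, and the rule never lands. The lint also reports which of the four syscalls Serge names are missing from a blacklist. SUGGESTED_POLICY is his second fragment plus those four syscalls with an errno action; the resolution table and policy text are constructed here.

```python
"""Lint an LXC seccomp v2 policy file (added example; not LXC's parser)."""
import re

# Constructed subset of the x86_64 syscall table, enough to run offline.
# A real validator would resolve names through libseccomp on the host.
KNOWN_SYSCALLS = {
    "read", "write", "open", "close", "mount", "umount2", "ptrace", "reboot",
    "kexec_load", "init_module", "finit_module", "delete_module",
    "open_by_handle_at", "unshare", "setns",
}

# Syscalls Serge suggests blacklisting for an unprivileged container.
RECOMMENDED_BLACKLIST = {"kexec_load", "init_module", "finit_module", "open_by_handle_at"}

# Special keyword: LXC turns it into a rule that rejects umount2() with MNT_FORCE.
V2_KEYWORDS = {"reject_force_unmount"}

# Actions a rule line may carry after the syscall name ("errno N" is matched separately).
ACTIONS = {"kill", "trap", "allow"}

# Serge's second fragment plus the four syscalls he names (constructed input).
SUGGESTED_POLICY = """\
2
blacklist
reject_force_unmount
[all]
kexec_load errno 1
init_module errno 1
finit_module errno 1
open_by_handle_at errno 1
"""


class PolicyError(ValueError):
    """Raised when the file is not a well-formed v2 policy."""


def parse_policy(text, supported_keywords=frozenset(V2_KEYWORDS)):
    """Return {'default': 'blacklist'|'whitelist', 'keywords': set, 'rules': {arch: [(name, action)]}}.

    A keyword the parser does not support (pass supported_keywords=set() to
    model such a build) falls through and is treated as a syscall name, which
    is what the posted debug log shows for reject_force_unmount.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if not lines or lines[0] != "2":
        raise PolicyError("first line must be the version number 2")
    if len(lines) < 2 or lines[1] not in ("blacklist", "whitelist"):
        raise PolicyError("second line must be 'blacklist' or 'whitelist'")
    policy = {"default": lines[1], "keywords": set(), "rules": {}}
    arch = "all"  # rules before any [arch] header apply to every arch
    for line in lines[2:]:
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            arch = section.group(1)
            continue
        if line in supported_keywords:
            policy["keywords"].add(line)
            continue
        parts = line.split(None, 1)
        name, action = parts[0], (parts[1].strip() if len(parts) > 1 else None)
        if action and action not in ACTIONS and not re.fullmatch(r"errno \d+", action):
            raise PolicyError(f"bad action {action!r} for {name}")
        policy["rules"].setdefault(arch, []).append((name, action))
    return policy


def lint_policy(text, supported_keywords=frozenset(V2_KEYWORDS)):
    """Parse and return (policy, warnings).

    An unresolved name is reported the way lxc-start reports it, since the
    rule for it is dropped and the container runs without that restriction.
    """
    policy = parse_policy(text, supported_keywords)
    warnings = []
    for arch, rules in policy["rules"].items():
        for name, _ in rules:
            if name not in KNOWN_SYSCALLS:
                warnings.append(f"[{arch}] failed to resolve syscall: {name}; "
                                f"it will NOT be {policy['default']}ed")
    if policy["default"] == "blacklist":
        listed = {n for rules in policy["rules"].values() for n, _ in rules}
        for name in sorted(RECOMMENDED_BLACKLIST - listed):
            warnings.append(f"recommended syscall not blacklisted: {name}")
    return policy, warnings


if __name__ == "__main__":
    for label, keywords in (("keyword supported", V2_KEYWORDS), ("keyword unknown", set())):
        _, warns = lint_policy(SUGGESTED_POLICY, keywords)
        print(f"{label}: {len(warns)} warning(s)")
        for w in warns:
            print("  " + w)
```

Run it against the seccomp file referenced by lxc.seccomp before starting the container; a lint warning here corresponds to a "This syscall will NOT be blacklisted" line in the debug log, i.e. a rule the kernel never sees.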