[lxc-users] [lxd] autofs

Rémy Dernat remy.d1 at gmail.com
Mon Jul 4 10:20:30 UTC 2016


Ok, I will answer myself: my container was not running privileged.

It is now working fine in a privileged container.

However, I am quite interested in doing such a thing in an unprivileged
container. I tried:

(my profile is 'vlan' because I also need some NAT stuff).

echo Y | sudo tee /sys/module/fuse/parameters/userns_mounts
echo Y | sudo tee /sys/module/ext4/parameters/userns_mounts
lxc profile set vlan raw.lxc lxc.aa_profile=unconfined
lxc profile device add vlan autofs unix-char path=/dev/autofs
lxc profile device add vlan fuse unix-char path=/dev/fuse
lxc profile device add vlan loop0 unix-block path=/dev/loop0
lxc profile apply my-container vlan
lxc restart my-container


My apparmor profile from the host is:

cat /etc/apparmor.d/lxc/lxc-default-with-mounting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=rpc_pipefs,
  mount fstype=autofs,
  mount fstype=btrfs,
  mount options=(rw, bind),
}


Although I think this is not needed as I already wrote:
lxc profile set vlan raw.lxc lxc.aa_profile=unconfined

I restarted both lxd and apparmor without success.

It seems that the only way to do it is a nested container or a privileged
one.

Cheers,

Rémy
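Added here as an editor's example (not part of the thread or of LXD): a small Python helper that parses the `mount` rules of an AppArmor profile like the one above, reports which filesystem types it permits, and lists rules that are limited only by options. The profile texts are constructed copies of the two versions quoted in this thread, and the matching is a simplified approximation of AppArmor's fstype globbing, not the kernel's own logic.

```python
import re
from fnmatch import fnmatch

# Constructed copies of the two profile versions quoted in the thread:
# the stock one, and the one with nfs/nfs4/rpc_pipefs/autofs rules added.
STOCK_PROFILE = """profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}
"""
EXTENDED_PROFILE = STOCK_PROFILE.replace(
    "  mount fstype=btrfs,\n",
    "  mount fstype=nfs,\n  mount fstype=nfs4,\n  mount fstype=rpc_pipefs,\n"
    "  mount fstype=autofs,\n  mount fstype=btrfs,\n  mount options=(rw, bind),\n",
)

def parse_mount_rules(profile_text):
    """One dict per `mount ...,` rule; fstypes None means no fstype constraint."""
    rules = []
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and #include lines
        if not line.startswith("mount"):
            continue
        body = line[len("mount"):].strip().rstrip(",")
        rule = {"fstypes": None, "options": None}
        m = re.search(r"fstype=(?:\(([^)]*)\)|(\S+))", body)
        if m:  # accept both `fstype=ext*` and the set form `fstype=(ext4 xfs)`
            raw_types = m.group(1) if m.group(1) is not None else m.group(2)
            rule["fstypes"] = tuple(t for t in re.split(r"[\s,]+", raw_types) if t)
        m = re.search(r"options=\(([^)]*)\)", body)
        if m:
            rule["options"] = tuple(o.strip() for o in m.group(1).split(","))
        rules.append(rule)
    return rules

def fstype_permitted(rules, fstype):
    """Simplified AppArmor matching (assumption): permitted if some rule's fstype
    glob matches. Rules without fstype are left out; they are limited by options."""
    return any(r["fstypes"] and any(fnmatch(fstype, g) for g in r["fstypes"])
               for r in rules)

def rules_without_fstype(rules):
    """Rules such as `mount options=(rw, bind),` that are not tied to any
    filesystem type; these deserve a second look when widening a profile."""
    return [r for r in rules if r["fstypes"] is None]
```

Running it on the two constructed profiles shows that the stock profile permits ext4 but neither nfs nor autofs, while the extended one permits both and also carries one fstype-less bind rule.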

2016-07-04 10:28 GMT+02:00 Rémy Dernat <remy.d1 at gmail.com>:

> Hi Tycho,
>
> It is launched from root, so I supposed that my container is
> privileged. Here is the content of my
> "/etc/apparmor.d/lxc/lxc-default-with-mounting" :
>
>
>
>     # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
>     # will source all profiles under /etc/apparmor.d/lxc
>
>     profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
>       #include <abstractions/lxc/container-base>
>
>     # allow standard blockdevtypes.
>     # The concern here is in-kernel superblock parsers bringing down the
>     # host with bad data.  However, we continue to disallow proc, sys, securityfs,
>     # etc to nonstandard locations.
>       mount fstype=ext*,
>       mount fstype=xfs,
>       mount fstype=btrfs,
>     }
>
>
> I tried to add "mount fstype=nfs,", then restart my lxd service and my
> container, but that did not change anything.
>
> In fact, I am not able to mount any nfs share:
>
>
> mount -t nfs nas-0-2:/export/bio /tmp/bio
> mount.nfs: access denied by server while mounting nas-0-2:/export/bio
>
>
> Although nas-0-2 allows mounts from my client IP.
>
>
> :(
>
>
>
>
> 2016-07-01 21:57 GMT+02:00 Tycho Andersen <tycho.andersen at canonical.com>:
>
>> On Fri, Jul 01, 2016 at 04:15:57PM +0200, Rémy Dernat wrote:
>> > Hi,
>> >
>> > I tried to install basically autofs in the container and mount directories
>> > with automount, but as a newbie, everything failed ;)
>> >
>> > automount -f --debug
>> > automount: test mount forbidden or incorrect kernel protocol version,
>> > kernel protocol version 5.00 or above required.
>> >
>> > I know that in OpenVZ, you need to mount the filesystem on the host and
>> > then use simfs on the container through a container "mount" file.
>> > Then, I saw problems with LXC here:
>> > http://comments.gmane.org/gmane.linux.kernel.containers.lxc.general/894
>> > And after reading https://github.com/lxc/lxd/issues/714 , I tried:
>> >
>> > lxc config device add my-container autofs unix-char path=/dev/autofs
>> >
>> > Now on container side:
>> > #ls -l /dev/autofs
>> > crw-rw---- 1 root root 10, 235 Jul  1 14:06 /dev/autofs
>> >
>> >
>> > However, the issue is still here:
>> > automount -f --debug
>> > automount: test mount forbidden or incorrect kernel protocol version,
>> > kernel protocol version 5.00 or above required.
>> >
>> > "autofs4" module is loaded in the kernel.
>> >
>> > I tried to remove/purge autofs and switch to autofs5 package and I have
>> > also the same error.
>>
>> Is the container privileged? Are you in an apparmor mode which allows
>> mounts? I don't think unprivileged mounting of autofs is allowed, and
>> our apparmor profiles by default disallow most kinds of mounts.
>>
>> > The container, like the host, is Ubuntu 16.04.
>> >
>> > Any help would be useful!
>> >
>> > Best regards,
>> > Remy
>>
>> > _______________________________________________
>> > lxc-users mailing list
>> > lxc-users at lists.linuxcontainers.org
>> > http://lists.linuxcontainers.org/listinfo/lxc-users
>>