[lxc-users] [lxd] autofs

Tycho Andersen tycho.andersen at canonical.com
Mon Jul 4 18:07:42 UTC 2016


On Mon, Jul 04, 2016 at 12:20:30PM +0200, Rémy Dernat wrote:
> Ok, I will answer to myself, my container was not running privileged.
> 
> It is now working fine in privileged container.
> 
> However, I am quite interested in doing such a thing in an unprivileged
> container. I tried:
> 
> (my profile is 'vlan' because I also need some NAT stuff).
> 
> echo Y | sudo tee /sys/module/fuse/parameters/userns_mounts
> echo Y | sudo tee /sys/module/ext4/parameters/userns_mounts
> lxc profile set vlan raw.lxc lxc.aa_profile=unconfined
> lxc profile device add vlan autofs unix-char path=/dev/autofs
> lxc profile device add vlan fuse unix-char path=/dev/fuse
> lxc profile device add vlan loop0 unix-block path=/dev/loop0
> lxc profile apply my-container vlan
> lxc restart my-container
> 
> 
> My apparmor from host is:
> 
> cat /etc/apparmor.d/lxc/lxc-default-with-mounting
> # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
> 
> profile lxc-container-default-with-mounting
> flags=(attach_disconnected,mediate_deleted) {
>   #include <abstractions/lxc/container-base>
> 
> # allow standard blockdevtypes.
> # The concern here is in-kernel superblock parsers bringing down the
> # host with bad data.  However, we continue to disallow proc, sys, securityfs,
> # etc to nonstandard locations.
>   mount fstype=ext*,
>   mount fstype=xfs,
>   mount fstype=nfs,
>   mount fstype=nfs4,
>   mount fstype=rpc_pipefs,
>   mount fstype=autofs,
>   mount fstype=btrfs,
>   mount options=(rw, bind),
> }
> 
> 
> Although I think this is not needed as I already wrote:
> lxc profile set vlan raw.lxc lxc.aa_profile=unconfined
> 
> I restarted both lxd and apparmor without success.
> 
> It seems that the only way to do it is a nested container or a privileged one.

The kernel refuses to let non-root mount a large majority of
filesystems; ext4 and the proc filesystems and such are special
exceptions, not the rule.

> Cheers,
> 
> Rémy
> 
> 2016-07-04 10:28 GMT+02:00 Rémy Dernat <remy.d1 at gmail.com>:
> 
> > Hi Tycho,
> >
> > It is launched from root, so I supposed that my container is
> > privileged. Here is the content of my
> > "/etc/apparmor.d/lxc/lxc-default-with-mounting":
> >
> >
> >
> >     # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> >     # will source all profiles under /etc/apparmor.d/lxc
> >
> >     profile lxc-container-default-with-mounting
> > flags=(attach_disconnected,mediate_deleted) {
> >       #include <abstractions/lxc/container-base>
> >
> >     # allow standard blockdevtypes.
> >     # The concern here is in-kernel superblock parsers bringing down the
> >     # host with bad data.  However, we continue to disallow proc, sys, securityfs,
> >     # etc to nonstandard locations.
> >       mount fstype=ext*,
> >       mount fstype=xfs,
> >       mount fstype=btrfs,
> >     }
> >
> >
> > I tried to add "mount fstype=nfs,", then restart my lxd service and my
> > container, but that did not change anything.
> >
> > In fact, I am not able to mount any NFS share:
> >
> >
> > mount -t nfs nas-0-2:/export/bio /tmp/bio
> > mount.nfs: access denied by server while mounting nas-0-2:/export/bio
> >
> >
> > Although nas-0-2 allows mounts from my client IP.
> >
> >
> > :(
> >
> >
> >
> >
> > 2016-07-01 21:57 GMT+02:00 Tycho Andersen <tycho.andersen at canonical.com>:
> >
> >> On Fri, Jul 01, 2016 at 04:15:57PM +0200, Rémy Dernat wrote:
> >> > Hi,
> >> >
> >> > I tried to install basically autofs in the container and mount directories
> >> > with automount, but as a newbie, everything failed ;)
> >> >
> >> > automount -f --debug
> >> > automount: test mount forbidden or incorrect kernel protocol version,
> >> > kernel protocol version 5.00 or above required.
> >> >
> >> > I know that in OpenVZ, you need to mount the filesystem on the host and
> >> > then use simfs on the container through a container "mount" file.
> >> > Then, I saw problems with LXC here:
> >> > http://comments.gmane.org/gmane.linux.kernel.containers.lxc.general/894
> >> > And after reading https://github.com/lxc/lxd/issues/714 , I tried:
> >> >
> >> > lxc config device add my-container autofs unix-char path=/dev/autofs
> >> >
> >> > Now on container side:
> >> > #ls -l /dev/autofs
> >> > crw-rw---- 1 root root 10, 235 Jul  1 14:06 /dev/autofs
> >> >
> >> >
> >> > However, the issue is still here:
> >> > automount -f --debug
> >> > automount: test mount forbidden or incorrect kernel protocol version,
> >> > kernel protocol version 5.00 or above required.
> >> >
> >> > "autofs4" module is loaded in the kernel.
> >> >
> >> > I tried to remove/purge autofs and switch to autofs5 package and I have
> >> > also the same error.
> >>
> >> Is the container privileged? Are you in an apparmor mode which allows
> >> mounts? I don't think unprivileged mounting of autofs is allowed, and
> >> our apparmor profiles by default disallow most kinds of mounts.
> >>
> >> > The container, like the host, is Ubuntu 16.04.
> >> >
> >> > Any help would be useful!
> >> >
> >> > Best regards,
> >> > Remy
> >>
> >> > _______________________________________________
> >> > lxc-users mailing list
> >> > lxc-users at lists.linuxcontainers.org
> >> > http://lists.linuxcontainers.org/listinfo/lxc-users
> >>
> >
> >
> >

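The three facts this thread turns on (is the container privileged, is AppArmor confining it, and does the Ubuntu kernel's userns_mounts parameter permit the filesystem type) can be checked before touching profiles. The helper below is an added example, not code from the thread or from LXD; the uid_map and attr/current strings it is fed are constructed samples, and the short list of userns-mountable types is illustrative, not exhaustive.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Inputs are the contents of
# /proc/self/uid_map, /proc/self/attr/current and, for modules that carry
# the Ubuntu-specific parameter, /sys/module/<mod>/parameters/userns_mounts.

# "privileged" only for the identity map of the initial user namespace.
classify_uid_map() {
    first=$(printf '%s\n' "$1" | head -n 1)
    set -- $first
    if [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]; then
        echo privileged
    else
        echo unprivileged
    fi
}

# Reduce an AppArmor label such as "lxd-c1_</var/lib/lxd> (enforce)" to a mode.
aa_state() {
    case "$1" in
        unconfined*)    echo unconfined ;;
        *"(enforce)"*)  echo enforce ;;
        *"(complain)"*) echo complain ;;
        *)              echo unknown ;;
    esac
}

# Explain whether a mount of fstype $3 can work.
#   $1 uid_map text, $2 attr/current text, $3 fstype,
#   $4 value of the module's userns_mounts parameter (Y, N or absent)
mount_verdict() {
    priv=$(classify_uid_map "$1")
    aa=$(aa_state "$2")
    if [ "$priv" = unprivileged ]; then
        case "$3" in
            proc|sysfs|tmpfs) kern="allowed: $3 is userns-mountable" ;;  # examples only
            ext4|fuse)
                if [ "$4" = Y ]; then kern="allowed: $3 userns_mounts=Y"
                else kern="refused: $3 needs userns_mounts=Y"; fi ;;
            *) kern="refused: kernel denies $3 mounts outside the initial user namespace" ;;
        esac
    else
        kern="allowed: privileged container"
    fi
    case "$kern" in refused*) echo "$kern"; return 0 ;; esac
    if [ "$aa" = enforce ]; then
        echo "$kern; AppArmor enforce: profile must contain 'mount fstype=$3,'"
    else
        echo "$kern; AppArmor $aa"
    fi
}

# The thread's situation: unprivileged, unconfined, trying autofs (constructed map).
mount_verdict "0 100000 65536" "unconfined" autofs absent
```

Inside a real container, feed it the live values: `mount_verdict "$(cat /proc/self/uid_map)" "$(cat /proc/self/attr/current)" fuse "$(cat /sys/module/fuse/parameters/userns_mounts 2>/dev/null || echo absent)"`.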
