[lxc-users] How to spawn an unprivileged LXC container with squashfs rootfs ?

Yasoda Padala padala.yasoda at gmail.com
Fri Aug 17 03:08:50 UTC 2018 

Hi All,
I want to spawn an unprivileged LXC container with container rootfs as
squashfs filetype.
(goal is to have container rootfs as compressed and read-only)

1. Created a squashfs file out of container's rootfs using the below
command:
*mksquashfs rootfs rootfs.squashfs*
 2. Changed the rootfs path in the container config to refer to this newly
created rootfs.squashfs file
please find attached container config file

LXC is giving the below error while starting the unprivileged container

lxc-start 20180817025351.739 ERROR    lxc_conf - conf.c:setup_rootfs:1220 -
Failed to mount rootfs
"/home/oxpd/.local/share/lxc/spawn_squashfs_rootfs/rootfs.squashfs" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".

      lxc-start 20180817025351.739 ERROR    lxc_conf -
conf.c:do_rootfs_setup:3899 - failed to setup rootfs for
'spawn_squashfs_rootfs'

      lxc-start 20180817025351.739 ERROR    lxc_conf -
conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn

      lxc-start 20180817025351.739 ERROR    lxc_start -
start.c:do_start:811 - Failed to setup container "spawn_squashfs_rootfs".

      lxc-start 20180817025351.739 ERROR    lxc_sync -
sync.c:__sync_wait:57 - An error occurred in another process (expected
sequence number 3)

      lxc-start 20180817025351.739 ERROR    lxc_start -
start.c:__lxc_start:1358 - Failed to spawn container
"spawn_squashfs_rootfs".

      lxc-start 20180817025356.796 ERROR    lxc_start_ui -
tools/lxc_start.c:main:366 - The container failed to start.

      lxc-start 20180817025356.796 ERROR    lxc_start_ui -
tools/lxc_start.c:main:368 - To get more details, run the container in
foreground mode.

      lxc-start 20180817025356.796 ERROR    lxc_start_ui -
tools/lxc_start.c:main:370 - Additional information can be obtained by
setting the --logfile and --logpriority options.

Since lxc was not able to mount squashed rootfs filetype, I tried the
following steps



   1. Created empty rootfs directory
   2. Mounted rootfs.squashfs to rootfs directory created in step# 1  ( *sudo
   mount -o loop -t squashfs rootfs.squashfs rootfs *)
   3. Verified the new rootfs directory is read-only
   4. Started container with this new rootfs read-only directory  and it
   worked fine
   5. Verified that rootfs inside the container also is read-only.



* is it the right way of doing ?? or if there is any other way in which LXC
can directly work with squashfs filetype, please provide help*


*Thanks & Regards,*

*Yasoda*

*HP Inc*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20180817/77284a40/attachment.html>
-------------- next part --------------
# Template used to create this container: /usr/share/lxc/templates/lxc-busybox
# Parameters passed to the template:
# Template script checksum (SHA-1): 584d8e8193ed3425cc9c3f62917cc9921cd5c846
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.aa_profile = unconfined
lxc.network.type = veth
                lxc.network.link = lxcbr0
                lxc.network.flags = up
                lxc.network.hwaddr = 00:16:3e:98:be:2d
                lxc.id_map = u 0 100000 65536
                lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/oxpd/.local/share/lxc/spawn_squashfs_rootfs/rootfs.squashfs
lxc.rootfs.backend = dir
lxc.mount.entry = /dev/tty dev/tty    none bind,optional,create=file 0 0
lxc.mount.entry = /dev/console dev/console    none bind,optional,create=file 0 0
lxc.mount.entry = /dev/tty0 dev/tty0    none bind,optional,create=file 0 0
lxc.mount.entry = /dev/tty1 dev/tty1    none bind,optional,create=file 0 0
lxc.mount.entry = /dev/ram0 dev/ram0    none bind,optional,create=file 0 0
lxc.mount.entry = /dev/null dev/null    none bind,optional,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom    none bind,optional,create=file 0 0
lxc.haltsignal = SIGUSR1
lxc.rebootsignal = SIGTERM
lxc.utsname = spawn_squashfs_rootfs
lxc.tty = 1
lxc.pts = 1
lxc.cap.drop = sys_module mac_admin mac_override sys_time

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = shm /dev/shm tmpfs defaults 0 0
lxc.mount.entry = /lib lib none ro,bind 0 0
lxc.mount.entry = /usr/lib usr/lib none ro,bind 0 0
lxc.mount.entry = /lib64 lib64 none ro,bind 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0

More information about the lxc-users mailing list