[lxc-users] How to spawn an unprivileged LXC container with squashfs rootfs ?

Serge E. Hallyn serge at hallyn.com
Fri Aug 17 06:24:39 UTC 2018


Quoting Yasoda Padala (padala.yasoda at gmail.com):
> Hi All,
> I want to spawn an unprivileged LXC container with container rootfs as
> squashfs filetype.
> (goal is to have container rootfs as compressed and read-only)
> 
> 1. Created a squashfs file out of container's rootfs using the below
> command:
> mksquashfs rootfs rootfs.squashfs
>  2. Changed the rootfs path in the container config to refer to this newly
> created rootfs.squashfs file
> please find attached container config file
> 
> LXC is giving the below error while starting the unprivileged container
> 
> lxc-start 20180817025351.739 ERROR    lxc_conf - conf.c:setup_rootfs:1220 -
> Failed to mount rootfs
> "/home/oxpd/.local/share/lxc/spawn_squashfs_rootfs/rootfs.squashfs" onto
> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
> 
>       lxc-start 20180817025351.739 ERROR    lxc_conf -
> conf.c:do_rootfs_setup:3899 - failed to setup rootfs for
> 'spawn_squashfs_rootfs'
> 
>       lxc-start 20180817025351.739 ERROR    lxc_conf -
> conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
> 
>       lxc-start 20180817025351.739 ERROR    lxc_start -
> start.c:do_start:811 - Failed to setup container "spawn_squashfs_rootfs".
> 
>       lxc-start 20180817025351.739 ERROR    lxc_sync -
> sync.c:__sync_wait:57 - An error occurred in another process (expected
> sequence number 3)
> 
>       lxc-start 20180817025351.739 ERROR    lxc_start -
> start.c:__lxc_start:1358 - Failed to spawn container
> "spawn_squashfs_rootfs".
> 
>       lxc-start 20180817025356.796 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:366 - The container failed to start.
> 
>       lxc-start 20180817025356.796 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:368 - To get more details, run the container in
> foreground mode.
> 
>       lxc-start 20180817025356.796 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:370 - Additional information can be obtained by
> setting the --logfile and --logpriority options.
> 
> Since lxc was not able to mount the squashed rootfs filetype, I tried the
> following steps:
> 
>    1. Created empty rootfs directory
>    2. Mounted rootfs.squashfs to rootfs directory created in step# 1  (sudo
>    mount -o loop -t squashfs rootfs.squashfs rootfs)

Note that you can do this using squashfuse with the allow_other option, to do it
without sudo.

>    3. Verified the new rootfs directory is read-only
>    4. Started container with this new rootfs read-only directory  and it
>    worked fine
>    5. Verified that rootfs inside the container also is read-only.
> 
> * Is it the right way of doing this? Or is there any other way in which LXC

Yes, I think so.  For the moment (and foreseeable future) you can't
mount squashfs as unpriv user because you could feed garbage into the
in-kernel superblock parser and potentially wreak havoc.
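The squashfuse route mentioned in the reply, written out as a small script added here (it is not code from the thread or from the LXC project). It assumes squashfs-tools and squashfuse are installed, that /etc/fuse.conf contains user_allow_other (a non-root user cannot pass allow_other without it), and the LXC 3 lxc.rootfs.path key; the read-only check is the poster's step 3 made mechanical by reading the per-mount options from /proc/self/mountinfo.

```shell
#!/bin/sh
# Added example: build a squashfs image, mount it in userspace as an
# unprivileged user, verify it is read-only, and print the LXC config line.
# allow_other is needed because the container's processes run as mapped
# uids in the user namespace, not as the user that performed the mount.
set -eu

# Build a compressed, read-only image from an existing rootfs directory.
build_image() {            # build_image <rootfs-dir> <image>
    mksquashfs "$1" "$2" -noappend >/dev/null
}

# Mount the image with squashfuse; the in-kernel squashfs parser is not used.
mount_image() {            # mount_image <image> <mountpoint>
    mkdir -p "$2"
    squashfuse -o allow_other "$1" "$2"
}

# Return 0 if <mountpoint> is mounted read-only, judging by the per-mount
# options (field 6) of mountinfo-format text read from stdin.
is_ro_mount() {            # is_ro_mount <mountpoint> < /proc/self/mountinfo
    awk -v mp="$1" '
        $5 == mp { n = split($6, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit !found }'
}

# Config line pointing the container at the mounted directory
# (LXC 3 key; on LXC 2 the key is lxc.rootfs).
rootfs_config_line() {     # rootfs_config_line <mountpoint>
    printf 'lxc.rootfs.path = dir:%s\n' "$1"
}

# Usage: script.sh <rootfs-dir> <image> <mountpoint>
if [ $# -eq 3 ]; then
    build_image "$1" "$2"
    mount_image "$2" "$3"
    if is_ro_mount "$3" < /proc/self/mountinfo; then
        rootfs_config_line "$3"
    else
        echo "refusing: $3 is not mounted read-only" >&2
        exit 1
    fi
fi
```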
