Quoting Mittelsdorf, Bjoern ([email protected]):
> Hi all,
> hi Serge,
>
> I was not able to create a seccomp config which works as intended.
> Admittedly I found no useful example and tried understanding the parser, which
> I probably did not :-)

reject_force_unmount is a special keyword; put it between blacklist and [all], so

2
blacklist
reject_force_unmount

might work, or at least

2
blacklist
reject_force_unmount
[all]

Really, so long as you're doing this, filtering out kexec_load, init_module, finit_module, and open_by_handle_at is worth your while.

> Here is my config:
>
> 2
> blacklist
> [all]
> reject_force_unmount
>
>
> lxc-start --version
> 1.0.7
>
> The containers are unprivileged.
>
> Best regards
>
> Björn
>
> -----Original Message-----
> From: Serge Hallyn [mailto:[email protected]]
> Sent: Friday, 19 February 2016 02:47
> To: LXC users mailing-list
> Subject: Re: [lxc-users] lxc and encfs
>
> Quoting Mittelsdorf, Bjoern ([email protected]):
> > Hi all,
> >
> > I face a problem with encfs encrypted folders mounted into lxc containers.
> >
> > I have a public encfs folder, which is controlled and provided by the
> > host,
> > encrypted: /var/lxc-crypt
> > public: /var/lxc-data
> >
> > containing one directory for each container, e.g.:
> > /var/lxc-data/xyz
> >
> > Each container mounts its directory via its config:
> >
> > lxc.mount.entry = /var/lxc-data/xyz
> > /var/vm/xyz/rootfs/var/encryptedData none bind 0 0
> >
> > Each time I shut down one of the containers, the host mount point for the
> > unencrypted data goes to waste, dragging the other container mount points
> > down with it:
> >
> > ls -ltr /var/
> > ls: cannot access /var/lxc-data: Transport endpoint is not connected
> > total 56
> > d????????? ? ? ? ? ? lxc-data
> >
> > I am aware of the fact that encfs is not the best choice, but I would really
> > happily stick with it for the moment.
> >
> > As you can see, I have no clue what is going on.
>
> Do you have reject_force_umount in your seccomp policy? This is a known bug
> in fuse, and really all you can do is not allow your containers to
> force-umount fuse (and therefore sadly, all) filesystems.
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
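As an added example (not from this thread), here is a complete v2 policy laid out the way Serge describes, with the keyword placed before the [all] section, spelled as in his earlier message, and the four syscalls he recommends blacklisting added. The container name and policy path are assumptions for illustration; the version and policy-style lines must stay first, since the parser reads them before it starts skipping comment lines.

```text
2
blacklist
# Policy for an unprivileged LXC 1.0 container; referenced from the
# container config with   lxc.seccomp = /var/lib/lxc/xyz/seccomp.policy
# (path and container name are assumptions for this example).
# reject_force_umount is a keyword, not a syscall name: it belongs between
# the policy line and the first [arch] section, and it rejects umount2()
# calls that carry MNT_FORCE, the call that tears down the host's encfs
# (FUSE) mount when a container shuts down.
reject_force_umount
# Ordinary syscall blacklist applied to all architectures; each name is
# denied with the policy's default action. These are the extra syscalls
# Serge suggests filtering while the policy is being written anyway.
[all]
kexec_load
init_module
finit_module
open_by_handle_at
```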
