Quoting Serge Hallyn ([email protected]):
> Quoting Serge Hallyn ([email protected]):
> > Quoting Dan Kegel ([email protected]):
> > > Hi all,
> > > I'm trying to virtualize an app that uses both nfs and docker on
> > > Ubuntu 16.04. (Yes, the app uses docker. Sigh.)
> > >
> > > The lxc profile lxc-container-default-with-nesting allowed installing
> > > nfs-kernel-server, but didn't let me install docker.io.
> > > I figured I was getting into "better use the latest stuff" territory,
> > > so I switched to lxd.
> > >
> > > Following https://www.stgraber.org/2016/04/13/lxd-2-0-docker-in-lxd-712,
> > > I was able to get docker to run inside lxc:
> > >
> > > sudo apt install lxd lxd-client
> > > sudo usermod -aG lxd $USER
> > > (log out; log in)
> > > lxc launch ubuntu:16.04 docker -p default -p docker
> > > lxc exec docker -- apt update
> > > lxc exec docker -- apt dist-upgrade -u
> > > lxc exec docker -- apt install docker.io -y
> > > lxc exec docker -- docker run ubuntu /bin/echo 'hello, nesty world!'
> > >
> > > Worked great! But
> > > lxc exec docker -- apt install nfs-kernel-server -y
> > >
> > > failed; journalctl says:
> > > nfs-idmapd.service/stat failed with result 'dependency' ...
> > > ... failed to mount RPC Pipe File System...
> > > ... Unit run-rpc_pipefs.mount has failed..."
> > >
> > > Just as with my earlier lxc problem, I'm sure there's some simple answer
> > > that'd be obvious if I read the docs, but I can't find any lxd doc that
> > > mentions nfs, nor am I fluent in AppArmor. Can I buy a clue?
> >
> > My guess is you need to add permission to mount type rpc_pipefs
> > run-rpc_pipefs.mount, perhaps by adding it to the raw.apparmor
> > config item using 'lxc config edit docker'
> >
>
> Well this is fascinating. I can't get an allow rule to work for me,
> but setting security.privileged: true does work, so it is apparmor
> preventing the mount.
> There is no denied rule in syslog, so it
> appears to be a silent denial, but I don't know where.

Ah, it's not apparmor. You're simply not allowed to mount that unless
you are in the initial user namespace. You can reproduce using just

lxc-usernsexec bash
# lxc-unshare -s "MOUNT|PID"
## mount -t rpc_pipefs sunrpc /mnt

Was your lxc (non-lxd) container not unconfined?

-serge
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
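Serge's reproduction, reworked as an added example that is not part of the thread: it uses util-linux unshare(1) instead of lxc-usernsexec/lxc-unshare, and it probes any filesystem type, so you can tell apart "the kernel refuses this type from a non-initial user namespace" (EPERM, what rpc_pipefs does) from "the kernel has no such filesystem" (module not loaded). The function names and output tokens are my own; it assumes unshare supports -U/-r/-m and that the host allows unprivileged user namespaces at all, and reports no-userns otherwise.

```shell
#!/bin/sh
# Added example, not from the thread: probe which filesystem types a
# non-initial user namespace may mount. Function names and tokens are mine.

# Can an unprivileged user here get a user namespace plus a mount namespace
# in which a tmpfs mount succeeds? If not, the probe below cannot run.
userns_usable() {
    d=$(mktemp -d) || return 1
    if unshare -Urm sh -c 'mount -t tmpfs none "$1"' _ "$d" >/dev/null 2>&1; then
        rmdir "$d"; return 0
    else
        rmdir "$d"; return 1
    fi
}

# userns_mount_probe FSTYPE
# Prints one token and returns 0 only for "allowed":
#   allowed         the kernel permits this type in a user namespace
#   denied          EPERM: only the initial user namespace may mount it
#   unknown-fstype  no such filesystem known to the kernel (module absent)
#   no-userns       this host does not let the probe run at all
#   other: ...      anything else, with the raw mount(8) message
userns_mount_probe() {
    fstype=$1
    userns_usable || { echo no-userns; return 2; }
    d=$(mktemp -d) || return 3
    # -U new user ns, -r map ourselves to uid 0 inside it, -m new mount ns so
    # a successful mount disappears with the namespace. The source name is
    # arbitrary for pseudo filesystems such as rpc_pipefs.
    msg=$(unshare -Urm sh -c 'mount -t "$1" "$1" "$2" 2>&1 && echo MOUNTED' \
          _ "$fstype" "$d") || true
    rmdir "$d" 2>/dev/null || true
    case "$msg" in
        *MOUNTED*)                      echo allowed; return 0 ;;
        *"permission denied"*|*"not permitted"*|*superuser*)
                                        echo denied; return 1 ;;
        *"unknown filesystem type"*)    echo unknown-fstype; return 1 ;;
        *)                              echo "other: $msg"; return 1 ;;
    esac
}

# Demo: tmpfs is fine from a user namespace, rpc_pipefs is not.
if [ "${1:-}" = "--demo" ]; then
    for fs in tmpfs proc sysfs rpc_pipefs; do
        printf '%-12s %s\n' "$fs" "$(userns_mount_probe "$fs" || true)"
    done
fi
```

Run it as `sh probe.sh --demo` on the host: tmpfs reports allowed, rpc_pipefs reports denied (or unknown-fstype if the sunrpc module is not loaded), and no AppArmor rule changes that, which matches Serge's point that the check is the kernel's, not AppArmor's. The reason `security.privileged: true` "works" is that the container then runs in the initial user namespace, at the price of container root being real root on the host.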
