I'm not really conversant with whether the lxc container was unconfined, but https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1575757 shows what I did from start to finish:
sudo apt-get install nfs-kernel-server
sudo lxc-create -n nfstest -t download -- -d ubuntu -r xenial -a amd64
Add
  lxc.mount.auto = cgroup
  lxc.aa_profile = lxc-container-default-with-nesting
to the config file
sudo lxc-start -n nfstest
sudo lxc-attach -n nfstest apt-get update
sudo lxc-attach -n nfstest apt-get install nfs-kernel-server
# success!

Does that answer the question?

On Fri, Apr 29, 2016 at 8:58 AM, Serge Hallyn <[email protected]> wrote:
> Quoting Serge Hallyn ([email protected]):
>> Quoting Serge Hallyn ([email protected]):
>> > Quoting Dan Kegel ([email protected]):
>> > > Hi all,
>> > > I'm trying to virtualize an app that uses both nfs and docker on
>> > > Ubuntu 16.04. (Yes, the app uses docker. Sigh.)
>> > >
>> > > The lxc profile lxc-container-default-with-nesting allowed installing
>> > > nfs-kernel-server, but didn't let me install docker.io.
>> > > I figured I was getting into "better use the latest stuff" territory,
>> > > so I switched to lxd.
>> > >
>> > > Following https://www.stgraber.org/2016/04/13/lxd-2-0-docker-in-lxd-712,
>> > > I was able to get docker to run inside lxc:
>> > >
>> > > sudo apt install lxd lxd-client
>> > > sudo usermod -aG lxd $USER
>> > > (log out; log in)
>> > > lxc launch ubuntu:16.04 docker -p default -p docker
>> > > lxc exec docker -- apt update
>> > > lxc exec docker -- apt dist-upgrade -u
>> > > lxc exec docker -- apt install docker.io -y
>> > > lxc exec docker -- docker run ubuntu /bin/echo 'hello, nesty world!'
>> > >
>> > > Worked great! But
>> > > lxc exec docker -- apt install nfs-kernel-server -y
>> > >
>> > > failed; journalctl says:
>> > > nfs-idmapd.service/stat failed with result 'dependency' ...
>> > > ... failed to mount RPC Pipe File System...
>> > > ... Unit run-rpc_pipefs.mount has failed..."
>> > >
>> > > Just as with my earlier lxc problem, I'm sure there's some simple answer
>> > > that'd be obvious if I read the docs, but I can't find any lxd doc that
>> > > mentions nfs, nor am I fluent in AppArmor. Can I buy a clue?
>> >
>> > My guess is you need to add permission to mount type rpc_pipefs
>> > run-rpc_pipefs.mount, perhaps by adding it to the raw.apparmor
>> > config item using 'lxc config edit docker'
>> >
>> Well this is fascinating. I can't get an allow rule to work for me,
>> but setting security.privileged: true does work, so it is apparmor
>> preventing the mount. There is no denied rule in syslog, so it
>> appears to be a silent denial, but I don't know where.
>
> Ah, it's not apparmor. You're simply not allowed to mount that unless
> you are in the initial usernamespace. You can reproduce using just
>
> lxc-usernsexec bash
> # lxc-unshare -s "MOUNT|PID"
> ## mount -t rpc_pipefs sunrpc /mnt
>
> Was your lxc (non-lxd) container not unconfined?
>
> -serge
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
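Serge's conclusion above is that the rpc_pipefs mount is refused because the container is not in the initial user namespace, not because of AppArmor (there is no denial in syslog, and security.privileged: true makes it work). The quickest way to tell which of the two situations a container is in, before reaching for raw.apparmor, is to read /proc/self/uid_map from inside it: the initial user namespace shows a single identity mapping over the whole 32-bit range, while an unprivileged LXC/LXD container shows a shifted range such as 0 100000 65536. The following is an added example written for this page, not code from the thread or from the lxc/lxd projects; the sample map contents are constructed, and the helper names are my own.

```python
"""Added example (not from the lxc-users thread): decide from uid_map text
whether a process sits in the initial user namespace, the condition Serge
gives for 'mount -t rpc_pipefs' being allowed at all.

/proc/<pid>/uid_map lines have the form "<inside_start> <outside_start> <count>".
The initial namespace has exactly one line: "0 0 4294967295".
"""
import os

FULL_RANGE = 4294967295  # 2**32 - 1: the count the initial namespace's map shows


def parse_id_map(text):
    """Parse uid_map/gid_map text into a list of (inside, outside, count) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError("malformed id map line: %r" % line)
        entries.append(tuple(int(p) for p in parts))
    return entries


def is_initial_userns(uid_map_text):
    """True iff the map is the identity map over the whole uid range,
    i.e. what a privileged container (security.privileged: true) or the
    host itself sees; False for any shifted or partial map."""
    return parse_id_map(uid_map_text) == [(0, 0, FULL_RANGE)]


def host_uid_of_root(uid_map_text):
    """Host-side uid that container uid 0 maps to, or None if 0 is not mapped.
    Useful when explaining why 'root' in an unprivileged container cannot
    do things reserved for the initial namespace."""
    for inside, outside, count in parse_id_map(uid_map_text):
        if inside <= 0 < inside + count:
            return outside + (0 - inside)
    return None


def check_self():
    """Live check on Linux; returns None where /proc/self/uid_map is absent
    (non-Linux hosts), otherwise True/False as is_initial_userns()."""
    path = "/proc/self/uid_map"
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return is_initial_userns(f.read())


# Constructed sample maps (hypothetical values, not captured from the thread):
PRIVILEGED = "         0          0 4294967295\n"    # host / security.privileged: true
UNPRIVILEGED = "         0     100000      65536\n"  # typical unprivileged LXC/LXD map
# A multi-line map as produced by a custom raw.idmap: uid 1000 is passed through.
MULTI = ("         0     100000       1000\n"
         "      1000       1000          1\n"
         "      1001     101001      64535\n")

if __name__ == "__main__":
    for name, m in (("privileged", PRIVILEGED),
                    ("unprivileged", UNPRIVILEGED),
                    ("multi", MULTI)):
        print("%-12s initial userns: %-5s  container root is host uid %s"
              % (name, is_initial_userns(m), host_uid_of_root(m)))
    print("this process: initial userns =", check_self())
```

Run it inside the LXD container that fails to mount rpc_pipefs and inside the working LXC one: if the first reports False and the second True, the behaviour matches Serge's explanation and no AppArmor rule will change it; only a privileged container (or a mount done from the host) will.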
