So lxc is a better choice than lxd when you want to export nfs filesystems from a container, but the real answer is "don't do that"?
I might be able to split the nfs serving part out of this app, but it's not a great sign that right out of the gate I'm hitting a leaky abstraction. The app also needs good OpenGL, and that's probably the next roadblock I'll be running into.

On Fri, Apr 29, 2016 at 10:31 AM, Serge Hallyn <[email protected]> wrote:
> Quoting Dan Kegel ([email protected]):
>> I'm not really conversant with whether the lxc container was unconfined, but
>> https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1575757 shows what
>> I did from start to finish:
>>
>> sudo apt-get install nfs-kernel-server
>> sudo lxc-create -n nfstest -t download -- -d ubuntu -r xenial -a amd64
>
> Yeah this is not in a user namespace unless you've updated
> /etc/lxc/default.conf. So root in that container is global
> root.
>
>> Add
>> lxc.mount.auto = cgroup
>> lxc.aa_profile = lxc-container-default-with-nesting
>> to the config file
>> sudo lxc-start -n nfstest
>> sudo lxc-attach -n nfstest apt-get update
>> sudo lxc-attach -n nfstest apt-get install nfs-kernel-server # success!
>>
>> Does that answer the question?
>
> yup.
>
> So my guess is this is an inherent feature of the nfs kernel module,
> that it insists the mounter be privileged against the user ns in which
> the nfs server is. The other possibility would be that there's an
> overmounted rpc_pipefs somewhere so the kernel doesn't want to let you
> unmask that. But I don't think that is it.
>
> Really I never recommend nfs exports from a container, as
> far as I know there are still plenty of other bugs in that.
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
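Serge's point above, that the container is not in a user namespace (so its root is host root) unless /etc/lxc/default.conf maps uids, can be verified from the container's own /proc/self/uid_map and from its config. The script below is an added example, not from this thread or the LXC project: the two uid_map strings and the config texts are constructed (the first config copies the thread's two lines), `lxc.id_map` is the LXC 1.x/2.0 key and `lxc.idmap` the LXC 3+ key, and the `lxc-attach` live check only runs when a container name is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread. A uid_map line reads
# <ns-start-uid> <host-start-uid> <count>; "0 0 4294967295" is the
# identity map, i.e. no user-namespace isolation at all.
# Returns 0 when uid 0 inside the container maps to a non-zero host uid
# (unprivileged container); 1 when root is host root or unmapped.
uidmap_root_is_mapped() {
    result=1
    while read -r ns_start host_start count; do
        [ -z "$ns_start" ] && continue
        if [ "$ns_start" -eq 0 ] && [ "$count" -gt 0 ] && [ "$host_start" -ne 0 ]; then
            result=0
        fi
    done <<EOF
$1
EOF
    return "$result"
}
# Returns 0 when an LXC config text declares a uid mapping
# (lxc.id_map in LXC 1.x/2.0, lxc.idmap in LXC 3+). The config quoted in
# the thread has none, which is why that container's root was host root.
lxc_config_has_uid_map() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lxc\.id_?map[[:space:]]*=[[:space:]]*u([[:space:]]|$)'
}
# Constructed sample inputs (not captured from a real host).
PRIV_MAP='         0          0 4294967295'
UNPRIV_MAP='         0     100000      65536'
THREAD_CONF='lxc.mount.auto = cgroup
lxc.aa_profile = lxc-container-default-with-nesting'
MAPPED_CONF="$THREAD_CONF
lxc.id_map = u 0 100000 65536"
for m in "$PRIV_MAP" "$UNPRIV_MAP"; do
    if uidmap_root_is_mapped "$m"; then echo "uid_map '$m': root is remapped"
    else echo "uid_map '$m': root is host root"; fi
done
for c in "$THREAD_CONF" "$MAPPED_CONF"; do
    if lxc_config_has_uid_map "$c"; then echo "config declares a uid map"
    else echo "config has no uid map: container root will be host root"; fi
done
# Live check of a running container, only when a name is given:
#   sh check_userns.sh nfstest   (hypothetical script name)
if [ -n "${1:-}" ] && command -v lxc-attach >/dev/null 2>&1; then
    if uidmap_root_is_mapped "$(sudo lxc-attach -n "$1" -- cat /proc/self/uid_map)"; then
        echo "$1: unprivileged (root is remapped)"
    else echo "$1: privileged (root is host root)"; fi
fi
```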
