Re: [lxc-users] [lxd] autofs

2016-07-04 Thread Tycho Andersen
On Mon, Jul 04, 2016 at 12:20:30PM +0200, Rémy Dernat wrote:
> Ok, I will answer myself: my container was not running privileged.
> 
> It is now working fine in a privileged container.
> 
> However, I am quite interested in doing such a thing in an unprivileged
> container. I tried:
> 
> (my profile is 'vlan' because I also need some NAT stuff).
> 
> echo Y | sudo tee /sys/module/fuse/parameters/userns_mounts
> echo Y | sudo tee /sys/module/ext4/parameters/userns_mounts
> lxc profile set vlan raw.lxc lxc.aa_profile=unconfined
> lxc profile device add vlan autofs unix-char path=/dev/autofs
> lxc profile device add vlan fuse unix-char path=/dev/fuse
> lxc profile device add vlan loop0 unix-block path=/dev/loop0
> lxc profile apply my-container vlan
> lxc restart my-container
> 
> 
> My apparmor from host is:
> 
> cat /etc/apparmor.d/lxc/lxc-default-with-mounting
> # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
> 
> profile lxc-container-default-with-mounting
> flags=(attach_disconnected,mediate_deleted) {
>   #include 
> 
> # allow standard blockdevtypes.
> # The concern here is in-kernel superblock parsers bringing down the
> # host with bad data.  However, we continue to disallow proc, sys, securityfs,
> # etc to nonstandard locations.
>   mount fstype=ext*,
>   mount fstype=xfs,
>   mount fstype=nfs,
>   mount fstype=nfs4,
>   mount fstype=rpc_pipefs,
>   mount fstype=autofs,
>   mount fstype=btrfs,
>   mount options=(rw, bind),
> }
> 
> 
> Although I think this is not needed as I already wrote:
> lxc profile set vlan raw.lxc lxc.aa_profile=unconfined
> 
> I restarted both lxd and apparmor without success.
> 
> It seems that the only way to do it is a nested container or a privileged
> one.

The kernel refuses to let non-root mount a large majority of
filesystems; ext4 and the proc filesystems and such are special
exceptions, not the rule.

> Cheers,
> 
> Rémy
> 
> 2016-07-04 10:28 GMT+02:00 Rémy Dernat :
> 
> > Hi Tycho,
> >
> > It is launched from root, so I supposed that my container is
> > privileged. Here is the content of my
> > "/etc/apparmor.d/lxc/lxc-default-with-mounting":
> >
> >
> >
> > # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> > # will source all profiles under /etc/apparmor.d/lxc
> >
> > profile lxc-container-default-with-mounting
> > flags=(attach_disconnected,mediate_deleted) {
> >   #include 
> >
> > # allow standard blockdevtypes.
> > # The concern here is in-kernel superblock parsers bringing down the
> > # host with bad data.  However, we continue to disallow proc, sys, securityfs,
> > # etc to nonstandard locations.
> >   mount fstype=ext*,
> >   mount fstype=xfs,
> >   mount fstype=btrfs,
> > }
> >
> >
> > I tried to add "mount fstype=nfs,", then restart my lxd service and my
> > container, but that did not change anything.
> >
> > In fact, I am not able to mount any nfs share:
> >
> >
> > mount -t nfs nas-0-2:/export/bio /tmp/bio
> > mount.nfs: access denied by server while mounting nas-0-2:/export/bio
> >
> >
> > Although nas-0-2 allows mounts from my client IP.
> >
> >
> > :(
> >
> >
> >
> >
> > 2016-07-01 21:57 GMT+02:00 Tycho Andersen :
> >
> >> On Fri, Jul 01, 2016 at 04:15:57PM +0200, Rémy Dernat wrote:
> >> > Hi,
> >> >
> >> > I tried to install basically autofs in the container and mount
> >> directories
> >> > with automount, but as a newbie, everything failed ;)
> >> >
> >> > automount -f --debug
> >> > automount: test mount forbidden or incorrect kernel protocol version,
> >> > kernel protocol version 5.00 or above required.
> >> >
> >> > I know that in OpenVZ, you need to mount the filesystem on the host and
> >> > then use simfs on the container through a container "mount" file.
> >> > Then, I saw problems with LXC here:
> >> > http://comments.gmane.org/gmane.linux.kernel.containers.lxc.general/894
> >> > And after reading https://github.com/lxc/lxd/issues/714 , I tried:
> >> >
> >> > lxc config device add my-container autofs unix-char path=/dev/autofs
> >> >
> >> > Now on container side:
> >> > #ls -l /dev/autofs
> >> > crw-rw 1 root root 10, 235 Jul  1 14:06 /dev/autofs
> >> >
> >> >
> >> > However, the issue is still here:
> >> > automount -f --debug
> >> > automount: test mount forbidden or incorrect kernel protocol version,
> >> > kernel protocol version 5.00 or above required.
> >> >
> >> > "autofs4" module is loaded in the kernel.
> >> >
> >> > I tried to remove/purge autofs and switch to autofs5 package and I have
> >> > also the same error.
> >>
> >> Is the container privileged? Are you in an apparmor mode which allows
> >> mounts? I don't think unprivileged mounting of autofs is allowed, and
> >> our apparmor profiles by default disallow most kinds of mounts.
> >>
> >> > The container, like the host, is ubuntu 16.04.

Re: [lxc-users] LXC 2.0.2 & 2.0.3, LXCFS 2.0.2 and LXD 2.0.3 have been released!

2016-07-04 Thread Yonsy Solis

On 04/07/16 10:59, McDonagh, Ed wrote:

Hello

Is there a timeline for LXC/LXD 2.0.3 to be released to xenial-updates? I saw 
it was released to trusty-backports and yakkety on Thursday or Friday last 
week, but nothing for xenial.

Or do I need to add the PPA to keep up to date?


You can see here:

https://launchpad.net/ubuntu/+source/lxd

that lxd 2.0.3 is in "proposed". We need to wait only a few days to have 
lxd 2.0.3 in "updates"



--
Yonsy Solis
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] LXC 2.0.2 & 2.0.3, LXCFS 2.0.2 and LXD 2.0.3 have been released!

2016-07-04 Thread McDonagh, Ed
Hello

Is there a timeline for LXC/LXD 2.0.3 to be released to xenial-updates? I saw 
it was released to trusty-backports and yakkety on Thursday or Friday last 
week, but nothing for xenial.

Or do I need to add the PPA to keep up to date?

Kind regards

Ed

-Original Message-
From: lxc-users [mailto:lxc-users-boun...@lists.linuxcontainers.org] On Behalf 
Of Stéphane Graber
Sent: 29 June 2016 00:27
To: lxc-de...@lists.linuxcontainers.org; lxc-users@lists.linuxcontainers.org; 
contain...@lists.linux-foundation.org
Subject: [lxc-users] LXC 2.0.2 & 2.0.3, LXCFS 2.0.2 and LXD 2.0.3 have been 
released!

Hello everyone,

Today the LXC project is pleased to announce the release of:
 - LXC 2.0.2 & 2.0.3
 - LXD 2.0.3
 - LXCFS 2.0.2

We had to release two LXC bugfix releases due to a problem in the apparmor 
profile which was included in 2.0.2. Fixing the apparmor profile is the only 
change in 2.0.3.


They each contain the accumulated bugfixes since the previous round of bugfix 
releases a bit over a month ago.

The detailed changelogs can be found at:
 - https://linuxcontainers.org/lxc/news/
 - https://linuxcontainers.org/lxcfs/news/
 - https://linuxcontainers.org/lxd/news/

As a reminder, the 2.0 series of all of those is supported for bugfix and 
security updates up until June 2021.

Thanks to everyone who contributed to those projects and helped make this 
possible!


Stéphane Graber
On behalf of the LXC, LXCFS and LXD development teams

[lxc-users] Dynamically bind-mounting read-only into container

2016-07-04 Thread Tobias Olausson
Hi,

I'm working on a software using LXC where we want to be able to, while a
container is running, bind mount directories read-only into it. I guess
this means I can't use the lxc.mount entry, since that is read when
creating/starting the container, not while it is running.

I posted on StackOverflow before thinking about asking on this mailing list
[1]. Basically, unless I re-mount _inside_ the container, the mount shows
up as read-write inside it, even though it is read-only in the host.

[1]
http://stackoverflow.com/questions/38121765/can-i-mount-a-file-system-read-only-into-an-lxc-container

Cheers,

---
Tobias Olausson
M.Sc C.S.
Software Engineer

PELAGICORE | Experience Change
Ekelundsgatan 4, 6tr, SE-411 18 Gothenburg, Sweden
Mobile: +46(0)735-873444
http://www.pelagicore.com/
IRC: wto @ FreeNode

Registered Office Gothenburg, Sweden
Registration No. 556780-4199
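One way to check, from the host side, whether a bind mount into a container's rootfs is actually read-only at the per-mount level, as an added example that is not part of the original post or of LXC itself: it parses `/proc/<pid>/mountinfo`, where field 6 carries the per-mount-point flags and the options after the "-" separator belong to the shared superblock. That distinction is why a bind mount can look writable inside the container even though the host intended it read-only, until a second `mount -o remount,bind,ro` sets the per-mount flag. The rootfs path and the sample mountinfo lines are constructed.

```python
from dataclasses import dataclass

@dataclass
class MountEntry:
    mount_point: str
    fs_type: str
    mount_opts: frozenset  # per-mount-point flags (field 6 of mountinfo)
    super_opts: frozenset  # superblock options (after the "-" separator)

    @property
    def read_only(self) -> bool:
        # Read-only if the mount point's own flags say so, or if the whole
        # superblock is ro (a bind mount shares the source's superblock).
        return "ro" in self.mount_opts or "ro" in self.super_opts

def parse_mountinfo(text: str) -> list:
    """Parse the text of /proc/<pid>/mountinfo into MountEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")  # "-" splits the two halves
        if not sep:
            raise ValueError("malformed mountinfo line: " + line)
        lf, rf = left.split(), right.split()
        entries.append(MountEntry(
            mount_point=lf[4].replace("\\040", " "),  # spaces are octal-escaped
            fs_type=rf[0],
            mount_opts=frozenset(lf[5].split(",")),
            super_opts=frozenset(rf[2].split(",")) if len(rf) > 2 else frozenset(),
        ))
    return entries

def writable_mounts_under(text: str, rootfs: str) -> list:
    """Mount points below a container rootfs that are NOT read-only."""
    prefix = rootfs.rstrip("/") + "/"
    return sorted(e.mount_point for e in parse_mountinfo(text)
                  if e.mount_point.startswith(prefix) and not e.read_only)

# Constructed sample (hypothetical paths): /mnt/data was bound and then
# remounted "remount,bind,ro", so its per-mount flags carry "ro"; /mnt/logs
# only got the initial bind and is still writable from inside the container.
SAMPLE = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
60 25 8:1 /srv/data /var/lib/lxc/c1/rootfs/mnt/data ro,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
61 25 8:1 /srv/logs /var/lib/lxc/c1/rootfs/mnt/logs rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
"""
```

Run it against the real file with `open("/proc/<pid>/mountinfo").read()` for the container's init pid to audit a live container; the superblock's `rw` alone says nothing about whether the bind mount is writable.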

Re: [lxc-users] [lxd] autofs

2016-07-04 Thread Rémy Dernat
Ok, I will answer myself: my container was not running privileged.

It is now working fine in a privileged container.

However, I am quite interested in doing such a thing in an unprivileged
container. I tried:

(my profile is 'vlan' because I also need some NAT stuff).

echo Y | sudo tee /sys/module/fuse/parameters/userns_mounts
echo Y | sudo tee /sys/module/ext4/parameters/userns_mounts
lxc profile set vlan raw.lxc lxc.aa_profile=unconfined
lxc profile device add vlan autofs unix-char path=/dev/autofs
lxc profile device add vlan fuse unix-char path=/dev/fuse
lxc profile device add vlan loop0 unix-block path=/dev/loop0
lxc profile apply my-container vlan
lxc restart my-container


My apparmor from host is:

cat /etc/apparmor.d/lxc/lxc-default-with-mounting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting
flags=(attach_disconnected,mediate_deleted) {
  #include 

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=rpc_pipefs,
  mount fstype=autofs,
  mount fstype=btrfs,
  mount options=(rw, bind),
}


Although I think this is not needed as I already wrote:
lxc profile set vlan raw.lxc lxc.aa_profile=unconfined

I restarted both lxd and apparmor without success.

It seems that the only way to do it is a nested container or a privileged
one.

Cheers,

Rémy

2016-07-04 10:28 GMT+02:00 Rémy Dernat :

> Hi Tycho,
>
> It is launched from root, so I supposed that my container is
> privileged. Here is the content of my
> "/etc/apparmor.d/lxc/lxc-default-with-mounting":
>
>
>
> # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
> # will source all profiles under /etc/apparmor.d/lxc
>
> profile lxc-container-default-with-mounting
> flags=(attach_disconnected,mediate_deleted) {
>   #include 
>
> # allow standard blockdevtypes.
> # The concern here is in-kernel superblock parsers bringing down the
> # host with bad data.  However, we continue to disallow proc, sys, securityfs,
> # etc to nonstandard locations.
>   mount fstype=ext*,
>   mount fstype=xfs,
>   mount fstype=btrfs,
> }
>
>
> I tried to add "mount fstype=nfs,", then restart my lxd service and my
> container, but that did not change anything.
>
> In fact, I am not able to mount any nfs share:
>
>
> mount -t nfs nas-0-2:/export/bio /tmp/bio
> mount.nfs: access denied by server while mounting nas-0-2:/export/bio
>
>
> Although nas-0-2 allows mounts from my client IP.
>
>
> :(
>
>
>
>
> 2016-07-01 21:57 GMT+02:00 Tycho Andersen :
>
>> On Fri, Jul 01, 2016 at 04:15:57PM +0200, Rémy Dernat wrote:
>> > Hi,
>> >
>> > I tried to install basically autofs in the container and mount
>> directories
>> > with automount, but as a newbie, everything failed ;)
>> >
>> > automount -f --debug
>> > automount: test mount forbidden or incorrect kernel protocol version,
>> > kernel protocol version 5.00 or above required.
>> >
>> > I know that in OpenVZ, you need to mount the filesystem on the host and
>> > then use simfs on the container through a container "mount" file.
>> > Then, I saw problems with LXC here:
>> > http://comments.gmane.org/gmane.linux.kernel.containers.lxc.general/894
>> > And after reading https://github.com/lxc/lxd/issues/714 , I tried:
>> >
>> > lxc config device add my-container autofs unix-char path=/dev/autofs
>> >
>> > Now on container side:
>> > #ls -l /dev/autofs
>> > crw-rw 1 root root 10, 235 Jul  1 14:06 /dev/autofs
>> >
>> >
>> > However, the issue is still here:
>> > automount -f --debug
>> > automount: test mount forbidden or incorrect kernel protocol version,
>> > kernel protocol version 5.00 or above required.
>> >
>> > "autofs4" module is loaded in the kernel.
>> >
>> > I tried to remove/purge autofs and switch to autofs5 package and I have
>> > also the same error.
>>
>> Is the container privileged? Are you in an apparmor mode which allows
>> mounts? I don't think unprivileged mounting of autofs is allowed, and
>> our apparmor profiles by default disallow most kinds of mounts.
>>
>> > The container, like the host, is ubuntu 16.04.
>> >
>> > Any help would be useful !
>> >
>> > Best regards,
>> > Remy
>>

Re: [lxc-users] [lxd] autofs

2016-07-04 Thread Rémy Dernat
Hi Tycho,

It is launched from root, so I supposed that my container is
privileged. Here is the content of my
"/etc/apparmor.d/lxc/lxc-default-with-mounting":



# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting
flags=(attach_disconnected,mediate_deleted) {
  #include 

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}


I tried to add "mount fstype=nfs,", then restart my lxd service and my
container, but that did not change anything.

In fact, I am not able to mount any nfs share:


mount -t nfs nas-0-2:/export/bio /tmp/bio
mount.nfs: access denied by server while mounting nas-0-2:/export/bio


Although nas-0-2 allows mounts from my client IP.


:(




2016-07-01 21:57 GMT+02:00 Tycho Andersen :

> On Fri, Jul 01, 2016 at 04:15:57PM +0200, Rémy Dernat wrote:
> > Hi,
> >
> > I tried to install basically autofs in the container and mount
> directories
> > with automount, but as a newbie, everything failed ;)
> >
> > automount -f --debug
> > automount: test mount forbidden or incorrect kernel protocol version,
> > kernel protocol version 5.00 or above required.
> >
> > I know that in OpenVZ, you need to mount the filesystem on the host and
> > then use simfs on the container through a container "mount" file.
> > Then, I saw problems with LXC here:
> > http://comments.gmane.org/gmane.linux.kernel.containers.lxc.general/894
> > And after reading https://github.com/lxc/lxd/issues/714 , I tried:
> >
> > lxc config device add my-container autofs unix-char path=/dev/autofs
> >
> > Now on container side:
> > #ls -l /dev/autofs
> > crw-rw 1 root root 10, 235 Jul  1 14:06 /dev/autofs
> >
> >
> > However, the issue is still here:
> > automount -f --debug
> > automount: test mount forbidden or incorrect kernel protocol version,
> > kernel protocol version 5.00 or above required.
> >
> > "autofs4" module is loaded in the kernel.
> >
> > I tried to remove/purge autofs and switch to autofs5 package and I have
> > also the same error.
>
> Is the container privileged? Are you in an apparmor mode which allows
> mounts? I don't think unprivileged mounting of autofs is allowed, and
> our apparmor profiles by default disallow most kinds of mounts.
>
> > The container, like the host, is ubuntu 16.04.
> >
> > Any help would be useful !
> >
> > Best regards,
> > Remy
>