
Can't use Fuse within a container #514

Closed
creack opened this issue May 3, 2013 · 20 comments

@creack
Contributor

creack commented May 3, 2013

It would be nice to be able to use Fuse within a container.

@jpetazzo
Contributor

jpetazzo commented May 3, 2013

It should work out of the box, provided that you uncomment the relevant line in lxc-template.go :-)

@creack
Contributor Author

creack commented May 3, 2013

Would you happen to know off the top of your head what capability needs to be enabled, and whether it is safe to do so?

@jpetazzo
Contributor

jpetazzo commented May 3, 2013

It's a mount, so you need CAP_SYS_ADMIN.
It's safe-ish to do it.
IMHO there should be a flag of some kind to switch between restricted mode
(paranoid, no caps) and trusted mode (enabling some useful caps, allowing
FUSE, docker-in-docker, and other things).

@ebastos

ebastos commented Jun 12, 2013

Hi, Gentlemen.

I'm trying to use gluster from a docker image and getting:

[2013-06-12 08:59:06.191225] E [mount.c:598:gf_fuse_mount] 0-glusterfs-fuse: cannot open /dev/fuse (No such file or directory)

If I understand it correctly, it looks like I need to uncomment something in the source code and maybe recompile it? Sorry for the beginner question, but I'm a sysadmin and not a developer. ;)

@shykes
Contributor

shykes commented Jun 12, 2013

Hi Eri, yes, by default docker locks down privileges of containers to a minimum - in particular the host's device files are not accessible.

This can be changed by tweaking lxc_template.go and recompiling. We plan on allowing this kind of tweaking dynamically (feel free to make a PR if you're inspired!)


@jpetazzo
Contributor

Specifically, you need to uncomment lxc.cgroup.devices.allow = c 10:229 rwm [1] to allow access to the FUSE device, and then you need to remove mknod and sys_admin from the lxc.cap.drop line [2]. Then everything should be fine.

[1] https://github.com/dotcloud/docker/blob/master/lxc_template.go#L63
[2] https://github.com/dotcloud/docker/blob/master/lxc_template.go#L89

@neomantra
Contributor

I think what I am trying to do in #460 will help in this use case because you can dynamically change the LXC template.... except.... what does LXC do if a directive is listed twice? Use only the last one?

If it is not predictable (or it errors), then the patch in #460 would need to be modified to detect the presence of a JSON-configured lxc.cap.drop (or any other directive) and insert that instead.

@shykes
Contributor

shykes commented Jul 21, 2013

This will be possible by manually relaxing the lxc restrictions, either individually, or wholesale with a "privileged mode" as discussed above. In the meantime, the current default behavior is correct for security reasons.

@shykes shykes closed this as completed Jul 21, 2013
@gregwebs

gregwebs commented Aug 4, 2013

I am confused as to whether it is possible to relax restrictions now to use FUSE. I would suggest keeping this ticket open until that is the case.

@henrik-muehe

As a workaround, in case your packages require fuse to be installed but do not actually use it, it suffices to install fuse without creating its device links. A short snippet to put into your Dockerfile can be found here: https://gist.github.com/henrik-muehe/6155333

I successfully installed basex (which has jdk and therefore fuse as a dependency) this way and it 'works for me'.

@victorhooi

Hi,

To the Docker team - what's the long-term solution to this problem?

I'm currently hitting this issue when attempting to install openjdk-7-jdk, which pulls in fuse.

Using @henrik-muehe's workaround works; however, it'd be nice if there was a more permanent fix, or an official solution?

Cheers,
Victor

@jpetazzo
Contributor

"docker build" will support the required operations (namely, mknod).
If you want to contribute some code, the easiest path to get there is #2191 :-)

@vincentwoo
Contributor

+1

@anthonydahanne
Contributor

@jpetazzo, "docker build" suffers from the same problem
Docker version 0.6.7, build cb48ecc

btw, @henrik-muehe's workaround works like a charm, thanks Henrik!

@discordianfish
Contributor

If you're not actually using the device file (but it's just part of a post-inst script as in the case with the fuse package), you can do:

fakeroot apt-get ... 

or:

dpkg-divert --local --rename --add /sbin/mknod && ln -s /bin/true /sbin/mknod

@kunthar

kunthar commented Dec 18, 2013

Docker 0.7 quick solution

docker run -i -t -privileged=true your/image /bin/bash

@kiorky
Contributor

kiorky commented Dec 18, 2013

dpkg-divert is a dangerous thing; seeing it more and more in Vagrant files makes me very concerned.

You'd be better off fixing the offending package: patch it at build time so it does not access the blocked resource.
Then you tell dpkg not to update it anymore.

Take an example from our Vagrantfiles, e.g.:
    # Hold fuse so apt will not replace the rebuilt package, then enable
    # deb-src entries, fetch the package, unpack it, swap its postinst
    # (which calls mknod) for a no-op, rebuild it, install it and hold it.
    FROZEN_PACKAGES="fuse"
    for i in $FROZEN_PACKAGES; do \
      echo "$i hold" | dpkg --set-selections; \
    done && \
    grep "deb " /etc/apt/sources.list | sed -re "s/^deb /deb-src /g" >> /etc/apt/sources.list && \
    apt-get -q update && apt-get upgrade -y --force-yes && \
    apt-get install -y --force-yes libfuse2 apt-utils && \
    mkdir -pv /root/debbuild && \
    cd /root/debbuild && \
    for i in $FROZEN_PACKAGES; do \
      mkdir -p "$i" && cd "$i" && \
      apt-get download -y "$i" && \
      dpkg-deb -X "$i"*.deb build && \
      dpkg-deb -e "$i"*.deb build/DEBIAN && \
      rm ./*.deb && cd ..; \
    done && \
    printf '#!/bin/bash\nexit 0\n' > /root/debbuild/fuse/build/DEBIAN/postinst && \
    chmod 755 /root/debbuild/fuse/build/DEBIAN/postinst && \
    for i in $FROZEN_PACKAGES; do \
      cd "/root/debbuild/$i/build" && \
      dpkg-deb -b . "/root/debbuild/$i.deb"; \
    done && \
    for i in $FROZEN_PACKAGES; do \
      dpkg -i "/root/debbuild/$i.deb" && \
      echo "$i hold" | dpkg --set-selections; \
    done

Real example here: https://github.com/makinacorpus/vms/blob/master/docker/makinacorpus/ubuntu_template/

phanect added a commit to phanect/ossetup that referenced this issue Jul 2, 2016
phanect added a commit to phanect/ossetup that referenced this issue Jul 9, 2016
phanect added a commit to phanect/ossetup that referenced this issue Jul 16, 2016
@yinonby

yinonby commented Aug 12, 2016

I keep getting this error. This is my ~/.config/lxc/default.conf:
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

I added:
lxc.cgroup.devices.allow = c 10:229 rwm

created a new lxc container, but keep getting this error:

root@my-container:/# apt-get -y install fuse
Reading package lists... Done
Building dependency tree
Reading state information... Done
fuse is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up fuse (2.9.4-1ubuntu1) ...
Creating fuse device...
mknod: ‘fuse-’: Operation not permitted
makedev fuse c 10 229 root root 0660: failed
chmod: cannot access ‘/dev/fuse’: No such file or directory
dpkg: error processing package fuse (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
fuse
E: Sub-process /usr/bin/dpkg returned an error code (1)

I disabled apparmor but kept getting it.

Any help would be appreciated.

@thaJeztah
Member

@yinonby docker no longer uses lxc, so probably best to post your question there. If you want to run fuse in a docker container, this works (see the documentation):

$ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse ubuntu

Then, inside the container

apt-get update && apt-get install -y sshfs

mkdir -p /mnt/droplet
sshfs -o allow_other user@host:/ /mnt/droplet

@justincormack
Contributor

You need --cap-add MKNOD as well, or add the fuse device.

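The prerequisites named in this thread (jpetazzo's 10:229 device allow plus dropping mknod/sys_admin from lxc.cap.drop, and thaJeztah's `--cap-add SYS_ADMIN --device /dev/fuse` with justincormack's note about MKNOD) can be checked from inside a running container before anyone reaches for `--privileged`. The script below is an added example, not code from this thread or from Docker; the function names are mine, and the capability bit numbers (CAP_SYS_ADMIN = 21, CAP_MKNOD = 27) are the kernel's, as read from the CapEff line of /proc/<pid>/status.

```shell
#!/bin/sh
# Added example: check from inside a container whether a FUSE mount can work.
# It needs CAP_SYS_ADMIN for mount(2) and either an existing /dev/fuse
# (passed in with --device) or CAP_MKNOD plus a device cgroup that allows
# c 10:229 so that /dev/fuse can be created. Bit numbers come from the
# kernel's capability.h: CAP_SYS_ADMIN = 21, CAP_MKNOD = 27.

# cap_in_mask MASK BIT: succeed when BIT is set in MASK, the hex string found
# on the CapEff line of /proc/<pid>/status. Works one hex digit at a time so
# it does not depend on 64-bit shell arithmetic.
cap_in_mask() {
    mask=$1; bit=$2
    idx=$(( ${#mask} - bit / 4 ))       # 1-based digit position from the left
    [ "$idx" -ge 1 ] || return 1        # mask too short to hold that bit
    digit=$(printf '%s' "$mask" | cut -c "$idx")
    [ $(( (0x$digit >> (bit % 4)) & 1 )) -eq 1 ]
}

# fuse_prereqs STATUS_FILE DEV_DIR: print what is missing for a FUSE mount,
# given a /proc/<pid>/status file and a /dev directory; succeed when nothing is.
fuse_prereqs() {
    status=$1; devdir=$2; missing=0
    mask=$(sed -n 's/^CapEff:[[:space:]]*//p' "$status")
    if ! cap_in_mask "$mask" 21; then
        echo "missing CAP_SYS_ADMIN (needed by mount): run with --cap-add SYS_ADMIN"
        missing=1
    fi
    if [ ! -c "$devdir/fuse" ]; then
        if cap_in_mask "$mask" 27; then
            echo "no $devdir/fuse: CAP_MKNOD is present, so 'mknod $devdir/fuse c 10 229' can create it if the device cgroup allows 10:229"
        else
            echo "no $devdir/fuse and no CAP_MKNOD: pass it in with --device /dev/fuse"
        fi
        missing=1
    fi
    return "$missing"
}

# Constructed sample: the CapEff mask of Docker's default (unprivileged)
# capability set, in which MKNOD is kept but SYS_ADMIN is dropped.
tmp=$(mktemp -d)
printf 'Name:\tsh\nCapEff:\t00000000a80425fb\n' > "$tmp/status"
mkdir "$tmp/dev"
if fuse_prereqs "$tmp/status" "$tmp/dev"; then echo "FUSE prerequisites present"; fi
# Real use inside a container: fuse_prereqs /proc/self/status /dev
rm -rf "$tmp"
```

Against the constructed default-capability sample it reports the missing CAP_SYS_ADMIN and the absent /dev/fuse, which is exactly the pair of errors the thread's `Operation not permitted` and `cannot open /dev/fuse` messages correspond to.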
