Can't use Fuse within a container #514
Comments
It should work out of the box, provided that you uncomment the relevant line in lxc-template.go :-) |
Would you happen to know off the top of your head what capability needs to be enabled and if it is safe to do so? |
It's a mount, so you need CAP_SYS_ADMIN. |
Hi, Gentlemen. I'm trying to use gluster from a docker image and getting:
[2013-06-12 08:59:06.191225] E [mount.c:598:gf_fuse_mount] 0-glusterfs-fuse: cannot open /dev/fuse (No such file or directory)
If I understand it correctly, looks like I need to uncomment something on the source code and maybe recompile it? Sorry for the beginner question, but I'm a sysadmin and not a developer. ;) |
Hi Eri, yes, by default docker locks down privileges of containers to a minimum - in particular the host's device files are not accessible. This can be changed by tweaking lxc_template.go and recompiling. We plan on allowing this kind of tweaking dynamically (feel free to make a PR if you're inspired!)
|
Specifically, you need to uncomment [1] https://github.com/dotcloud/docker/blob/master/lxc_template.go#L63 |
I think what I am trying to do in #460 will help in this use case because you can dynamically change the LXC template.... except.... what does LXC do if a directive is listed twice? Use only the last one? If it is not predictable (or it errors), then the patch in #460 would need to be modified to detect the presence of a JSON-configured |
This will be possible by manually relaxing the lxc restrictions, either individually, or wholesale with a "privileged mode" as discussed above. In the meantime, the current default behavior is correct for security reasons. |
I am confused as to whether it is possible to relax restrictions now to use FUSE. I would suggest keeping this ticket open until that is the case. |
As a workaround, in case your packages require fuse to be installed but do not actually use it, it suffices to install fuse without creating its device links. A short snippet to put into your Dockerfile can be found here: https://gist.github.com/henrik-muehe/6155333 I successfully installed basex (which has jdk and therefore fuse as a dependency) this way and it 'works for me'. |
Hi, To the Docker team - what's the long-term solution to this problem? I'm currently hitting this issue when attempting to install openjdk-7-jdk, which pulls in fuse. Using @henrik-muehe's workaround works; however, it'd be nice if there was a more permanent fix, or official solution? Cheers, |
"docker build" will support the required operations (namely, mknod). |
+1 |
@jpetazzo, "docker build" suffers from the same problem btw. @henrik-muehe's workaround works like a charm, thanks Henrik! |
If you're not actually using the device file (but it's just part of a post-inst script as in the case with the fuse package), you can do:
or:
|
Docker 0.7 quick solution:
docker run -i -t -privileged=true your/image /bin/bash |
dpkg-divert is a dangerous thing; seeing it more and more in Vagrant files makes me very concerned. You would do better to fix the offending package, patching it at build time so that it does not access the blocked resource.
Real example here: https://github.com/makinacorpus/vms/blob/master/docker/makinacorpus/ubuntu_template/ |
… install recommends for openjdk7 moby/moby#514 and http://blog.backupify.com/2014/01/31/deploying-open-source-platform-docker-part-one/ Former-commit-id: 42d3681e6b576153d63bc644fadb03d74bdc1472
This is also a workaround for: moby/moby#514 moby/moby#963
I keep getting this error. This is my ~/.config/lxc/default.conf: I added: created a new lxc container, but keep getting this error: root@my-container:/# apt-get -y install fuse I disabled apparmor but kept getting it. Any help would be appreciated. |
@yinonby docker no longer uses lxc, so probably best to post your question there. If you want to run fuse in a docker container, this works (see the documentation):
$ docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse ubuntu
Then, inside the container
|
You need --cap-add MKNOD as well, or add the fuse device.
|
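The two replies above name three prerequisites for FUSE in a container: CAP_SYS_ADMIN, the /dev/fuse device, and CAP_MKNOD. As an added example (not code from this thread or from Docker), this script checks them from inside a container by reading the effective capability mask; the function names and the two sample masks are constructed for illustration, and the bit numbers are those in linux/capability.h.

```shell
#!/bin/sh
# Added example, not from the thread. Capability bit numbers are from
# linux/capability.h; function names are illustrative.
CAP_SYS_ADMIN=21   # needed for mount(2), which a FUSE mount uses
CAP_MKNOD=27       # needed to create /dev/fuse with mknod

# has_cap MASK BIT: succeed if BIT is set in the hex capability MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [FILE]: print the CapEff mask from a /proc/<pid>/status file.
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# fuse_check MASK [DEVICE]: report what is missing; succeed if nothing is.
fuse_check() {
    mask=$1; dev=${2:-/dev/fuse}; rc=0
    if ! has_cap "$mask" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN missing: add --cap-add SYS_ADMIN"
        rc=1
    fi
    if [ ! -c "$dev" ]; then
        if has_cap "$mask" "$CAP_MKNOD"; then
            echo "$dev missing (CAP_MKNOD is present): add --device $dev"
        else
            echo "$dev missing, CAP_MKNOD missing: add --device $dev"
        fi
        rc=1
    fi
    return $rc
}

# Constructed sample masks: a container without and with SYS_ADMIN.
for m in 00000000a80425fb 00000000a82425fb; do
    echo "sample mask $m:"
    fuse_check "$m" || true
done

# The live process, when /proc exposes CapEff.
live=$(cap_eff 2>/dev/null || true)
if [ -n "$live" ]; then
    echo "this process ($live):"
    fuse_check "$live" || true
fi
```

A container that passes this check with only SYS_ADMIN and the single device added has what FUSE needs without privileged mode.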
Revert "systemd: add multi-user.target to After list"
It would be nice to be able to use Fuse within a container.