Bindmount for .X11-unix only works when done if container is running

[eraserix]

Required information

• Distribution: Ubuntu
• Distribution version: 14.04.5
• The output of "lxc info" or if that fails:
  • Kernel version: 4.4.0-121-generic
  • LXC version: 3.0.0
  • LXD version: 3.0.0
  • Storage backend in use: btrfs

Issue description

Forwarding the X11-socket only works when I add the device after the container has been started. It does not work when the device is configured while the container is not running or if the container is restarted.

Steps to reproduce

$ lxc init images:debian/8 c -c security.privileged=true
Creating c
$ lxc start c
# make sure the .X11-unix does not get cleaned by systemd
$ lxc exec c -- ln -s /dev/null /etc/tmpfiles.d/tmp.conf
$ lxc config device add c x11 disk path=/tmp/.X11-unix source=/tmp/.X11-unix
$ lxc exec c ls /tmp/.X11-unix 
X0
$ lxc restart c
$ lxc exec c ls /tmp/.X11-unix
<empty dir listing>
$ lxc config device remove c x11                                            
Error: Error unmounting the device: Failed to run: /snap/lxd/current/bin/lxd forkmount umount 11374 /tmp/.X11-unix: Error unmounting /tmp/.X11-unix: Invalid argument

[brauner]

Yes, I think I know why. This usually happens when systemd mounts a new tmpfs over your mount. One way to fix this that should work is to tell LXC to mount the tmpfs for you which systemd will respect:

lxc config add c raw.lxc "lxc.mount.entry = /tmp tmp tmpfs bind,none,create=dir 0 0"

[eraserix]

Thanks for the suggestion, I'm sure it is the right direction. I don't get while using bind option when mounting a tmpfs?

Anyway, I tried and it fails in other funny ways. Just to be sure, I also masked tmp.mount in systemd, which is responsible for mounting tmp as tmpfs. (documented here)

# configure as above
$ lxc exec c systemctl mask tmp.mount
$ lxc stop c
$ lxc config set c raw.lxc "lxc.mount.entry = tmp tmp tmpfs create=dir 0 0"
$ lxc start c
$ lxc exec c systemctl | grep tmp
  tmp-.X11\x2dunix.mount            loaded active mounted   /tmp/.X11-unix
● tmp.mount                         masked active mounted   tmp.mount
  ...

I have the following theory:

• For some reason, systemd shows a mount unit for every mount that is done by lxd. So that is why there is a "masked" tmp.mount
• lxd itself overmounts the other bindmount.
• When I remove the tmpfs mount configured above, I see X0 as expected. But my /tmp is no longer on a tmpfs (no lxc.mount.entry and no systemd tmp.mount unit)

Is it possible that lxd itself overmounts bindmounts? Or is there some logic that avoids this?

I also found lxc/lxc#434, which seems to tackle the same problem.

[stgraber]

Nothing that we can do here. Those mounts inside the container aren't going to be there when LXD sets up its own.

My usual approach for things like that (/tmp or /run paths), is to have LXD mount them somewhere else, then doing another bind-mount or move mount inside the container.

So something like this:

lxc config device add c x11 disk source=/tmp/.X11-unix path=/mnt/x11

And then in the container, have an init script (or more hackish, use /etc/rc.local) to:

mkdir -p /tmp/.X11-unix
mount --bind /mnt/x11 /tmp/.X11-unix

This will avoid the two main issues with /tmp:

• Over-mounting
• Init systems wiping it clean on boot

[stgraber]

Closing the issue as there's nothing particularly good that LXD can do when the container alters the mount table. Once we get abstract unix socket support to the proxy device, there'll be a much nicer way to forward X11 access to a container, without having to deal with any of that.

That's tracked in #4167

[eraserix]

Thanks for the help!

After some fiddling with systemd I ended up with the script below to bindmount /mnt/x11 to /tmp/.X11-unix. It runs after systemd has mounted and cleaned /tmp. The filename is important, it needs to match the target mountpoint after systemd escaping.

lxc file push - c/etc/systemd/system/tmp-.X11\\x2dunix.mount <<EOF
[Unit]
Description=Bindmount /mnt/x11 to /tmp/.X11-unix
After=sysinit.target

[Mount]
What=/mnt/x11
Where=/tmp/.X11-unix
Type=none
Options=bind

[Install]
WantedBy=multi-user.target
EOF

lxc exec c systemctl daemon-reload
lxc exec c systemctl enable tmp-.X11\\x2dunix.mount

[Seas0]

Direct mounting /tmp/.X11-unix should be possible, with commenting out the .X11-unix creation in systemd-tmpfiles config.
First copy the config in /usr/lib/tmpfiles.d/ to /etc/tmpfiles.d/, which would shadow the former one.
# cp /usr/lib/tmpfiles.d/x11.conf /etc/tmpfiles.d/
Next comment out the creation of /tmp/.X11-unix in /etc/tmpfiles.d/x11.conf
# vim /etc/tmpfiles.d/x11.conf

#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it
#  under the terms of the GNU Lesser General Public License as published by
#  the Free Software Foundation; either version 2.1 of the License, or
#  (at your option) any later version.

# See tmpfiles.d(5) for details

# Make sure these are created by default so that nobody else can
# or empty them at startup
# D! /tmp/.X11-unix 1777 root root 10d
D! /tmp/.ICE-unix 1777 root root 10d
D! /tmp/.XIM-unix 1777 root root 10d
D! /tmp/.font-unix 1777 root root 10d
D! /tmp/.Test-unix 1777 root root 10d

# Unlink the X11 lock files
# r! /tmp/.X[0-9]*-lock

Then shutdown your container && change your container configuration accordingly.