Multipass can't mount ecryptfs folders on the host #1325

Open
davigar15 opened this issue Jan 29, 2020 · 7 comments
Labels
bug medium medium importance

Comments

@davigar15

Hello,

I was trying to build a snap with snapcraft, and it could mount local files to multipass. I replicated the error by creating a VM in multipass and trying to mount a folder. It works if the folder is /tmp, but not if the folder is under $HOME/.

My computer has encryption in the home folder.

I attach the steps I executed in the terminal, the output of journal -f and the output of mount in my $HOME directory.

Steps:

# Inside $HOME
multipass mount . test1804:/home/ubuntu/test
multipass exec test1804 bash
> ls -alh /home/ubuntu/test
# Empty

journal_f.txt
mount_homedir.txt

@townsend2010
Collaborator

townsend2010 commented Jan 29, 2020

Hi @davigar15,

I'm wondering if the . for your current directory isn't being handled correctly. In the meantime, you could use $HOME or ~/ instead. Let me know if that works for you and we'll investigate the use of ..

@cjp256

cjp256 commented Jan 29, 2020

@townsend2010 It looked like the data for his project was not correctly surfacing in the multipass VM.

Of interest to me was that @davigar15 is using ecryptfs on his home directory, which prompted me to ask him to try using /tmp instead. The project built as expected in /tmp.

/home/.ecryptfs/davigar15/.Private on /home/davigar15 type ecryptfs

@townsend2010
Collaborator

Ok, I'm not sure I follow, but I'll explain what I think is the issue 😁

So if the current directory on the host is $HOME and multipass mount . test1804:/home/ubuntu/test is issued, there is nothing in the mount in the instance and if the current directory is /tmp on the host and multipass mount . test1804:/home/ubuntu/test is issued, then there are files in the mount in the instance?

@townsend2010
Collaborator

Looking at the log provided, it looks like the mount process for test1804 crashed at exactly the same time as an instance named snapcraft-organize-command powered off. That seems quite suspicious 🤔

@cjp256

cjp256 commented Jan 29, 2020

Yeah you nailed it @townsend2010. I did repro independently:

sudo apt install ecryptfs-utils
sudo modprobe ecryptfs

# Will create ~/.Private and ~/Private, requires login password and mount password.
ecryptfs-setup-private --nopwcheck --noautomount

# Mount it.
ecryptfs-mount-private

cd ~/Private

# Option A: Broken snapcraft example.
git clone git://github.com/cjp256/snap-tests
cd snap-tests/organize-command
snapcraft

# Option B: Manual mount.
multipass mount /home/chris/Private/snap-tests/organize-command test1804:/home/ubuntu/organize-command

# Directory is empty... :(
multipass exec test1804 find /home/ubuntu/organize-command

@townsend2010
Collaborator

Hey @cjp256,

Thanks for the repro steps. We'll have to investigate how to handle this, but we'll take note that ecryptfs based mounts are not supported right now.

townsend2010 changed the title from "Multipass can't mount folders within my homedir" to "Multipass can't mount ecryptfs folders on the host" on Jan 30, 2020
townsend2010 added the "medium" (medium importance) label and removed the "low" (low importance) and "question" labels on Jan 30, 2020
@afreiberger

Here's my kernel log message showing the denial from apparmor for this issue.

[2002724.952378] audit: type=1400 audit(1625850818.490:593675): apparmor="DENIED" operation="open" profile="multipass.charm-dev.00d118a6.sshfs_server" name="/home/.ecryptfs/drew/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZHTIEXtURfi-R4NszmOfJTGYEh0fYSk3tZuRwgehxEMpgbh9sD376YG---/" pid=1562686 comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000

My guess is that multipass's home and all-homes snap plugins don't allow access beyond the containment field to read /home/.ecryptfs since it's not technically any user's homedir.
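
A log triage helper for the denial quoted in the comment above, as an added example that is not part of the thread or of Multipass: it scans kernel-log text for AppArmor DENIED records where a Multipass sshfs_server profile was refused access under /home/.ecryptfs. The profile-name layout is an assumption inferred from the single quoted line, and the function names and sample lines are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumed profile layout, inferred from the one name in the quoted log:
# multipass.<instance>.<hex id>.sshfs_server
PROFILE = re.compile(r'^multipass\.(?P<instance>.+)\.[0-9a-f]+\.sshfs_server$')

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        if key == "name" and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', bare):
            # The audit subsystem hex-encodes names with spaces or quotes.
            quoted = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields

def multipass_ecryptfs_denials(log_text):
    """Find denials of a Multipass sshfs_server profile on an eCryptfs
    lower directory (/home/.ecryptfs/<user>/...)."""
    hits = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        profile = PROFILE.match(f.get("profile", ""))
        parts = PurePosixPath(f.get("name", "")).parts
        if (f.get("apparmor") == "DENIED" and profile
                and len(parts) > 3 and parts[:3] == ("/", "home", ".ecryptfs")):
            hits.append({"instance": profile["instance"], "user": parts[3],
                         "path": f["name"], "denied_mask": f.get("denied_mask")})
    return hits

def _line(verdict, profile, name):
    """Build one constructed audit line in the shape of the quoted log."""
    return (f'[1.0] audit: type=1400 audit(1.0:1): apparmor="{verdict}" '
            f'operation="open" profile="{profile}" name={name} pid=4242 '
            f'comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000')

# Constructed sample input: instance, users and file names are placeholders.
MP = "multipass.vm1.00000000.sshfs_server"
SAMPLE_LOG = "\n".join([
    _line("DENIED", MP, '"/home/.ecryptfs/alice/.Private/ECRYPTFS_FNEK_ENCRYPTED.PLACEHOLDER/"'),
    _line("DENIED", MP, "/home/.ecryptfs/bob/.Private/a dir/".encode().hex().upper()),
    _line("DENIED", "snap.other.app", '"/home/.ecryptfs/alice/.Private/x"'),
    _line("ALLOWED", MP, '"/tmp/project/"'),
])

if __name__ == "__main__":
    for hit in multipass_ecryptfs_denials(SAMPLE_LOG):
        print(hit)
```

On a real host the input would be kernel-log text such as the output of `dmesg` or `journalctl -k`.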


4 participants