[Question] [lxc] possible to use fscrypt inside a Linux Container (lxc) #211
Comments
Filesystem encryption certainly should work inside of containers. What are the contents of This might be a bug in fscrypt, but I'm not sure.
Within the container:
I also tried on the host moving
But I get the same error as you see.
Yes, this is a bug. Since v0.2.6, in order to handle bind mounts better, Since you have:
... the root of the filesystem isn't mounted, so I think the expected behavior is that the metadata for this filesystem be stored at Earlier we had considered selecting a mountpoint whose subtree contains all the other subtrees, but that wouldn't work for you anyway since
Yes, this is outside of the container albeit on a different partition (I have I am thinking it would be better in the case of containers to store the metadata within the rootfs of the container rather than on the host system. So in the container's "/" rather than on the host's "/", as this should be part of the container, not the host. This is how Is this possible or could this be possible using fscrypt?
I'm not sure what you mean here, since your
That's basically what I suggested in my comment above. If we permitted non-root subtrees and if we selected the "main" mountpoint of a filesystem to be the one that contains the other mountpoints of that filesystem, then the metadata for Note, however, that encrypted directories created from within the container wouldn't be easily unlockable from outside the container, as the container and host system would disagree about where the fscrypt metadata is stored. Maybe that is okay though.
@ebiggers - Sorry, I have been experimenting with this on several machines. The output from my original entry above was indeed in
To me, that is the best way to containerize the encryption such that it is independent from the host (with the exception of residing on a shared filesystem). I would be grateful if you can modify the code to do it 😄 Please let me know if you would like some help in testing this.
I patched against 0.2.7 and installed it within the container. If I ssh into the container, I can:
On the host (i.e. outside of the container), I am able to see the contents of EDIT: I guess it would be since
Yes, that's expected. When encrypted files are unlocked (or locked), they are unlocked (or locked) for everyone. Encryption is orthogonal to access control. Like any other files, standard mechanisms like UNIX mode bits can be used to restrict access. Note that while access control mechanisms typically don't restrict access by
I figured that 😄 Your patch seems to be working just fine in the LXCs. As an aside, I added a simple systemd user service unit to lock the target directory when the LXC is shut down, which also seems to be working. There might be a more elegant method to achieve this.
Update the /proc/self/mountinfo parsing code to allow selecting a Mount with Subtree != "/", i.e. a Mount not of the full filesystem. This is needed to allow fscrypt to work in containers, where the root of the filesystem may not be mounted. See findMainMount() for details about the algorithm used. Resolves #211
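The two comments above (the "main mountpoint contains the other mountpoints" idea, and the commit that allows a Mount with Subtree != "/") describe the algorithm only in prose. The Go program below is an added example, not fscrypt's own findMainMount() or its mountinfo parser, written to show what selecting a main mount looks like when a container only has a subtree of the host filesystem mounted at "/". The mountinfo snippet is constructed, the device numbers and paths are made up, and the selection rule is a hypothetical one: prefer the mount with the shortest subtree (so "/" always wins), then require that every other mount of the same device lies inside it, refusing when the mounted subtrees are disjoint. The .fscrypt directory at the root of the chosen mount is where fscrypt keeps per-filesystem metadata.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// Mount is the subset of a /proc/self/mountinfo entry needed here.
type Mount struct {
	Device  string // major:minor of the backing filesystem
	Subtree string // path inside the filesystem that is mounted; "/" means the whole fs
	Path    string // mount point as seen in this mount namespace
	FSType  string
}

// sampleMountinfo is a constructed snippet, as a container might see it: only the
// rootfs subtree of 8:2 is mounted at "/" plus a bind mount of a deeper subtree,
// a whole-fs mount of 8:1, two disjoint subtrees of 8:3, and an escaped space.
const sampleMountinfo = `21 0 8:2 /var/lib/lxc/c1/rootfs / rw,relatime - ext4 /dev/sda2 rw
22 21 8:2 /var/lib/lxc/c1/rootfs/home /home rw,relatime shared:1 - ext4 /dev/sda2 rw
23 21 8:1 / /boot rw,relatime - ext4 /dev/sda1 rw
24 21 8:3 /a /mnt/a rw,relatime - ext4 /dev/sda3 rw
25 21 8:3 /b /mnt/b rw,relatime - ext4 /dev/sda3 rw
26 21 0:5 / /dev\040with\040space rw - tmpfs tmpfs rw
`

// unescape decodes the \ooo octal escapes mountinfo uses in path fields
// (space, tab, newline and backslash).
func unescape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			if v, err := strconv.ParseUint(s[i+1:i+4], 8, 8); err == nil {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// parseMountinfo reads the mountinfo format: fixed fields, optional fields,
// a literal "-" separator, then fstype, source and super options.
func parseMountinfo(data string) ([]Mount, error) {
	var mounts []Mount
	for _, line := range strings.Split(data, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		sep := -1
		for i, f := range fields {
			if f == "-" {
				sep = i
				break
			}
		}
		if sep < 6 || sep+1 >= len(fields) {
			return nil, fmt.Errorf("malformed mountinfo line: %q", line)
		}
		mounts = append(mounts, Mount{
			Device:  fields[2],
			Subtree: unescape(fields[3]),
			Path:    unescape(fields[4]),
			FSType:  fields[sep+1],
		})
	}
	return mounts, nil
}

// containsPath reports whether directory parent contains path child.
func containsPath(parent, child string) bool {
	return parent == "/" || parent == child || strings.HasPrefix(child, parent+"/")
}

// findMainMount picks the mount of device whose subtree contains every other
// mounted subtree of that device (hypothetical rule, not fscrypt's exact one).
func findMainMount(mounts []Mount, device string) (Mount, error) {
	var cands []Mount
	for _, m := range mounts {
		if m.Device == device {
			cands = append(cands, m)
		}
	}
	if len(cands) == 0 {
		return Mount{}, fmt.Errorf("device %s is not mounted in this namespace", device)
	}
	// Shortest subtree first ("/" always wins), then shortest mount point.
	sort.SliceStable(cands, func(i, j int) bool {
		if len(cands[i].Subtree) != len(cands[j].Subtree) {
			return len(cands[i].Subtree) < len(cands[j].Subtree)
		}
		return len(cands[i].Path) < len(cands[j].Path)
	})
	best := cands[0]
	for _, m := range cands[1:] {
		if !containsPath(best.Subtree, m.Subtree) {
			return Mount{}, fmt.Errorf("device %s: no single mount contains the others (%q vs %q)",
				device, best.Subtree, m.Subtree)
		}
	}
	return best, nil
}

// metadataDir is the .fscrypt directory at the root of the chosen mount.
func metadataDir(m Mount) string {
	return filepath.Join(m.Path, ".fscrypt")
}

func main() {
	mounts, err := parseMountinfo(sampleMountinfo)
	if err != nil {
		panic(err)
	}
	for _, dev := range []string{"8:2", "8:1", "8:3", "0:5"} {
		m, err := findMainMount(mounts, dev)
		if err != nil {
			fmt.Println(dev+":", err)
			continue
		}
		fmt.Printf("%s: main mount %q (subtree %q) -> metadata in %s\n", dev, m.Path, m.Subtree, metadataDir(m))
	}
}
```

For device 8:2 the container picks "/" (subtree /var/lib/lxc/c1/rootfs), so its metadata lands in /.fscrypt inside the container, which is /var/lib/lxc/c1/rootfs/.fscrypt on the host; a host that has subtree "/" of the same device mounted would instead use its own /.fscrypt. That is the host/container disagreement the comment above warns about. Device 8:3, with only /a and /b mounted, is rejected because no single mount contains the other.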
My friend and I were very excited seeing this issue closed, but we are still having one issue with it working properly. We can't tell if this is LXC inside-the-container specific or an issue with fscrypt.
And seems using Here are our application versions. fscrypt is compiled from source, go is the binary from the Go website:
If I am doing drop-caches wrong, sorry to disrupt.
With v1 encryption policies, We already fixed this by introducing v2 encryption policies, but you need to update your kernel to a version that supports them (v5.4 or later). Then re-run
Thank you for letting me know. I knew I was missing something simple! I will check my repos for available 5.4+ kernels, or compile one from source. |
I'd like to use fscrypt within a Linux Container (LXC) to encrypt a directory therein. I'm finding that the user space util, fscrypt, does not like the fact that it is containerized. For example, I start the container and ssh into it:
Is there something I can modify with my config or via passing a switch upon setup, or is this something that needs to be handled within my LXC config?