Unable to mount squashfs inside unprivileged container (mount failed: Unknown error -1) #1854

Closed
Degot opened this issue Oct 12, 2017 · 19 comments

@Degot Degot commented Oct 12, 2017

Host:
Ubuntu 17.04 amd64
Linux core 4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:46:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

lxc-start --version -> 2.0.8

LXC containers are unprivileged.

Steps to reproduce:

 lxc-create -t download -n test -- -d ubuntu -r zesty -a amd64
 lxc-start -n test
 lxc-attach -n test

in container:

apt install squashfs-tools -y
cd /tmp
mkdir foo
mkdir baz
touch foo/bar
mksquashfs foo foo.squash
mount foo.squash baz

output:


Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on foo.squash, block size 131072.


Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, compressed xattrs
        duplicates are removed
Filesystem size 0.19 Kbytes (0.00 Mbytes)
        89.24% of uncompressed filesystem size (0.22 Kbytes)
Inode table size 44 bytes (0.04 Kbytes)
        66.67% of uncompressed inode table size (66 bytes)
Directory table size 21 bytes (0.02 Kbytes)
        84.00% of uncompressed directory table size (25 bytes)
Number of duplicate files found 1
Number of inodes 2
Number of files 1
Number of fragments 0
Number of symbolic links  0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 1
Number of ids (unique uids + gids) 1
Number of uids 1
        root (0)
Number of gids 1
        root (0)
root@test:/tmp# mount foo.squash baz
mount: baz: mount failed: Unknown error -1

container's config:

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536
lxc.rootfs = /home/user/lxc/test/rootfs
lxc.rootfs.backend = dir
lxc.utsname = test

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3d:04:89:40

Host's syslog as well as container's syslog doesn't have any related errors/messages.

snap install (snapd package) can't be used because of that.
Do you have any ideas?

Member

@stgraber stgraber commented Oct 12, 2017

You can't mount squashfs as an unprivileged user. To install snaps, just install the "squashfuse" package which will then let you install snaps without actually using the kernel squashfs filesystem.

@stgraber stgraber closed this Oct 12, 2017
Author

@Degot Degot commented Oct 12, 2017

@stgraber


apt install squashfuse snapd -y

root@test:/# snap install hello
error: cannot perform the following tasks:
- Mount snap "core" (3017) ([start snap-core-3017.mount] failed with exit status 1: Job for snap-core-3017.mount failed.
See "systemctl status snap-core-3017.mount" and "journalctl -xe" for details.
)
root@test:/# systemctl status snap-core-3017.mount
● snap-core-3017.mount - Mount unit for core
   Loaded: loaded (/etc/systemd/system/snap-core-3017.mount; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-10-12 13:21:17 UTC; 5s ago
    Where: /snap/core/3017
     What: /var/lib/snapd/snaps/core_3017.snap
  Process: 314 ExecMount=/bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t squashfs -o nodev,ro (code=exited, status=32)

Oct 12 13:21:17 test systemd[1]: Mounting Mount unit for core...
Oct 12 13:21:17 test systemd[1]: snap-core-3017.mount: Mount process exited, code=exited status=32
Oct 12 13:21:17 test systemd[1]: Failed to mount Mount unit for core.
Oct 12 13:21:17 test systemd[1]: snap-core-3017.mount: Unit entered failed state.
root@test:/# /bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t squashfs -o nodev,ro
mount: /snap/core/3017: mount failed: Unknown error -1

Doesn't work.

Member

@stgraber stgraber commented Oct 12, 2017

Do you have /dev/fuse in that container?

Member

@stgraber stgraber commented Oct 12, 2017

Looking at the snapd code, that seems to be the main check that's in place to decide whether to use squashfuse or not

Author

@Degot Degot commented Oct 12, 2017

no, /dev/fuse is not there

Member

@stgraber stgraber commented Oct 12, 2017

Try adding:

lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional

Then restart your container.

Member

@stgraber stgraber commented Oct 12, 2017

That should get you a working /dev/fuse which hopefully will be enough to make squashfuse happy.

Author

@Degot Degot commented Oct 12, 2017

Yes, /dev/fuse appeared, but mount fails, while squashfuse works. Any ideas?


root@test:/# systemctl status snap-core-3017.mount
● snap-core-3017.mount - Mount unit for core
   Loaded: loaded (/etc/systemd/system/snap-core-3017.mount; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-10-12 15:26:28 UTC; 7s ago
    Where: /snap/core/3017
     What: /var/lib/snapd/snaps/core_3017.snap
  Process: 3952 ExecMount=/bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t fuse.squashfuse -o nodev,ro,allow_other (code=exited, status=32)

Oct 12 15:26:28 test systemd[1]: Mounting Mount unit for core...
Oct 12 15:26:28 test systemd[1]: snap-core-3017.mount: Mount process exited, code=exited status=32
Oct 12 15:26:28 test systemd[1]: Failed to mount Mount unit for core.
Oct 12 15:26:28 test systemd[1]: snap-core-3017.mount: Unit entered failed state.
root@test:/# /bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t fuse.squashfuse -o nodev,ro,allow_other
mount: wrong fs type, bad option, bad superblock on /var/lib/snapd/snaps/core_3017.snap,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.
root@test:/# squashfuse  -o nodev,ro,allow_other /var/lib/snapd/snaps/core_3017.snap /snap/core/3017
root@test:/# ls -la /snap/core/3017
total 0
drwxr-xr-x  2 root root 0 Sep 28 02:49 bin
drwxr-xr-x  6 root root 0 Sep 28 02:49 boot
drwxr-xr-x  4 root root 0 Sep 28 02:49 dev
drwxr-xr-x 80 root root 0 Sep 28 02:49 etc
drwxr-xr-x  2 root root 0 Apr 12  2016 home
drwxr-xr-x 20 root root 0 Sep 28 02:49 lib
drwxr-xr-x  2 root root 0 Sep 28 02:49 lib64
drwxr-xr-x  2 root root 0 Sep 28 02:45 media
drwxr-xr-x  3 root root 0 Sep 28 02:50 meta
drwxr-xr-x  2 root root 0 Sep 28 02:45 mnt
drwxr-xr-x  2 root root 0 Sep 28 02:45 opt
drwxr-xr-x  2 root root 0 Apr 12  2016 proc
drwx------  2 root root 0 Sep 28 02:49 root
drwxr-xr-x  8 root root 0 Sep 28 02:49 run
drwxr-xr-x  2 root root 0 Sep 28 02:49 sbin
drwxr-xr-x  2 root root 0 Sep 27 22:13 snap
drwxr-xr-x  2 root root 0 Sep 28 02:45 srv
drwxr-xr-x  2 root root 0 Feb  5  2016 sys
drwxrwxrwt  2 root root 0 Sep 28 02:48 tmp
drwxr-xr-x 11 root root 0 Sep 28 02:49 usr
drwxr-xr-x 12 root root 0 Sep 28 02:49 var
drwxr-xr-x  2 root root 0 Sep 28 02:47 writable
root@test:/#

Member

@stgraber stgraber commented Oct 12, 2017

do you see any denial in dmesg output?

Author

@Degot Degot commented Oct 12, 2017

/var/log/dmesg doesn't exist in container
no messages in /var/log/syslog on host

Member

@stgraber stgraber commented Oct 12, 2017

The "dmesg" command.

Author

@Degot Degot commented Oct 12, 2017

dmesg command shows host's output... nothing related to mount

Member

@stgraber stgraber commented Oct 12, 2017

Works fine here. The most likely cause was apparmor doing some kind of denials which would lead to a cryptic dmesg entry.

Author

@Degot Degot commented Oct 14, 2017

Unfortunately, no errors from apparmor... no errors from anything at all


@benpro benpro commented Feb 21, 2018

I had the same issue in a Xenial container. If I launch the ExecMount of the unit I have:

# /bin/mount /var/lib/snapd/snaps/core_4017.snap /snap/core/4017 -t fuse.squashfuse -o nodev,ro,allow_other
mount: wrong fs type, bad option, bad superblock on /var/lib/snapd/snaps/core_4017.snap,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

Nothing in dmesg. It looks like the -t fuse.squashfuse wasn't understood by mount.
Why? Because the fuse package was not installed!! It is not a dependency of the squashfuse package.


@Zjemm Zjemm commented Jun 3, 2018

Same problems here on both a Debian container and an Ubuntu container.


@3v1n0 3v1n0 commented Jun 15, 2018

I had the same in a machine where the host had only LXC (not LXD).

To fix my issues I only had to include these lines in the container config file:

# Mounting fuse (for snap squashfs)
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional

# Mount cgroup in rw to get snaps working
lxc.mount.auto=cgroup:rw

Then install all these packages (fuse too):
sudo apt install snapd squashfuse fuse

In my case, also:
sudo mkdir /lib/modules

Thus, doing only sudo snap install hello-world && snap run hello-world should work


@jcconnell jcconnell commented Mar 30, 2020

For anyone who may be interested in installing Nextcloud via Snap in a Proxmox LXC container, the following process worked for me. This issue frequently came up while researching a solution, so I'm posting here in the hopes that it helps someone else. Here is what I did from a fresh Ubuntu 18.04 container:

sudo apt update && sudo apt upgrade -y
sudo apt install squashfuse fuse
sudo apt install snapd
sudo mkdir /lib/modules

From the Proxmox host, edit the config file at /etc/pve/lxc/<CTID> and add:

# Mounting fuse (for snap squashfs)
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional

# Mount cgroup in rw to get snaps working
lxc.mount.auto=cgroup:rw

Then shut down and start your container. Now, Nextcloud will install:
sudo snap install nextcloud


@IlyaSemenov IlyaSemenov commented Oct 4, 2021

Note: you may want to put the above config into /usr/share/lxc/config/common.conf.d/999-fuse.conf if you want snapd/squashfs fixed in all containers at once.
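
Added example, not part of the thread or of the LXC project: a preflight script that collects the prerequisites the comments above identified one at a time (the /dev/fuse bind mount, the fuse package's mount helper, squashfuse, /lib/modules, and the two LXC config keys) and reports which are missing. The function names, the ROOT argument and the checked file locations (typical Debian/Ubuntu paths) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. File locations are assumptions based on
# Debian/Ubuntu package layouts; the ROOT argument is hypothetical and exists
# only so the checks can run against a test tree instead of the live "/".

# has_any ROOT PATH... : succeed if any PATH exists under ROOT.
has_any() {
    _root="$1"; shift
    for _p in "$@"; do
        if [ -e "$_root$_p" ]; then return 0; fi
    done
    return 1
}

# container_missing [ROOT] : print one keyword per prerequisite from the thread
# that is absent inside the container; prints nothing when all are present.
container_missing() {
    root="${1:-}"; root="${root%/}"
    # stgraber: snapd decides on squashfuse by checking for /dev/fuse.
    if ! has_any "$root" /dev/fuse; then echo dev-fuse; fi
    # benpro: -t fuse.squashfuse needs the helper shipped in the fuse package.
    if ! has_any "$root" /sbin/mount.fuse /usr/sbin/mount.fuse; then echo fuse; fi
    # The userspace squashfs driver itself.
    if ! has_any "$root" /usr/bin/squashfuse /bin/squashfuse; then echo squashfuse; fi
    # 3v1n0 and jcconnell both created this directory by hand.
    if ! has_any "$root" /lib/modules; then echo lib-modules; fi
    return 0
}

# config_missing FILE : print the LXC config keys from the thread that FILE lacks.
# Commented-out lines do not count as present.
config_missing() {
    if ! grep -Eq '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/dev/fuse[[:space:]]' "$1"; then
        echo lxc.mount.entry
    fi
    if ! grep -Eq '^[[:space:]]*lxc\.mount\.auto[[:space:]]*=.*cgroup:rw' "$1"; then
        echo lxc.mount.auto
    fi
    return 0
}

# Direct use: "sh preflight.sh container" inside the container,
#             "sh preflight.sh config FILE" on the host.
case "${1:-}" in
    container) container_missing / ;;
    config)    config_missing "$2" ;;
esac
```

An empty result from both modes means every item mentioned in the thread is in place; it does not rule out other causes such as AppArmor denials.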
