Unable to mount squashfs inside unprivileged container (mount failed: Unknown error -1) #1854

Closed
Degot opened this Issue Oct 12, 2017 · 17 comments

Degot commented Oct 12, 2017

Host:
Ubuntu 17.04 amd64
Linux core 4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:46:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

lxc-start --version -> 2.0.8

LXC containers are unprivileged.

Steps to reproduce:

 lxc-create -t download -n test -- -d ubuntu -r zesty -a amd64
 lxc-start -n test
 lxc-attach -n test

in container:

apt install squashfs-tools -y
cd /tmp
mkdir foo
mkdir baz
touch foo/bar
mksquashfs foo foo.squash
mount foo.squash baz

output:


Parallel mksquashfs: Using 8 processors
Creating 4.0 filesystem on foo.squash, block size 131072.


Exportable Squashfs 4.0 filesystem, gzip compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, compressed xattrs
        duplicates are removed
Filesystem size 0.19 Kbytes (0.00 Mbytes)
        89.24% of uncompressed filesystem size (0.22 Kbytes)
Inode table size 44 bytes (0.04 Kbytes)
        66.67% of uncompressed inode table size (66 bytes)
Directory table size 21 bytes (0.02 Kbytes)
        84.00% of uncompressed directory table size (25 bytes)
Number of duplicate files found 1
Number of inodes 2
Number of files 1
Number of fragments 0
Number of symbolic links  0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 1
Number of ids (unique uids + gids) 1
Number of uids 1
        root (0)
Number of gids 1
        root (0)
root@test:/tmp# mount foo.squash baz
mount: baz: mount failed: Unknown error -1

container's config:

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536
lxc.rootfs = /home/user/lxc/test/rootfs
lxc.rootfs.backend = dir
lxc.utsname = test

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3d:04:89:40

Host's syslog as well as container's syslog doesn't have any related errors/messages.

snap install (snapd package) can't be used because of that.
Do you have any ideas?

Member

stgraber commented Oct 12, 2017

You can't mount squashfs as an unprivileged user. To install snaps, just install the "squashfuse" package which will then let you install snaps without actually using the kernel squashfs filesystem.

@stgraber stgraber closed this Oct 12, 2017

Author

Degot commented Oct 12, 2017

@stgraber


apt install squashfuse snapd -y

root@test:/# snap install hello
error: cannot perform the following tasks:
- Mount snap "core" (3017) ([start snap-core-3017.mount] failed with exit status 1: Job for snap-core-3017.mount failed.
See "systemctl status snap-core-3017.mount" and "journalctl -xe" for details.
)
root@test:/# systemctl status snap-core-3017.mount
● snap-core-3017.mount - Mount unit for core
   Loaded: loaded (/etc/systemd/system/snap-core-3017.mount; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-10-12 13:21:17 UTC; 5s ago
    Where: /snap/core/3017
     What: /var/lib/snapd/snaps/core_3017.snap
  Process: 314 ExecMount=/bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t squashfs -o nodev,ro (code=exited, status=32)

Oct 12 13:21:17 test systemd[1]: Mounting Mount unit for core...
Oct 12 13:21:17 test systemd[1]: snap-core-3017.mount: Mount process exited, code=exited status=32
Oct 12 13:21:17 test systemd[1]: Failed to mount Mount unit for core.
Oct 12 13:21:17 test systemd[1]: snap-core-3017.mount: Unit entered failed state.
root@test:/# /bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t squashfs -o nodev,ro
mount: /snap/core/3017: mount failed: Unknown error -1

Doesn't work.

Member

stgraber commented Oct 12, 2017

Do you have /dev/fuse in that container?

Member

stgraber commented Oct 12, 2017

Looking at the snapd code, that seems to be the main check that's in place to decide whether to use squashfuse or not

Author

Degot commented Oct 12, 2017

no, /dev/fuse is not there

Member

stgraber commented Oct 12, 2017

Try adding:

lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional

Then restart your container.

Member

stgraber commented Oct 12, 2017

That should get you a working /dev/fuse which hopefully will be enough to make squashfuse happy.

Author

Degot commented Oct 12, 2017

Yes, /dev/fuse appeared, but mount fails, while squashfuse works. Any ideas?


root@test:/# systemctl status snap-core-3017.mount
● snap-core-3017.mount - Mount unit for core
   Loaded: loaded (/etc/systemd/system/snap-core-3017.mount; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-10-12 15:26:28 UTC; 7s ago
    Where: /snap/core/3017
     What: /var/lib/snapd/snaps/core_3017.snap
  Process: 3952 ExecMount=/bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t fuse.squashfuse -o nodev,ro,allow_other (code=exited, status=32)

Oct 12 15:26:28 test systemd[1]: Mounting Mount unit for core...
Oct 12 15:26:28 test systemd[1]: snap-core-3017.mount: Mount process exited, code=exited status=32
Oct 12 15:26:28 test systemd[1]: Failed to mount Mount unit for core.
Oct 12 15:26:28 test systemd[1]: snap-core-3017.mount: Unit entered failed state.
root@test:/# /bin/mount /var/lib/snapd/snaps/core_3017.snap /snap/core/3017 -t fuse.squashfuse -o nodev,ro,allow_other
mount: wrong fs type, bad option, bad superblock on /var/lib/snapd/snaps/core_3017.snap,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.
root@test:/# squashfuse  -o nodev,ro,allow_other /var/lib/snapd/snaps/core_3017.snap /snap/core/3017
root@test:/# ls -la /snap/core/3017
total 0
drwxr-xr-x  2 root root 0 Sep 28 02:49 bin
drwxr-xr-x  6 root root 0 Sep 28 02:49 boot
drwxr-xr-x  4 root root 0 Sep 28 02:49 dev
drwxr-xr-x 80 root root 0 Sep 28 02:49 etc
drwxr-xr-x  2 root root 0 Apr 12  2016 home
drwxr-xr-x 20 root root 0 Sep 28 02:49 lib
drwxr-xr-x  2 root root 0 Sep 28 02:49 lib64
drwxr-xr-x  2 root root 0 Sep 28 02:45 media
drwxr-xr-x  3 root root 0 Sep 28 02:50 meta
drwxr-xr-x  2 root root 0 Sep 28 02:45 mnt
drwxr-xr-x  2 root root 0 Sep 28 02:45 opt
drwxr-xr-x  2 root root 0 Apr 12  2016 proc
drwx------  2 root root 0 Sep 28 02:49 root
drwxr-xr-x  8 root root 0 Sep 28 02:49 run
drwxr-xr-x  2 root root 0 Sep 28 02:49 sbin
drwxr-xr-x  2 root root 0 Sep 27 22:13 snap
drwxr-xr-x  2 root root 0 Sep 28 02:45 srv
drwxr-xr-x  2 root root 0 Feb  5  2016 sys
drwxrwxrwt  2 root root 0 Sep 28 02:48 tmp
drwxr-xr-x 11 root root 0 Sep 28 02:49 usr
drwxr-xr-x 12 root root 0 Sep 28 02:49 var
drwxr-xr-x  2 root root 0 Sep 28 02:47 writable
root@test:/#

Member

stgraber commented Oct 12, 2017

Do you see any denial in dmesg output?

Author

Degot commented Oct 12, 2017

/var/log/dmesg doesn't exist in container
no messages in /var/log/syslog on host

Member

stgraber commented Oct 12, 2017

The "dmesg" command.

Author

Degot commented Oct 12, 2017

dmesg command shows host's output... nothing related to mount

Member

stgraber commented Oct 12, 2017

Works fine here. The most likely cause was apparmor doing some kind of denials which would lead to a cryptic dmesg entry.

Author

Degot commented Oct 14, 2017

Unfortunately, no errors from apparmor... no errors from anything at all


benpro commented Feb 21, 2018

I had the same issue in a Xenial container. If I launch the ExecMount of the unit I have:

# /bin/mount /var/lib/snapd/snaps/core_4017.snap /snap/core/4017 -t fuse.squashfuse -o nodev,ro,allow_other
mount: wrong fs type, bad option, bad superblock on /var/lib/snapd/snaps/core_4017.snap,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

Nothing in dmesg. It looks like the -t fuse.squashfuse wasn't understood by mount.
Why? Because the fuse package was not installed!! It is not a dependency of the squashfuse package.


Zjemm commented Jun 3, 2018

Same problems here on both a Debian container and an Ubuntu container.


3v1n0 commented Jun 15, 2018

I had the same in a machine where the host had only LXC (not LXD).

To fix my issues I only had to include these lines in the container config file:

# Mounting fuse (for snap squashfs)
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional

# Mount cgroup in rw to get snaps working
lxc.mount.auto=cgroup:rw

Then install all these packages (fuse too):
sudo apt install snapd squashfuse fuse

In my case, also:
sudo mkdir /lib/modules

Thus, doing only sudo snap install hello-world && snap run hello-world should work
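
The prerequisites this thread converged on (a /dev/fuse node, the mount.fuse helper from the fuse package, the squashfuse binary and, in one report, /lib/modules), collected into a preflight check. This is an added example, not code from LXC, snapd or any participant; the function names, the ROOT parameter and the searched directories are assumptions.

```shell
#!/bin/sh
# Added example: preflight for snapd's squashfuse fallback in an unprivileged
# LXC container. snap_fuse_preflight [ROOT] prints one line per finding and
# returns the number of MISSING items. ROOT is a hypothetical parameter for
# checking an unpacked rootfs from the host; omit it inside the container.

# has_exec ROOT NAME: succeed if NAME is executable in a usual binary directory
# (assumed search list; Debian/Ubuntu ship the helper as /sbin/mount.fuse).
has_exec() {
    for dir in sbin usr/sbin bin usr/bin; do
        if [ -x "$1/$dir/$2" ]; then
            return 0
        fi
    done
    return 1
}

snap_fuse_preflight() {
    root=${1:-}
    root=${root%/}
    failures=0

    # The thread's first fix: without the FUSE device node, the kernel
    # squashfs mount is attempted and fails in an unprivileged container.
    if [ ! -c "$root/dev/fuse" ]; then
        echo "MISSING /dev/fuse: add the lxc.mount.entry bind mount, then restart"
        failures=$((failures + 1))
    fi
    # "mount -t fuse.squashfuse" is dispatched through the mount.fuse helper,
    # which the fuse package provides and squashfuse does not depend on.
    if ! has_exec "$root" mount.fuse; then
        echo "MISSING mount.fuse helper: install the fuse package"
        failures=$((failures + 1))
    fi
    if ! has_exec "$root" squashfuse; then
        echo "MISSING squashfuse: install the squashfuse package"
        failures=$((failures + 1))
    fi
    # Needed in one report in the thread; noted but not counted as a failure.
    if [ ! -d "$root/lib/modules" ]; then
        echo "NOTE /lib/modules is absent"
    fi
    return "$failures"
}
```

Source the file and run `snap_fuse_preflight` inside the container before `snap install`; an exit status of 0 means none of the three required items is missing.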
