FUSE mounts in unprivileged containers

[narcisgarcia]

• Distribution: Debian (amd64)
• Distribution version: 9
• The output of
  • lxc-start --version 2.0.7
  • lxc-checkconfig (all green = enabled)
  • uname -a Linux system 4.9.0-4-amd64 Prefix tests with lxc-test- #1 SMP Debian 4.9.51-1 (2017-09-28) x86_64 GNU/Linux

containerpath/config includes:

lxc.include = /etc/lxc/default.conf
lxc.id_map = u 0 165536 65536
lxc.id_map = g 0 165536 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,rw,uid=165536,gid=165536 0 0

guest$ ls -l /dev/fuse
crw-rw-rw-  1 nobody nogroup  10, 229 Oct 20 09:18 fuse
guest$ apt update
guest$ apt install sshfs
guest$ mkdir /tmp/point
guest$ sshfs user@example.net:/tmp /tmp/point
fusermount: mount failed: Operation not permitted

Same result when preceding container start with this:
host$ sudo chgrp 165536 /dev/fuse

[brauner]

@narcisgarcia, unprivileged fuse mounts is a feature available in the Ubuntu kernel only atm. We are actively working on pushing this into the upstream kernel though.