Mounting block device fails when CLONE_NEWUSER #221
Comments
The constraints are: (1) an unprivileged user must unshare userns before he can unshare mntns. (2) when the container goes away - even uncleanly - the mount must go away. I think the cleanest way to do this in the code (which is still not as clean as I'd like) would be to handle this right after src/lxc/start.c's call to attach_block_device(). Check whether getuid() == 0 and lxc.id_map is not empty. If that is the case, then unshare a mnt_ns right there, mount the block device to $lxcpath/$lxc_name/rootfs, and update the lxc_conf->rootfs.path to be $lxcpath/$lxc_name/rootfs. Based on your last paragraph, I gather you're interested in coding up a patch for this, so I'll wait for that. (If that's not the case please let me know)
I'd be tempted to keep the mounts where they are currently and, if I will submit a patch next week.
I don't believe it is possible to do this and have it work for
This is needed for another driver to create qcow2-based unprivileged containers, so I am going to post a patch tonight for this. If you come up with a cleaner patch later on we'll happily take a look. |
It is not possible to mount a block device from a non-init user namespace. Therefore if root on the host is starting a container with a uid mapping, and the rootfs is a block device, then mount the rootfs before we spawn the container init task. This addresses #221 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
I have a proof of concept on my side that works for both
When using an `lxc.id_map`, any `lxc.mount.entry` entry involving a block device will fail. `tmpfs`, `procfs`, `bind` mounts work as expected. A workaround is to:

I suspect this is caused by `CLONE_NEWUSER` being used in `clone` too early (before mount). An option I see could be to `unshare(CLONE_NEWUSER)` after mounts are all done then signal the parent process to set up the required `id_map`, or split `lxc_setup` in 2 distinct parts, the first running outside this namespace. What do you think of this approach?

For the time being, I use the workaround but I hope to have some time to hack something into LXC itself in the coming weeks.
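The report above, Serge's suggested placement (check `getuid() == 0` and a non-empty `lxc.id_map`, unshare a mount namespace, mount the device at the rootfs path) and the commit message all describe the same constraint: a block device cannot be mounted from a non-init user namespace, so root on the host has to mount it before the container's init is cloned with `CLONE_NEWUSER`. The following C program is an added illustration of that ordering and is not LXC's own code. The function names (`premount_required`, `premount_blockdev_rootfs`, `mount_from_userns`) and the command-line arguments are assumptions made here; the mount and namespace calls need root and a real block device, while the decision helpers run anywhere.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was seen without _GNU_SOURCE; kernel values. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Raw unshare(2) so the example does not depend on feature-macro order. */
static int do_unshare(int flags) { return (int)syscall(SYS_unshare, flags); }

/* Is the configured rootfs a block device (not a directory, a regular file
 * or a character device such as /dev/null)? */
int rootfs_is_blockdev(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISBLK(st.st_mode) ? 1 : 0;
}

/* The decision from the thread (assumed helper): pre-mount on the host only
 * when lxc-start is real root, lxc.id_map has entries (so init will live in
 * a new user namespace) and the rootfs is a block device. */
int premount_required(uid_t uid, size_t idmap_entries, const char *rootfs)
{
    return uid == 0 && idmap_entries > 0 && rootfs_is_blockdev(rootfs);
}

/* Host-side sequence, run before clone(CLONE_NEWUSER): a private mount
 * namespace first, so the mount vanishes with the container even after an
 * unclean exit, then the block-device mount at the path used as rootfs.
 * Returns 0, or -1 with errno set. */
int premount_blockdev_rootfs(const char *dev, const char *mnt, const char *fstype)
{
    if (do_unshare(CLONE_NEWNS) != 0)
        return -1;
    /* Keep the new mount from propagating back into the host namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0)
        return -1;
    return mount(dev, mnt, fstype, 0, NULL);
}

/* The failure the issue reports: the same mount attempted by a child that
 * already sits in its own user namespace. Returns the child's errno (EPERM
 * on a stock kernel), 0 if it unexpectedly succeeded, -1 on fork/wait error. */
int mount_from_userns(const char *dev, const char *mnt, const char *fstype)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char map[64];
        FILE *f;
        uid_t outer = getuid();
        if (do_unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
            _exit(errno);
        /* Map uid 0 in the new namespace to the caller's real uid. */
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)outer);
        f = fopen("/proc/self/uid_map", "w");
        if (f == NULL || fputs(map, f) == EOF || fclose(f) != 0)
            _exit(errno ? errno : EIO);
        if (mount(dev, mnt, fstype, 0, NULL) != 0)
            _exit(errno);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    int rc;
    if (argc != 4) {
        fprintf(stderr, "usage: %s <block-device> <mountpoint> <fstype>\n", argv[0]);
        return 2;
    }
    printf("pre-mount required (uid=%u, 1 id_map entry): %d\n",
           (unsigned)getuid(), premount_required(getuid(), 1, argv[1]));
    rc = mount_from_userns(argv[1], argv[2], argv[3]);
    printf("mount from new user namespace: %s\n", rc > 0 ? strerror(rc) : "succeeded");
    if (premount_blockdev_rootfs(argv[1], argv[2], argv[3]) != 0)
        perror("host-side pre-mount");
    else
        printf("host-side pre-mount succeeded; mount is private to this process tree\n");
    return 0;
}
```

Run as root with a spare block device, for example `./premount /dev/loopN /mnt/rootfs ext4` (placeholder device): the user-namespace attempt reports `Operation not permitted`, the host-side pre-mount succeeds, and because it happened inside a freshly unshared, private mount namespace, the mount is gone once this process tree exits, which is the second constraint Serge lists.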