First, a word of warning: this feature is experimental. As far as I know it should be stable, but there are known security concerns, specifically with mounting ext2/3/4 volumes.
It should only be enabled in trusted environments where potentially malicious users do not have shell access to your system.
An LXC container will not have the device nodes needed for mounting (/dev/fuse for FUSE and some block device for ext4, e.g. /dev/loop0) and will not be permitted to mount by AppArmor.
This how-to shows how to create an LXC config which will run the container without AppArmor confinement and will allow you to mount the devices.
Requirements
In order to use this feature, you will need a 4.4.0-6.21 or later kernel in Ubuntu xenial. To follow these instructions you will also need to have lxc installed on the host machine.
Setup:
On the HOST
You need to flip the ext4 module parameter to enable user namespace mounts:
$ echo Y | sudo tee /sys/module/ext4/parameters/userns_mounts
$ dd if=/dev/zero of=ext4.img bs=1M count=8
$ mkfs.ext4 ext4.img
$ sudo losetup /dev/loop0 ext4.img
$ mkdir -p mount
$ sudo mount /dev/loop0 mount
In the LXC
add the following to /etc/rc.local
for i in $(seq 0 7); do /bin/mknod /dev/loop$i b 7 $i; done
to create the needed loop devices, each with major 7 and its index as the minor (MAAS needs them to manage the TFTP images),
then run it or reboot the LXC:
$ /etc/rc.local
check that the /dev/loopN devices exist and you are done.
Test
$ dd if=/dev/zero of=ext4.img bs=1M count=8
$ mkfs.ext4 ext4.img
$ sudo losetup /dev/loop0 ext4.img
$ mkdir -p mount
$ mount /dev/loop0 mount
$ df
This filesystem can be unmounted in the usual way.
Now you have to follow the MAAS install guide, and you are free to move the MAAS LXC wherever you want.
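The setup above has three preconditions (userns_mounts flipped on the host, AppArmor confinement and device cgroup rules in the container config, loop nodes with the right major:minor in the container). The following pre-flight script is an added example, not part of the original post; it assumes the LXC 2.x config keys used on xenial (lxc.aa_profile, lxc.cgroup.devices.allow) and takes the config path as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for running
# MAAS in an LXC with user-namespace ext4 mounts. ROOT defaults to the live
# system; point it at a scratch tree to dry-run the checks without root.
ROOT="${ROOT:-}"

# Host side: the ext4 module must have user-namespace mounts switched on.
ext4_userns_enabled() {
    p="$ROOT/sys/module/ext4/parameters/userns_mounts"
    [ -r "$p" ] && [ "$(cat "$p")" = "Y" ]
}

# Container config: one lxc.cgroup.devices.allow line per device class.
# $1 = config file, $2 = device spec as written in the config (e.g. "b 7:*").
config_allows() {
    spec=$(printf '%s' "$2" | sed 's/[*.]/\\&/g')   # escape regex metacharacters
    grep -Eq "^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*$spec[[:space:]]+rwm" "$1"
}

# Container config: AppArmor confinement must be off or mount() is denied.
config_unconfined() {
    grep -Eq '^[[:space:]]*lxc\.aa_profile[[:space:]]*=[[:space:]]*unconfined' "$1"
}

# Container /dev: loopN must be a block device with major 7 and minor N
# (so the rc.local mknod loop must pass $i, not a fixed 0, as the minor).
loop_node_ok() {   # $1 = index N
    n="$ROOT/dev/loop$1"
    [ -b "$n" ] && [ "$(stat -c '%t:%T' "$n")" = "7:$(printf '%x' "$1")" ]
}

# Run every check; prints each failure and returns the failure count.
preflight() {   # $1 = container config path
    fails=0
    ext4_userns_enabled || { echo "FAIL: ext4 userns_mounts not enabled on host"; fails=$((fails+1)); }
    config_unconfined "$1" || { echo "FAIL: $1 keeps AppArmor confinement"; fails=$((fails+1)); }
    for spec in 'b 7:*' 'c 10:237'; do   # loop devices, loop-control
        config_allows "$1" "$spec" || { echo "FAIL: $1 lacks devices.allow for $spec"; fails=$((fails+1)); }
    done
    for i in $(seq 0 7); do
        loop_node_ok "$i" || { echo "FAIL: /dev/loop$i missing or wrong major:minor"; fails=$((fails+1)); }
    done
    return "$fails"
}

# Usage: PREFLIGHT_CONFIG=/var/lib/lxc/maas/config sh preflight.sh  (path is an assumption)
if [ -n "${PREFLIGHT_CONFIG:-}" ]; then preflight "$PREFLIGHT_CONFIG"; fi
```

Run it once on the host with ROOT unset and once inside the container (the userns check will fail there if /sys is not shared, which is expected).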
Dear Alex,
don't forget in the config of the lxc:
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
your friends John and Peanut ;)