Bindfs and fuse

richardh · October 12, 2022, 9:28am

Hi all,

I want to use bindfs to mount my website docroot, with ownership adjustments, into a user’s home directory. This works fine on a normal system, with an fstab line like this:

/srv/wptest-home/doc_root /home/richard/wptest-home/doc_root fuse.bindfs --force-user=richard,--force-group=richard,--create-for-user=wptest-home,--create-for-group=wptest-home 0 0

After various experiments with putting a lxc.mount.entry in the container config, then playing with /etc/fstab in the container, I got it going, after creating /dev/fuse with sudo mknod /dev/fuse c 10 299.

Then I deleted that device node, and tried various methods to create it at boot time. I managed to do that with a hook (lxc.hook.start, IIRC).

… but from then on, I haven’t been able to do the mount. I can create the device node manually, and it looks exactly the same. But I get:

fuse: failed to open /dev/fuse: Operation not permitted.

I can’t figure out what has changed since it worked a few hours ago.

Device file:
crw-r--r-- 1 root root 10, 299 Oct 12 21:05 /dev/fuse

fstab line:
/srv/testsite/doc_root /home/richard/testsite/doc_root fuse.bindfs --force-user=richard,--force-group=richard,--create-for-user=testsite,--create-for-group=testsite 0 0

Any suggestions?

richardh · October 12, 2022, 10:55pm

So it turns out that “lxc-device -n xxx add /dev/fuse” must do more than just running mknod in the container - the created device node looks just the same, but this time it works.

How then do I create it at boot time? lxc.hook.autodev seems a likely candidate, but I can’t find any examples of how it works.

Cheers,
Richard

richardh · October 14, 2022, 3:26am

I finally found an example of using lxc-hook.autodev and added this to my config:

lxc.hook.autodev = sh -c "mknod ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 299"

which successfully created the device node, but I still couldn’t mount.

I had a look at the source for lxc-device - with limited success, since my C is rusty at best and my knowledge of cgroups is almost non-existent.

Anyway, I tried adding
lxc.cgroup.devices.allow = a lxc.cgroup2.devices.allow = a

(since I didn’t know which I should be using),
and it still didn’t work. I also tried

... allow = c 10:299 rw

and that also didn’t work, but with a different message.

Then further reading suggested that apparmor might be involved … to try and get a speedy result, I tried

lxc.apparmor.profile = unconfined

(with a view to learning more and tightening it later) - still no joy.

Here’s my whole container config (on Debian 11, so with whatever other files that includes):

# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: --release=bullseye
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.net.0.type = veth
lxc.net.0.hwaddr = 00:16:3e:8a:2f:c0
lxc.net.0.link = br0
lxc.net.0.flags = up
# lxc.apparmor.profile = generated
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lib/lxc/rh-wptest2/rootfs
lxc.mount.entry = /guestfs/rh-wptest2-srv /var/lib/lxc/rh-wptest2/rootfs/srv/ none bind 0 0

# lxc.cgroup.devices.allow = c 10:299 rw
# lxc.cgroup2.devices.allow = c 10:299 rw
lxc.cgroup.devices.allow = a
lxc.cgroup2.devices.allow = a
lxc.hook.autodev = sh -c "mknod ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 299"

# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf

# Container specific configuration
lxc.tty.max = 4
lxc.uts.name = rh-wptest2
lxc.arch = amd64
lxc.pty.max = 1024
lxc.start.auto = 0

Anything else I need to open up?

Cheers,
Richard

richardh · October 15, 2022, 1:17am

Got it going, with a horrible hack.

In the container config:
lxc.hook.start-host = /usr/local/bin/fuse.hook

/usr/local/bin/fuse.hook:


at now + 1 minute <<END 2>>/var/lib/lxc/rh-wptest2/hook.error
/usr/local/bin/fuse.hook.s2
END

/usr/local/bin/fuse.hook.s2:

lxc-device -n rh-wptest2 add /dev/fuse
lxc-attach -n rh-wptest2 mount /home/richard/testsite/doc_root

I hate almost everything about this solution.

But in the absence of

A hook that runs after the container init has started
understanding how lxc-device actually works
understanding how to make lxc.hook.autodev work
Anybody who knows this stuff reading this thread and/or caring

… it seems to be the best I can manage for now.

Cheers,
Richard

amikhalitsyn · April 5, 2023, 11:16am