stgraber (Stéphane Graber), July 3, 2022, 7:02pm
Looks like this already got fixed in LXC, which is why I couldn’t see it here.
opened 08:56AM - 02 Jul 22 UTC
closed 01:56PM - 02 Jul 22 UTC
Updating from 4.0.12 to 5.0.0 broke one of my bind mounts.
I have this setup … to share a specific socket file between the host and one of the containers:
```
lxc.mount.entry = tmpfs run tmpfs rw,nosuid,nodev,mode=755
lxc.mount.entry = /run/takeover run/takeover none ro,bind,create=dir
```
This works fine in 4.0.12 but with 5.0.0 the container refuses to start:
```
lxc-start: share: ../src/lxc/conf.c: mount_entry: 2459 Operation not permitted - Failed to mount "/run/takeover" on "/usr/lib/lxc/rootfs/run/takeover"
lxc-start: share: ../src/lxc/conf.c: lxc_setup: 4375 Failed to setup mount entries
```
I looked at the `strace` log, and it shows a spurious `EPERM` on the second `mount` call (the one with the `MS_REMOUNT` flag):
```
openat(AT_FDCWD, "/usr/lib/lxc/rootfs", O_RDONLY) = 17
openat(17, "run", O_RDONLY|O_NOFOLLOW) = 18
close(17) = 0
mount("tmpfs", "/proc/self/fd/18", "tmpfs", MS_NOSUID|MS_NODEV, "mode=755") = 0
close(18) = 0
access("/usr/lib/lxc/rootfs/run/takeover", F_OK) = -1 ENOENT (No such file or directory)
mkdir("/", 0755) = -1 EEXIST (File exists)
mkdir("/usr/", 0755) = -1 EEXIST (File exists)
mkdir("/usr/lib/", 0755) = -1 EEXIST (File exists)
mkdir("/usr/lib/lxc/", 0755) = -1 EEXIST (File exists)
mkdir("/usr/lib/lxc/rootfs/", 0755) = -1 EEXIST (File exists)
mkdir("/usr/lib/lxc/rootfs/run/", 0755) = -1 EEXIST (File exists)
mkdir("/usr/lib/lxc/rootfs/run/takeover", 0755) = 0
openat(AT_FDCWD, "/usr/lib/lxc/rootfs", O_RDONLY) = 17
openat(17, "run", O_RDONLY|O_NOFOLLOW) = 18
close(17) = 0
openat(18, "takeover", O_RDONLY|O_NOFOLLOW) = 17
close(18) = 0
mount("/run/takeover", "/proc/self/fd/17", 0x7ffd73735c4b, MS_RDONLY|MS_BIND, NULL) = 0
close(17) = 0
mount("/run/takeover", "/usr/lib/lxc/rootfs/run/takeover", 0x7ffd73735c4b, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted)
```
Running on Arch Linux, kernel `5.15.50-1-lts`.
I’ve now pushed cherry-picks to latest/candidate which should be available in 2-3 hours.
It’d be great if someone affected could refresh to latest/candidate later today and see if that fixes it. If it does, we’ll roll that out tomorrow.
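As an added illustration of one documented source of the `EPERM` on the `MS_REMOUNT|MS_BIND` call in the strace above (this is not code from the report or from LXC): mount(2) fails a remount with `EPERM` when it would clear a flag the kernel has locked on that mount, and `/run` on most hosts carries `nosuid,nodev`. The example assumes that is the cause here, uses a constructed `/proc/self/mountinfo` excerpt, and shows how a caller can look up the source mount's existing flags and carry them into the read-only remount.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
/* Constructed mountinfo excerpt (not from the report): a host whose /run is a
 * tmpfs mounted nosuid,nodev, a common distro default. */
static const char *SAMPLE_MOUNTINFO =
    "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "25 22 0:23 / /run rw,nosuid,nodev - tmpfs tmpfs rw,mode=755\n";

/* Option names whose MS_* flags the kernel may lock on a mount propagated into
 * a less privileged mount namespace (mount_namespaces(7)). */
static unsigned long opt_to_flag(const char *opt) {
    static const struct { const char *name; unsigned long flag; } tbl[] = {
        {"ro", MS_RDONLY}, {"nosuid", MS_NOSUID}, {"nodev", MS_NODEV},
        {"noexec", MS_NOEXEC}, {"noatime", MS_NOATIME},
        {"nodiratime", MS_NODIRATIME}, {"relatime", MS_RELATIME},
    };
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strcmp(opt, tbl[i].name) == 0) return tbl[i].flag;
    return 0;
}

/* Flags (6th mountinfo field) of the deepest mount that contains `path`. */
unsigned long mount_flags_of(const char *mountinfo, const char *path) {
    char line[512], mp[256], opts[256], best_opts[256] = "";
    size_t best = 0;
    for (const char *p = mountinfo; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len); line[len] = '\0';
        p += nl ? full + 1 : full;
        /* fields: id parent maj:min root mountpoint options ... */
        if (sscanf(line, "%*s %*s %*s %*s %255s %255s", mp, opts) != 2) continue;
        size_t n = strlen(mp);   /* `path` is on this mount if mp is a path prefix */
        if (strncmp(path, mp, n) == 0 && (n == 1 || path[n] == '\0' || path[n] == '/')
            && n >= best) { best = n; strcpy(best_opts, opts); }
    }
    unsigned long flags = 0;
    for (char *t = strtok(best_opts, ","); t; t = strtok(NULL, ","))
        flags |= opt_to_flag(t);
    return flags;
}

/* Flags for the second mount(2) of a read-only bind mount: carrying the source
 * mount's flags into the remount satisfies the locked-flag check (mount(2)). */
unsigned long ro_bind_remount_flags(const char *mountinfo, const char *src) {
    return MS_REMOUNT | MS_BIND | MS_RDONLY | mount_flags_of(mountinfo, src);
}
```

On a real host, read `/proc/self/mountinfo` into a buffer and pass it in place of `SAMPLE_MOUNTINFO`; the returned value is what the remount call should use instead of a bare `MS_RDONLY|MS_REMOUNT|MS_BIND`.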