asad
(Asad )
August 27, 2020, 11:45am
1
Hi @stgraber @simos,
Hope you guys are doing well.
Can you please help? I want to mount a Google bucket in my LXC container, but when I run the gcsfuse command to mount the bucket, it gives me the following error:
Using mount point: /home/asad/backup
Opening GCS connection…
Opening bucket…
Mounting file system…
daemonize.Run: readFromProcess: sub-process: mountWithArgs: mountWithConn: Mount: mount: running fusermount: exit status 1
stderr:
fusermount: mount failed: Operation not permitted
And I can achieve this same thing outside of my LXC container, on my host node.
stgraber
(Stéphane Graber)
August 27, 2020, 4:27pm
2
Do you have /dev/fuse available and usable in your container?
asad
(Asad )
August 27, 2020, 4:36pm
3
@stgraber yes, installed gcsfuse using the command below:
apt-get install gcsfuse
root@asad:~# ls -l /dev/fuse
crw-rw-rw- 1 nobody nogroup 10, 229 Aug 27 07:48 /dev/fuse
asad
(Asad )
August 27, 2020, 4:42pm
4
What could be the problem, @stgraber?
stgraber
(Stéphane Graber)
August 27, 2020, 6:14pm
5
What’s your container config?
asad
(Asad )
August 28, 2020, 7:42am
6
Hi @stgraber,
The following is my container config:
lxc.log.file = /var/snap/lxd/common/lxd/logs/integ901/lxc.log
lxc.log.level = warn
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/snap/lxd/common/lxd/logs/integ901/console.log
lxc.mount.auto = proc:rw sys:rw cgroup:mixed
lxc.autodev = 1
lxc.pty.max = 1024
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional 0 0
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/tracing sys/kernel/tracing none rbind,create=dir,optional 0 0
lxc.mount.entry = /dev/mqueue dev/mqueue none rbind,create=dir,optional 0 0
lxc.include = /snap/lxd/current/lxc/config//common.conf.d/
lxc.arch = linux64
lxc.hook.version = 1
lxc.hook.pre-start = /proc/3278/exe callhook /var/snap/lxd/common/lxd 71 start
lxc.hook.stop = /snap/lxd/current/bin/lxd callhook /var/snap/lxd/common/lxd 71 stopns
lxc.hook.post-stop = /snap/lxd/current/bin/lxd callhook /var/snap/lxd/common/lxd 71 stop
lxc.tty.max = 0
lxc.uts.name = integ901
lxc.mount.entry = /var/snap/lxd/common/lxd/devlxd dev/lxd none bind,create=dir 0 0
lxc.seccomp.profile = /var/snap/lxd/common/lxd/security/seccomp/integ901
lxc.idmap = u 0 1000000 1000000000
lxc.idmap = g 0 1000000 1000000000
lxc.cgroup.memory.limit_in_bytes = 512000000
lxc.cgroup.memory.soft_limit_in_bytes = 460800000
lxc.mount.auto = shmounts:/var/snap/lxd/common/lxd/shmounts/integ901:/dev/.lxd-mounts
lxc.net.0.name = eth0
lxc.net.0.type = phys
lxc.net.0.flags = up
lxc.net.0.link = vethcf6d30c6
lxc.rootfs.path = dir:/var/snap/lxd/common/lxd/containers/integ901/rootfs
stgraber
(Stéphane Graber)
August 28, 2020, 1:10pm
7
Ok, so that’s unprivileged LXD with what looks like a pretty standard config.
So this should work just fine. Maybe try with a different FUSE filesystem first to see if it’s just an issue with that Google one?
I’d recommend trying sshfs as a pretty simple FUSE filesystem which we know works fine in containers.
asad
(Asad )
August 28, 2020, 1:16pm
8
@stgraber can we mount a Google Cloud Storage bucket using sshfs? Or is there any way to launch a privileged LXC container?
Because the task I want to accomplish is to mount Google Cloud Storage in my LXC container.
stgraber
(Stéphane Graber)
August 28, 2020, 1:17pm
9
Privileged or unprivileged shouldn’t matter for FUSE.
For now we need to figure out if it’s an issue with the Google binary or with FUSE in the container, that’s why we need you to test with another FUSE filesystem even if that doesn’t solve your problem.
asad
(Asad )
August 28, 2020, 1:29pm
10
@stgraber
crw-rw-rw- 1 nobody nogroup 10, 229 Aug 27 07:48 /dev/fuse
I am asking because, as you can see, the ownership of /dev/fuse in the container is nobody and nogroup.
asad
(Asad )
August 28, 2020, 5:35pm
11
@stgraber
Hi, as per your instructions I have installed sshfs and tried to mount the remote directory:
root@adi:~# sshfs ali@34.70.71.4 :/home/asad/ sshfs-dir
fusermount: mount failed: Operation not permitted
Still got the same error. I think the issue is with FUSE in the container. Does the container need any privileges?
asad
(Asad )
August 28, 2020, 5:48pm
13
Linux adi 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1+deb9u1 (2020-06-07) x86_64 GNU/Linux
asad
(Asad )
August 28, 2020, 6:00pm
14
@stgraber any thoughts? Sorry for being in too much of a hurry, but I have gone crazy searching the internet for this issue and still have not got any solution for this :?
You guys are the last hope.
stgraber
(Stéphane Graber)
August 28, 2020, 6:14pm
15
That’s an old-ish kernel so I don’t know if Debian has support for unprivileged fuse by default on that one.
stgraber
(Stéphane Graber)
August 28, 2020, 6:16pm
16
Mainline support for FUSE inside user namespace landed in the 4.18 kernel.
Ubuntu has had that in its kernel for quite a while prior to that and I believe so did Debian, but disabled behind a sysctl.
If you can, please switch to a more recent kernel on Debian; if you can’t, look for find /proc/sys | grep fuse, maybe there’s a flag there.
asad
(Asad )
August 28, 2020, 6:17pm
17
@stgraber so what should I do now? This is a Debian 9 stretch container; should I test this on some old versions or what?
stgraber
(Stéphane Graber)
August 28, 2020, 6:17pm
18
The version of the container doesn’t matter, the version of the host does.
asad
(Asad )
August 28, 2020, 6:19pm
19
@stgraber find /proc/sys | grep fuse
This command shows no results.
stgraber
(Stéphane Graber)
August 28, 2020, 6:20pm
20
Ok, so no sysctl that you can flip on.
Then you need to get your host’s kernel on a more modern kernel.
stretch-backports seems to have a 4.19 kernel, if you can get onto that, things should work.
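The checks this thread walks through (host kernel version against the 4.18 mainline threshold, whether the process sits in a user namespace, and the `find /proc/sys | grep fuse` sysctl search) combined into one triage script. This is an added example, not something posted by a thread participant; the function names and messages are hypothetical.

```shell
#!/bin/sh
# Added example: triage for "fusermount: mount failed: Operation not permitted"
# in an unprivileged container. Function names are hypothetical.

# Succeeds if a `uname -r` style release string is >= 4.18, the mainline
# release that gained FUSE support inside user namespaces.
kernel_has_userns_fuse() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }
}

# Succeeds if the uid_map file (default: this process's) shows a user
# namespace, i.e. anything other than the host's identity mapping.
in_user_namespace() {
    read -r inside outside count < "${1:-/proc/self/uid_map}" || return 2
    [ "$inside $outside $count" != "0 0 4294967295" ]
}

# Lists paths mentioning fuse under a sysctl tree (default /proc/sys);
# empty output means there is no distro flag to flip.
fuse_sysctls() {
    find "${1:-/proc/sys}" 2>/dev/null | grep fuse || true
}

# Prints a verdict. Containers share the host kernel, so `uname -r` run
# inside the container already reports the host's version.
fuse_triage() {
    release=${1:-$(uname -r)}
    [ -c /dev/fuse ] || echo "no /dev/fuse character device visible"
    if ! in_user_namespace; then
        echo "not in a user namespace: the 4.18 requirement does not apply"
    elif kernel_has_userns_fuse "$release"; then
        echo "kernel $release >= 4.18: FUSE in a user namespace is supported"
    elif [ -n "$(fuse_sysctls)" ]; then
        echo "kernel $release < 4.18: inspect these sysctls:"
        fuse_sysctls
    else
        echo "kernel $release < 4.18, no fuse sysctl: upgrade the host kernel"
    fi
}

fuse_triage
```

Run inside the container as the user doing the mount; on the 4.9.0-12-amd64 host from this thread it reaches the last branch.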