Fusermount: mount failed: Operation not permitted

Do you have /dev/fuse available and usable in your container?

@stgraber yes, I installed gcsfuse using the command below:
apt-get install gcsfuse

root@asad:~# ls -l /dev/fuse
crw-rw-rw- 1 nobody nogroup 10, 229 Aug 27 07:48 /dev/fuse

What could be the problem, @stgraber?

What’s your container config?

Hi @stgraber ,

The following is my container config:

lxc.log.file = /var/snap/lxd/common/lxd/logs/integ901/lxc.log
lxc.log.level = warn
lxc.console.buffer.size = auto
lxc.console.size = auto
lxc.console.logfile = /var/snap/lxd/common/lxd/logs/integ901/console.log
lxc.mount.auto = proc:rw sys:rw cgroup:mixed
lxc.autodev = 1
lxc.pty.max = 1024
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file,optional 0 0
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file,optional 0 0
lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/fs/pstore sys/fs/pstore none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/debug sys/kernel/debug none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/security sys/kernel/security none rbind,create=dir,optional 0 0
lxc.mount.entry = /sys/kernel/tracing sys/kernel/tracing none rbind,create=dir,optional 0 0
lxc.mount.entry = /dev/mqueue dev/mqueue none rbind,create=dir,optional 0 0
lxc.include = /snap/lxd/current/lxc/config//common.conf.d/
lxc.arch = linux64
lxc.hook.version = 1
lxc.hook.pre-start = /proc/3278/exe callhook /var/snap/lxd/common/lxd 71 start
lxc.hook.stop = /snap/lxd/current/bin/lxd callhook /var/snap/lxd/common/lxd 71 stopns
lxc.hook.post-stop = /snap/lxd/current/bin/lxd callhook /var/snap/lxd/common/lxd 71 stop
lxc.tty.max = 0
lxc.uts.name = integ901
lxc.mount.entry = /var/snap/lxd/common/lxd/devlxd dev/lxd none bind,create=dir 0 0
lxc.seccomp.profile = /var/snap/lxd/common/lxd/security/seccomp/integ901
lxc.idmap = u 0 1000000 1000000000
lxc.idmap = g 0 1000000 1000000000
lxc.cgroup.memory.limit_in_bytes = 512000000
lxc.cgroup.memory.soft_limit_in_bytes = 460800000
lxc.mount.auto = shmounts:/var/snap/lxd/common/lxd/shmounts/integ901:/dev/.lxd-mounts
lxc.net.0.name = eth0
lxc.net.0.type = phys
lxc.net.0.flags = up
lxc.net.0.link = vethcf6d30c6
lxc.rootfs.path = dir:/var/snap/lxd/common/lxd/containers/integ901/rootfs

Ok, so that’s unprivileged LXD with what looks like a pretty standard config.

So this should work just fine. Maybe try with a different FUSE filesystem first to see if it’s just an issue with that Google one?

I’d recommend trying sshfs as a pretty simple FUSE filesystem which we know works fine in containers.

@stgraber can we mount a Google Cloud Storage bucket using sshfs? Or is there any way to launch a privileged LXC container?

Because the task I want to accomplish is to mount Google Cloud Storage in my LXC container.

Privileged or unprivileged shouldn’t matter for FUSE.

For now we need to figure out if it’s an issue with the Google binary or with FUSE in the container, that’s why we need you to test with another FUSE filesystem even if that doesn’t solve your problem.

@stgraber
crw-rw-rw- 1 nobody nogroup 10, 229 Aug 27 07:48 /dev/fuse

I am asking because, as you can see, the ownership of /dev/fuse in the container is nobody and nogroup.

@stgraber
Hi, as per your instructions I have installed sshfs and tried to mount the remote directory:

root@adi:~# sshfs ali@34.70.71.4:/home/asad/ sshfs-dir
fusermount: mount failed: Operation not permitted

Still got the same error :confused:. I think the issue is with FUSE in the container. Does the container need any privileges?

Can you show uname -a?

Linux adi 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1+deb9u1 (2020-06-07) x86_64 GNU/Linux

@stgraber any thoughts? Sorry for being in such a hurry, but I have gone crazy searching the internet for this issue and still have not found a solution.

You guys are my last hope :slight_smile:

That’s an old-ish kernel so I don’t know if Debian has support for unprivileged fuse by default on that one.

Mainline support for FUSE inside user namespace landed in the 4.18 kernel.
Ubuntu has had that in its kernel for quite a while prior to that and I believe so did Debian, but disabled behind a sysctl.

If you can, please switch to a more recent kernel on Debian. If you can’t, look at the output of find /proc/sys | grep fuse; maybe there’s a flag there.

@stgraber so what should I do now? This is a Debian 9 stretch container. Should I test this on some older versions, or what?

The version of the container doesn’t matter, the version of the host does.

@stgraber find /proc/sys | grep fuse

This command shows no results.

Ok, so no sysctl that you can flip on.

Then you need to get your host’s kernel on a more modern kernel.

stretch-backports seems to have a 4.19 kernel, if you can get onto that, things should work.

@stgraber thanks a lot for the help, it works after the kernel upgrade.
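
The checks this thread walks through (running in a user namespace, host kernel at least 4.18, a fuse sysctl under /proc/sys), gathered into one triage script. This is an added example, not part of the original posts; the function names and verdict strings are made up for illustration.

```shell
#!/bin/sh
# Triage for "fusermount: mount failed: Operation not permitted" in an
# unprivileged container. uname -r inside a container reports the HOST kernel,
# which is the version that matters here.

# kernel_has_userns_fuse RELEASE
# Succeeds if RELEASE (uname -r format) is >= 4.18, the mainline release named
# in the thread for FUSE inside user namespaces. Returns 2 if unparsable.
# Distro backports of the feature to older kernels are not detected.
kernel_has_userns_fuse() {
    ver=${1%%-*}                      # "4.9.0-12-amd64" -> "4.9.0"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major.$minor" in *[!0-9.]*|.*|*.) return 2 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }
}

# in_user_namespace [UID_MAP_FILE]
# Succeeds unless the first map line is the identity map of the initial
# namespace ("0 0 4294967295"). An idmap such as "0 1000000 1000000000"
# (the lxc.idmap in the config above) means a user namespace.
in_user_namespace() {
    read -r inside outside count < "${1:-/proc/self/uid_map}" || return 2
    ! { [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ]; }
}

# fuse_sysctls [ROOT]
# Same idea as the thread's "find /proc/sys | grep fuse": lists candidate knobs.
fuse_sysctls() {
    ( cd "${1:-/proc/sys}" 2>/dev/null && find . 2>/dev/null ) | grep -i fuse || true
}

# diagnose RELEASE [UID_MAP_FILE] [SYSCTL_ROOT]: prints one verdict line.
diagnose() {
    if ! in_user_namespace "${2:-/proc/self/uid_map}"; then
        echo "not-in-userns: the 4.18 requirement does not apply"
    elif kernel_has_userns_fuse "$1"; then
        echo "ok: kernel $1 is >= 4.18 (mainline FUSE in user namespaces)"
    elif [ -n "$(fuse_sysctls "${3:-/proc/sys}")" ]; then
        echo "check-sysctl: kernel $1 < 4.18, inspect the fuse entries in /proc/sys"
    else
        echo "upgrade-host-kernel: kernel $1 < 4.18 and no fuse sysctl found"
    fi
}

diagnose "$(uname -r)"
```

For the 4.9.0-12-amd64 host in this thread, with the container's idmap and no fuse entry under /proc/sys, the verdict is upgrade-host-kernel, which matches the fix that worked.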