How to access container data from the host?

Maybe it is a new security feature, but I cannot find how to access container data from the host…?
I used to access it with:
/var/snap/lxd/common/lxd/containers/mycony/rootfs/
but on a recent install, I no longer have access…

Quite literally the topic just under yours on the forum :wink:

(Mmm, I am ashamed)

I shall study that tomorrow morning…
But the link between “mount point” and “container data” is not so clear to me. OK, for a fresh mind tomorrow.

/var/snap/lxd/common/mntns/var/snap/lxd/common/lxd/storage-pools/default/containers/

Thank you, fine.
But a small mystery for me.
Before asking, I had done an experiment: in my container, I had executed:
ls >trouve.moi
exited from the container, and ran “updatedb” hoping to find a path to “trouve.moi” and so the full data path of the container, and… Why did it not work?
I suppose the answer is my misunderstanding of the structure of the storage-pool…

Specifically because we don’t want things like updatedb indexing every single file of all containers :slight_smile:

All LXD mounts are in a separate mount namespace invisible from the host and so invisible from updatedb. /var/snap/lxd/common/mntns is a special symlink which allows you to peek into the alternate user namespace but most tools will not traverse through it.
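A host-side check for this, added here as an example and not from anyone in the thread: it compares the mount table the host sees with the one the lxd daemon sees, so you can list the container rootfs mounts that updatedb on the host cannot reach. It assumes the snap paths quoted above (storage pools under /var/snap/lxd/common/lxd/storage-pools, the mntns symlink) and that you pass the lxd daemon's pid to audit_live; the two mount tables embedded below are constructed samples.

```python
"""Audit LXD container mounts that exist only inside LXD's private mount
namespace, and so are invisible to host tools such as updatedb/locate."""
import re
POOL_ROOT = "/var/snap/lxd/common/lxd/storage-pools"
MNTNS = "/var/snap/lxd/common/mntns"  # symlink into LXD's namespace (see thread)

def unescape(s):
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo into (mount point, fstype, source) tuples."""
    mounts = []
    for line in text.strip().splitlines():
        left, _, right = line.partition(" - ")  # optional fields end at " - "
        lf, rf = left.split(), right.split()
        mounts.append((unescape(lf[4]), rf[0], unescape(rf[1])))
    return mounts

def container_mounts(mounts):
    """Mount points of container rootfs under the storage pools, sorted."""
    return sorted(mp for mp, _, _ in mounts
                  if mp.startswith(POOL_ROOT + "/") and "/containers/" in mp)

def hidden_from_host(host_text, lxd_text):
    """Container mounts present in LXD's mount table but absent from the host's."""
    visible = set(container_mounts(parse_mountinfo(host_text)))
    return [mp for mp in container_mounts(parse_mountinfo(lxd_text))
            if mp not in visible]

def host_path(mount_point):
    """Path a host process must use to reach a mount hidden in LXD's namespace."""
    return MNTNS + mount_point

def audit_live(lxd_pid):
    """Compare the real tables; needs root and the pid of the running lxd daemon."""
    with open("/proc/self/mountinfo") as h, open(f"/proc/{lxd_pid}/mountinfo") as l:
        return hidden_from_host(h.read(), l.read())

# Constructed sample mount tables (not captured from a real system).
HOST_MOUNTINFO = """\
25 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
60 25 0:45 / /var/snap/lxd/common/shmounts rw,relatime - tmpfs tmpfs rw
"""
LXD_MOUNTINFO = HOST_MOUNTINFO + """\
70 25 0:50 / /var/snap/lxd/common/lxd/storage-pools/default rw - zfs default rw
71 70 0:51 / /var/snap/lxd/common/lxd/storage-pools/default/containers/mycony rw - zfs default/containers/mycony rw
72 70 0:52 / /var/snap/lxd/common/lxd/storage-pools/default/containers/my\\040box rw - zfs default/containers/my\\040box rw
"""
```

Running `hidden_from_host(HOST_MOUNTINFO, LXD_MOUNTINFO)` on the samples returns the two container mounts, and `host_path` gives the mntns-prefixed path a host process would need to open them.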

Ok, I understand a little…
Only a little: isolation is fine, but that is to say that you want to protect data from root…
So what do we do? Do we use a superroot and a superupdatedb to find trouve.moi?
That is to say, you think that root is not allowed to find trouve.moi…? Poor root :wink:
Poor me!

It’s mostly an issue of large production systems running containers for customers, possibly on properly secured (encrypted) storage, and now a random process running on the unencrypted host disk goes and indexes every file that’s in all the containers.

This can effectively cause confidential data from within a container to get duplicated onto unsafe storage, possibly exposing the hosting provider to GDPR-type issues (say for example an IP address or a person’s name is part of a filename in one of the hosted containers).

So be it…
Thank you very much.
For your efficiency. As usual.

But… what should I do if I REALLY want to be able to execute “locate” on my host…?

:thinking:

You may be able to force it to run through /var/snap/lxd/common/mntns/var/snap/lxd/storage-pools

ok… :wink: