How to access container data from the host?

Maybe it is a new security feature but I do not find how to access container data from the host… ?
I use to access with :
but on a recent install, I have no more access…

Quite literally the topic just under yours on the forum :wink:

(Mmm, I am ashamed)

I shall study that tomorrow morning…
But the link is not so clear for me between “mount point” and “container data”. OK, for fresh mind tomorrow.


Thank you, fine.
But a small mystery for me.
Before asking, I had made an experiment : in my container, I had executed:
ls >
exited from the container , and “updatedb” hoping to find a a path to “” and so the full data path of the container, and… Why it did not work ?
I suppose the answer is my misunderstanding of the structure of the storage-pool…

Specifically because we don’t want things like updatedb indexing every single file of all containers :slight_smile:

All LXD mounts are in a separate mount namespace invisible from the host and so invisible from updatedb. /var/snap/lxd/common/mntns is a special symlink which allows you to peak into the alternate user namespace but most tools will not traverse through it.

Ok, I understand a little…
A little only, isolation is fine, but that is to say that you want to protect data from root…
So how do we do ? we use a superoot and a superupdadeb to find ?
That is to say, you think that root is not allowed to find…? Poor root :wink:
Pauvre de moi !

It’s mostly an issue of large production systems running containers for customers, possibly on properly secure (encrypted storage) and now a random process running on the unencrypted host disk goes and index every file that’s in all the containers.

This can effectively cause confidential data from within a container to get duplicated onto unsafe storage, possibly exposing the hosting provider to GDPR type issues (say for example an IP address or person’s name is part of a filename in one of the hosted containers).

Thank you very much.
For your efficiency. As usual.

But… what shold I do if I REALLY want to be able to execute “locate” on my host… ?


You may be able to force it to run through /var/snap/lxd/common/mntns/var/snap/lxd/storage-pools

ok… :wink: