Maybe it is a new security feature, but I cannot find how to access container data from the host… ?
I used to access it with:
/var/snap/lxd/common/lxd/containers/mycony/rootfs/
but on a recent install, I have no more access…
Quite literally the topic just under yours on the forum
(Mmm, I am ashamed)
I shall study that tomorrow morning…
But the link is not so clear for me between “mount point” and “container data”. OK, for a fresh mind tomorrow.
/var/snap/lxd/common/mntns/var/snap/lxd/common/lxd/storage-pools/default/containers/
Thank you, fine.
But a small mystery for me.
Before asking, I had made an experiment: in my container, I had executed:
ls >trouve.moi
exited from the container, and ran “updatedb” hoping to find a path to “trouve.moi” and so the full data path of the container, and… why did it not work?
I suppose the answer is my misunderstanding of the structure of the storage-pool…
Specifically because we don’t want things like updatedb indexing every single file of all containers.
All LXD mounts are in a separate mount namespace invisible from the host and so invisible from updatedb.
/var/snap/lxd/common/mntns is a special symlink which allows you to peek into the alternate user namespace, but most tools will not traverse through it.
Ok, I understand a little…
A little only, isolation is fine, but that is to say that you want to protect data from root…
So how do we do it? Do we use a super-root and a super-updatedb to find trouve.moi?
That is to say, you think that root is not allowed to find trouve.moi…? Poor root
Poor me!
It’s mostly an issue of large production systems running containers for customers, possibly on properly secured (encrypted) storage, and now a random process running on the unencrypted host disk goes and indexes every file that’s in all the containers.
This can effectively cause confidential data from within a container to get duplicated onto unsafe storage, possibly exposing the hosting provider to GDPR type issues (say for example an IP address or person’s name is part of a filename in one of the hosted containers).
So be it…
Thank you very much.
For your efficiency. As usual.
But… what should I do if I REALLY want to be able to execute “locate” on my host… ?
You may be able to force it to run through /var/snap/lxd/common/mntns/var/snap/lxd/storage-pools
ok…
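An added example (not code from the thread or from LXD itself) of what the last two answers describe: resolving a container's rootfs from the host through the mntns symlink, and pointing updatedb at one storage pool only, into a private database, so the system-wide index still never sees container data. It assumes the snap LXD paths quoted above, a pool named "default", and an mlocate/plocate-style updatedb (`-U`, `-o`) and locate (`-d`).

```shell
# Print the host-side path to a container's rootfs. The namespaced path is
# tried first; the old pre-mntns path (which no longer works on recent
# installs) second. The third argument overrides the mntns symlink location,
# which lets the function be exercised against a constructed directory tree.
container_rootfs() {
  pool=$1
  name=$2
  mntns=${3:-/var/snap/lxd/common/mntns}
  for p in \
    "$mntns/var/snap/lxd/common/lxd/storage-pools/$pool/containers/$name/rootfs" \
    "/var/snap/lxd/common/lxd/containers/$name/rootfs"
  do
    if [ -d "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  echo "no rootfs found for container '$name' in pool '$pool'" >&2
  return 1
}

# Index one storage pool into a private database file instead of the system
# mlocate.db. The default visibility level is kept, and the file is made
# root-only, because this database is exactly the host-side copy of container
# file names that the thread warns about.
index_pool() {
  pool=$1
  db=$2
  mntns=${3:-/var/snap/lxd/common/mntns}
  updatedb -U "$mntns/var/snap/lxd/common/lxd/storage-pools/$pool" -o "$db" \
    && chmod 0600 "$db"
}

# Query only the private database, e.g.:
#   index_pool default /root/lxd-default.db && find_in_pool trouve.moi /root/lxd-default.db
find_in_pool() {
  locate -d "$2" "$1"
}
```

Both updatedb and the mntns lookup need root on the host, and the private database still lives on host storage, so it belongs on the same encrypted volume as the pool it indexes.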