How to hide the rootfs from the host OS

Due to some insane security requirements, I was wondering if it is possible to hide the rootfs directory of a running Incus container from the host OS. I am running Incus on Debian 12, Ubuntu 20.04, Ubuntu 22.04, and Ubuntu 24.04 servers.

Without getting into too many specifics, I have security personnel come in as root and scan my systems. When they see the rootfs directory of a running container, they get upset. Any ideas on how to isolate this directory from the host OS while still having the ability to access the container from the host? Thanks.

Hmm, that’s going to be pretty annoying to sort out. It’s possible, in theory, to run Incus inside of its own mount namespace so none of those mounts would be visible on the host.

This is effectively what LXD does when run as a snap. The problem is that making this work somewhat reliably was a massive amount of pain and something I’m very glad not to have to deal with now with Incus 🙂

The main issue with that approach is that while Incus would then run inside its own mount namespace and correctly hide everything from the host, it would also severely affect its ability to access mounts that appear on the host. Some filesystems (ZFS mostly) also have that annoying tendency of expecting things in the main mount table and not liking the separate mount namespace set up all that much.

Depending on how much control you have, one option may be to actually run the security scanner inside of a mount namespace, effectively doing the equivalent of:

  • unshare -m
  • mount -t tmpfs tmpfs /var/lib/incus
  • run-scanner

So creating a temporary mount namespace in which /var/lib/incus is completely hidden, then running the scanner from that point.
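The three steps above as a runnable script. This is an added example, not code from the original post or from the Incus project. It assumes util-linux `unshare` and `mount` are installed and that the caller is root; the unprivileged user-namespace branch and the helper names `hide_and_run`, `fs_type` and `entry_count` are my own additions so the script can be exercised as a normal user.

```shell
#!/bin/sh
# Added example, not from the original thread or from Incus: run a command
# (the "scanner") inside a fresh mount namespace in which a directory tree
# is shadowed by an empty tmpfs. The process sees nothing under that path,
# while the host's own mount table is left untouched.
#
# Assumptions (mine, not from the post): util-linux `unshare` and `mount`
# are present and the caller is root. The unprivileged user-namespace
# branch exists only so the example can be run and checked as a normal user.

# Path to hide. /var/lib/incus holds the storage pools, so for directory-backed
# pools the container rootfs trees live underneath it.
HIDE_DIR="${HIDE_DIR:-/var/lib/incus}"

# hide_and_run DIR CMD [ARGS...]
# Runs CMD in a new mount namespace where DIR is covered by an empty,
# read-only tmpfs. util-linux `unshare --mount` sets propagation in the new
# namespace to private by default, so the cover mount cannot propagate back
# to the host even when / is a shared mount (the systemd default).
hide_and_run() {
    dir=$1
    shift
    [ -d "$dir" ] || { echo "hide_and_run: $dir is not a directory" >&2; return 2; }

    if [ "$(id -u)" -eq 0 ]; then
        ns_flags="--mount"
    else
        # Demo-only fallback: an unprivileged user can own a user+mount
        # namespace, and tmpfs is one of the few filesystems mountable there.
        ns_flags="--user --map-root-user --mount"
    fi

    # Inside the inner sh, $0 is DIR and "$@" is the command to exec.
    # ro,nosuid,nodev,noexec,size=1m keep the cover mount inert even if the
    # scanner tries to drop files into it.
    unshare $ns_flags sh -c '
        mount -t tmpfs -o ro,nosuid,nodev,noexec,size=1m tmpfs "$0" || exit 1
        exec "$@"
    ' "$dir" "$@"
}

# fs_type DIR: filesystem type name backing DIR as seen from the calling
# namespace ("tmpfs" inside the hidden view, the real backing fs on the host).
fs_type() {
    stat -f -c %T "$1"
}

# entry_count DIR: number of entries visible in DIR (0 when hidden).
entry_count() {
    ls -A "$1" | wc -l | tr -d ' '
}

# Usage (replace `ls -A` with the real scanner command):
#   hide_and_run "$HIDE_DIR" ls -A "$HIDE_DIR"   # scanner view: empty
#   ls -A "$HIDE_DIR"                            # host view: unchanged
```

What this does and does not hide: the cover mount exists only in the scanner's namespace, so `findmnt` or `/proc/self/mountinfo` inside it show no Incus mounts, and the host's mount table is unchanged once the scanner exits. It does not hide the containers themselves: root on the host can still reach a running container's filesystem through `/proc/<pid>/root` of any of its processes, and for ZFS or LVM pools the datasets and volumes stay visible to `zfs list` and `lvs`. It also only helps when you are the one launching the scanner.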

Thank you for your response. As I have absolutely no control over when and how often the security scanner runs, this is a little disappointing. I knew that was how LXD worked, and it saved us from having to deal with the security issues; however, after I moved our 30+ LXD containers over 4 servers to Incus, I realized that this changed. I will now have to do some serious consideration of what to do, as the security stance is heavy and completely inflexible for us.

Again thank you for your response.