How to mount FUSE (mergerfs) file system via "lxc.mount.entry"

Hello,

I want to mount directories into my unprivileged LXC containers that are provided by mergerfs (FUSE), but I get the following error message:

lxc-start: test: ../src/lxc/utils.c: safe_mount: 1220 Permission denied - Failed to mount "/mnt/mergerfs/dir01" onto "/usr/lib/x86_64-linux-gnu/lxc/rootfs/mnt/dir01"
lxc-start: test: ../src/lxc/conf.c: mount_entry: 2439 Permission denied - Failed to mount "/mnt/mergerfs/dir01" on "/usr/lib/x86_64-linux-gnu/lxc/rootfs/mnt/dir01"

The mount entry in the lxc config files looks like:
lxc.mount.entry = /mnt/mergerfs/dir01 mnt/dir01 none rw,bind,create=dir 0 0

I have read in #706 that mounting FUSE file systems may fail due to different internal permission handling. Unfortunately, I couldn’t find a solution.

Is it possible to mount directories from FUSE file systems into unprivileged LXC containers and if so, how can this be done?

I am using lxc v5.0.2 on Debian 12 (bookworm) with kernel 6.1.0-13-amd64.

You probably need allow_other as a mount option and need to make sure that a nobody user can get to /mnt/mergerfs/dir01 without encountering a permission issue (for example restrictive permissions on /mnt/mergerfs or /mnt/mergerfs/dir01 itself).


Thank you very much @stgraber for your hint. Adding allow_other in /etc/fstab did the trick.

I was relying on the statement on https://github.com/trapexit/mergerfs where the following is written:

allow_other: deprecated - mergerfs always sets this FUSE option as normal permissions can be used to limit access.

This however is only true for mergerfs v2.35.0 and newer, but Debian bookworm is currently on v2.33.5.
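
The two checks suggested in this thread (is `allow_other` set on the FUSE mount, and can a non-owner reach the source directory) can be scripted on the host. The following is an added example, not code from any of the posters or from the LXC or mergerfs projects; the function names and the sample mount table are constructed for illustration, and the permission check only looks at the "other" mode bits (it ignores ACLs) and relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit a FUSE source before bind-mounting it into an unprivileged container.

# Constructed sample in /proc/self/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
a:b /mnt/mergerfs fuse.mergerfs rw,relatime,user_id=0,group_id=0,default_permissions 0 0
a:b /mnt/merged-ok fuse.mergerfs rw,relatime,user_id=0,group_id=0,default_permissions,allow_other 0 0
/dev/sda1 /srv ext4 rw,relatime 0 0
EOF
}

# fuse_allow_other MOUNTPOINT [MOUNTS_FILE]
# Prints: ok | missing (FUSE mount without allow_other) | not-fuse | not-mounted
fuse_allow_other() {
    awk -v mp="$1" '
        $2 == mp { fstype = $3; opts = $4; found = 1 }   # last match = topmost mount
        END {
            if (!found)                          { print "not-mounted"; exit }
            if (fstype !~ /^fuse(\.|blk$|$)/)    { print "not-fuse"; exit }
            if (("," opts ",") ~ /,allow_other,/) print "ok"; else print "missing"
        }' "${2:-/proc/self/mounts}"
}

# first_blocked_dir PATH [BASE]
# Walks from PATH up to (not including) BASE, default "/", and prints the
# topmost directory whose mode lacks the "other" execute (search) bit.
# Prints nothing when every component is traversable by a non-owner.
first_blocked_dir() {
    p=$1
    base=${2:-/}
    blocked=
    while [ "$p" != "$base" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        mode=$(stat -c %a "$p") || return 2
        case $mode in
            *[1357]) ;;              # last octal digit odd: others may traverse
            *) blocked=$p ;;         # remember; a higher directory overrides it
        esac
        p=$(dirname "$p")
    done
    [ -z "$blocked" ] || echo "$blocked"
}
```

On a real host, `fuse_allow_other /mnt/mergerfs` reads the live mount table, and `first_blocked_dir /mnt/mergerfs/dir01` names the directory whose permissions need loosening, if any.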