Issues with autofs in a migrated container

donovanm21 · December 15, 2022, 12:56am

Hi There,

Having a strange issue with a container on my LXD host.

Environment:

Host - Ubuntu 20.04
Kernel - 5.4.0-135-generic
LXD - 5.8

Container:

CentOS 7.8

Issue:

autofs.service fails to start with the below error when you try to run automount -f -v

automount: test mount forbidden or incorrect kernel protocol version, kernel protocol version 5.00 or above required.

Have not been able to find much info on this online and tried most of the suggested checks.

donovanm21 · December 15, 2022, 12:58am

I suspect I am missing something in terms of access for the container to the host.

Output from a bare metal host that works fine:

Starting automounter version 5.0.7-109.el7, master map auto.master using kernel protocol version 5.05

amikhalitsyn · December 15, 2022, 1:19pm

You wrote about “migrated container”. What kind of “migration” do you mean?

amikhalitsyn · December 15, 2022, 1:53pm

As far as I can see autofs is still not containerized in Linux kernel (it has no FS_USERNS_MOUNT flag), which means that you can’t mount autofs inside the container. That’s why you are getting this error.

Required here:

github.com

Distrotech/autofs/blob/97b24d8dfdca51503ca37b5b199dc9ce5b687858/lib/mounts.c#L119

      
        
            
            
	len = snprintf(options, MAX_OPTIONS_LEN,
            		       kver_options_template, pipefd[1], (unsigned) pgrp);
            	if (len < 0) {
            		close(pipefd[0]);
            		close(pipefd[1]);
            		rmdir(t_dir);
            		return 0;
            	}
            
            
	if (mount("automount", t_dir, "autofs", MS_MGC_VAL, options)) {
            		close(pipefd[0]);
            		close(pipefd[1]);
            		rmdir(t_dir);
            		return 0;
            	}
            
            
	close(pipefd[1]);
            
            
	if (stat(t_dir, &st) == -1) {
            		umount(t_dir);

donovanm21 · December 15, 2022, 7:28pm

Thanks for the reply and insights.

I used the migration binary and did a live migration of a physical host to LXD and changed it into a container.

Makes more sense now why it won’t work and there is very little info about it online. Any plans to add this or any work arounds for the time being?

stgraber · December 16, 2022, 3:20pm

It will need kernel work. I don’t see a fundamental reason why it would be unsafe to allow it, so it’s likely just a case of nobody having gotten around to implementing it.

A workaround could be to use a privileged container (security.privileged=true) but that comes with some very serious security implications and should only ever be considered if you’re effectively happy with whoever gets root inside of that container to be able to break out and get root on your host system.

The alternative otherwise would be to use a LXD VM instead. Unfortunately there’s no automated way to go from a container to a VM due to containers lacking a full partition table, kernel, bootloader, …

donovanm21 · December 16, 2022, 4:57pm

Hi Stephane,

Thanks for the insights. Going to try and do the same with a VM. This seems to be the solution, at least for now.