Mount home directory read only permission denied

Hi,

I am trying to mount my home directory to the /home/ubuntu directory in my LXD container.

I want it to be read-only, i.e. I want to read the data inside the container but not write or modify it. But when I try to even access a file, for example with the cat command, I get a permission denied error.

This is how I am doing it right now:

lxc init ubuntu classifier
lxc config device add classifier homedir disk source=$HOME path=/home/ubuntu
lxc start classifier

Then I go inside the container to let’s say read a file as follows:

cat /home/ubuntu/sample.txt

It gives permission denied, due to the fact that all the files are owned by nobody:nogroup. Is there any way that I can read them but not modify them from within the container?

Try setting shift=true on the disk device you’re attaching.

Thanks @tomp, I tried but it returns “shiftfs is required by disk entry but isn’t supported on system”. Is there any workaround for this?

What OS is your host and are you using the snap?

Ubuntu 18.04 and yes, using snap lxd

Try doing:

sudo snap set lxd shiftfs.enable=true
sudo systemctl reload snap.lxd.daemon

Thanks @tomp for the suggestion. I tried and I am able to access/read the contents of home directory that was mounted. But I am also able to modify the contents from within my container and they are getting modified on host directory too.

I believe this is enabling the read and write method, whereas I am exploring the read-only method.

You should be able to use the readonly=true disk device setting to mount readonly.

See https://linuxcontainers.org/lxd/docs/master/instances#type-disk

I added readonly=true option to the mount command and launched a new container. But still I was able to modify the files inside the container and thus the files were eventually modified on the host as well.

Interesting. I’ve tried disabling the shift mode by setting shift=false, and then created a directory which is owned by the container’s UID, and then shared that using a readonly=true disk device and it behaves as expected, I can see the files, but I cannot create or modify them.

But with shift=true I can modify the files, and create new files, although they do appear to have the read-only property set on them (there is a warning when I come to delete them on the host).

@stgraber @brauner could this be a shiftfs behavior/issue?

In the meantime, if all you’re trying to do is read files in your home directory, if you’re comfortable making your home directory globally readable then disabling the shift mode will allow you to access files (albeit they’ll appear to be owned by nobody inside the container).


That would be a bug yes. I’ll try and reproduce.

What’s your output of findmnt from inside the container for that directory?

mkdir /home/user/test
lxc config device add ctest mydisk disk source=/home/user/test path=/mnt/test shift=true readonly=true

lxc shell ctest
root@ctest:/mnt/test# findmnt
TARGET                                SOURCE         FSTYPE    OPTIONS
/                                     /var/lib/lxd/storage-pools/zfs/containers/ctest/rootfs
│                                                    shiftfs   rw,relatime,passthrough=3
├─/run                                tmpfs          tmpfs     rw,nosuid,nodev,size=802760k,mode=755,uid=
│ ├─/run/lock                         tmpfs          tmpfs     rw,nosuid,nodev,noexec,relatime,size=5120k
│ └─/run/user/0                       tmpfs          tmpfs     rw,nosuid,nodev,relatime,size=802756k,mode
├─/dev                                none           tmpfs     rw,relatime,size=492k,mode=755,uid=1000000
│ ├─/dev/shm                          tmpfs          tmpfs     rw,nosuid,nodev,uid=1000000,gid=1000000
│ ├─/dev/fuse                         udev[/fuse]    devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/net/tun                      udev[/net/tun] devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/pts                          devpts         devpts    rw,nosuid,noexec,relatime,gid=1000005,mode
│ ├─/dev/mqueue                       mqueue         mqueue    rw,nosuid,nodev,noexec,relatime
│ ├─/dev/lxd                          tmpfs          tmpfs     rw,relatime,size=100k,mode=755
│ ├─/dev/.lxd-mounts                  tmpfs[/ctest]  tmpfs     rw,relatime,size=100k,mode=711
│ ├─/dev/full                         udev[/full]    devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/null                         udev[/null]    devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/random                       udev[/random]  devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/tty                          udev[/tty]     devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/urandom                      udev[/urandom] devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/zero                         udev[/zero]    devtmpfs  rw,nosuid,noexec,relatime,size=3981636k,nr
│ ├─/dev/console                      devpts[/3]     devpts    rw,nosuid,noexec,relatime,gid=5,mode=620,p
│ └─/dev/ptmx                         devpts[/ptmx]  devpts    rw,nosuid,noexec,relatime,gid=1000005,mode
├─/proc                               proc           proc      rw,nosuid,nodev,noexec,relatime
│ ├─/proc/sys/kernel/random/boot_id   none[/.lxc-boot-id]
│ │                                                  tmpfs     ro,nosuid,nodev,noexec,relatime,size=492k,
│ └─/proc/sys/fs/binfmt_misc          binfmt_misc    binfmt_mi rw,nosuid,nodev,noexec,relatime
├─/sys                                sysfs          sysfs     rw,relatime
│ ├─/sys/fs/cgroup                    tmpfs          tmpfs     ro,nosuid,nodev,noexec,mode=755,uid=100000
│ │ ├─/sys/fs/cgroup/unified          cgroup2        cgroup2   rw,nosuid,nodev,noexec,relatime,nsdelegate
│ │ ├─/sys/fs/cgroup/systemd          cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,xattr,name
│ │ ├─/sys/fs/cgroup/pids             cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/cpu,cpuacct      cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,cpu,cpuacc
│ │ ├─/sys/fs/cgroup/devices          cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/blkio            cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/freezer          cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,net_cls,ne
│ │ ├─/sys/fs/cgroup/cpuset           cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,cpuset
│ │ ├─/sys/fs/cgroup/memory           cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/rdma             cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,rdma
│ │ ├─/sys/fs/cgroup/hugetlb          cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,hugetlb
│ │ └─/sys/fs/cgroup/perf_event       cgroup         cgroup    rw,nosuid,nodev,noexec,relatime,perf_event
│ ├─/sys/firmware/efi/efivars         efivarfs       efivarfs  rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/fuse/connections          fusectl        fusectl   rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/pstore                    pstore         pstore    rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/config                configfs       configfs  rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/debug                 debugfs        debugfs   rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security              securityfs     securityf rw,nosuid,nodev,noexec,relatime
│ └─/sys/kernel/tracing               tracefs        tracefs   rw,nosuid,nodev,noexec,relatime
└─/mnt/test                           /dev/.lxd-mounts/lxdmount_369224129
                                                     shiftfs   rw,relatime,passthrough=3

Looks like the mount is still rw in the container.

Also I would like to clarify that with shift=true and readonly=true it appears that I can create, rename and delete files, but I cannot actually edit the contents.

touch /mnt/test/hello.txt
ls -la /mnt/test/
total 5
drwxrwxr-x 2 ubuntu ubuntu 4096 Feb 17 10:03 .
drwxr-xr-x 3 root   root      3 Feb 17 09:56 ..
-rw-r--r-- 1 root   root      0 Feb 17 10:03 hello.txt
echo "hello" > /mnt/test/hello.txt
-bash: /mnt/test/hello.txt: Read-only file system

And on the host directory:

user@user-MS-7821:~$ ls -la /home/user/test/
total 8
drwxrwxr-x  2 user user 4096 Feb 17 10:03 .
drwxr-xr-x 31 user user 4096 Feb 17 09:56 ..
-rw-r--r--  1 root root    0 Feb 17 10:03 hello.txt

I didn’t make it globally readable, removed shift=true and just added readonly=true. This works.


Fix is here:


Look at the “/mnt/test” mount entry in your mount table, it hasn’t been turned readonly.

Yeah I noticed that. Is that something that root inside the container can remount back to rw (once it is being passed as ro) or is that prevented?

They don’t own the original mount so container root shouldn’t be able to remount rw.

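Added example, not code from the thread or from LXD itself: a POSIX shell check for the two questions raised above, whether a disk device is really mounted read-only inside the container, and whether container root can remount it rw. It reads /proc/self/mountinfo rather than relying on findmnt's merged OPTIONS column, because field 6 of a mountinfo line is the per-mount VFS flag set (where a readonly=true device should show ro), while the superblock options after the " - " separator can legitimately still say rw for a read-only bind mount. The SAMPLE_MOUNTINFO lines are constructed to resemble the thread's output; the container name, the lxdmount_example source names and the use of `lxc exec` on the host are assumptions.

```shell
#!/bin/sh
# Verify that an LXD disk device is mounted read-only as seen from inside the
# container, using the per-mount flags in /proc/self/mountinfo.
#
# mountinfo line layout:
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT VFSOPTS [optional...] - FSTYPE SOURCE SUPEROPTS
# $5 is the mount point and $6 the VFS mount options; "ro" there is the flag
# that readonly=true must set. The SUPEROPTS at the end belong to the
# filesystem instance and may say "rw" even when this mount is read-only.

# Constructed sample (not real output): /mnt/test mirrors the rw case reported
# in the thread, /mnt/ro is what a working readonly=true device looks like.
SAMPLE_MOUNTINFO='310 301 0:48 / / rw,relatime - shiftfs /var/lib/lxd/storage-pools/zfs/containers/ctest/rootfs rw,passthrough=3
350 310 0:49 / /mnt/test rw,relatime - shiftfs /dev/.lxd-mounts/lxdmount_example rw,passthrough=3
351 310 0:50 / /mnt/ro ro,relatime - shiftfs /dev/.lxd-mounts/lxdmount_example rw,passthrough=3'

# mount_vfs_opts TARGET   (mountinfo text on stdin)
# Print the VFS mount options of the entry whose mount point is TARGET, or
# nothing if TARGET is not a mount point. mountinfo escapes spaces in paths as
# \040, so a path containing spaces must be passed in that escaped form.
mount_vfs_opts() {
    awk -v t="$1" '$5 == t { print $6; exit }'
}

# mount_is_ro TARGET   (mountinfo text on stdin)
# Exit 0 only if TARGET is a mount point carrying the "ro" VFS flag.
mount_is_ro() {
    opts=$(mount_vfs_opts "$1")
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_container_mount CONTAINER PATH
# Assumes the lxc client is available on the host. Pulls mountinfo from inside
# the container, checks the ro flag, then confirms that container root cannot
# remount the path rw (the kernel locks the ro flag on mounts inherited into a
# less privileged user namespace, so the remount is expected to fail).
check_container_mount() {
    ctr=$1
    path=$2
    if lxc exec "$ctr" -- cat /proc/self/mountinfo | mount_is_ro "$path"; then
        echo "$path is mounted read-only in $ctr"
    else
        echo "$path is NOT read-only in $ctr (check the device's readonly setting)" >&2
        return 1
    fi
    if lxc exec "$ctr" -- mount -o remount,rw "$path" 2>/dev/null; then
        echo "WARNING: container root was able to remount $path rw" >&2
        return 1
    fi
    echo "remount rw from inside $ctr correctly refused"
}

# Stand-alone use: sh this_script.sh <container> <path-inside-container>
if [ $# -eq 2 ]; then
    check_container_mount "$1" "$2"
fi
```

Run it on the host as `sh check_ro.sh ctest /mnt/test` (script name assumed) after adding the device; a device added with readonly=true should pass both checks, and the thread's shift=true case would fail the first one, matching the rw shown for /mnt/test in the findmnt output above.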