Hi,
I am trying to create a container with nested idmapped mounts.
For example consider the following paths on the host:
               uid  gid  path
    drwxr-xr-x 1000 1000 /pathA
    drwxr-xr-x 1000 1000 /pathA/mypathB
    -rw-r--r-- 1000 1000 /pathA/fileA
    drwxr-xr-x 1000 1000 /pathB
    -rw-r--r-- 1000 1000 /pathB/fileB
Now I’m trying to do the following mounts in the container (/pathA already exists in the rootfs):
    lxc.rootfs.options = ro idmap=container
    lxc.mount.entry = /pathA pathA none bind,ro,idmap=container 0 0
    lxc.mount.entry = /pathB pathA/mypathB none bind,ro,idmap=container 0 0
The idmap looks like this:
    lxc.init.uid = 1000
    lxc.init.gid = 1000
    lxc.idmap = u 0 100000 65535
    lxc.idmap = g 0 100000 65535
I get the following error:
    lxc-start: test: conf.c: __lxc_idmapped_mounts_child: 3037 Invalid cross-device link - Failed to open target mountpoint 19/pathA/mypathB for detached idmapped mount 22:19/pathB
    lxc-start: test: conf.c: lxc_idmapped_mounts_child: 3083 Invalid cross-device link - Failed to setup idmapped mount entries
    lxc-start: test: conf.c: lxc_setup: 4364 Invalid cross-device link - Failed to attached detached idmapped mounts
If I do only the first mount, then /pathA is correctly mounted.
If I remove the idmap=container option from the lxc.mount.entry settings, then the container starts and both paths are mounted; however, the ids are set to nobody.
If I remove the option only on the second entry, then the container fails with the following error:
    lxc-start: test: conf.c: mount_entry: 2397 No such file or directory - Failed to mount "/pathB" on "/usr/lib/lxc/rootfs/pathA/mypathB"
Is this a limitation of idmapped mounts or is there a way to make this work?
System: Archlinux
LXC-Version: 1:4.0.11-2