No more mount since an update

Hi,
Since I updated lxc (4.0.12 to 5.0.0), I can't launch my unprivileged lxc anymore. It seems to stumble on the mount operations.

lxc-start steam2 20220727182425.770 DEBUG    conf - ../src/lxc/conf.c:mount_entry:2479 - Mounted "tmpfs" on "/usr/lib/lxc/rootfs/tmp" with filesystem type "tmpfs"
lxc-start steam2 20220727182425.770 DEBUG    conf - ../src/lxc/conf.c:mount_entry:2416 - Remounting "/dev/input" on "/usr/lib/lxc/rootfs/dev/input" to respect bind or remount options
lxc-start steam2 20220727182425.770 ERROR    conf - ../src/lxc/conf.c:mount_entry:2459 - Operation not permitted - Failed to mount "/dev/input" on "/usr/lib/lxc/rootfs/dev/input"
lxc-start steam2 20220727182425.770 ERROR    conf - ../src/lxc/conf.c:lxc_setup:4375 - Failed to setup mount entries

The config entry is:

lxc.cgroup2.devices.allow = c 13:* rwm
lxc.mount.entry = /dev/input	 dev/input	none bind,create=dir

Maybe some capability adjustments are needed?

[th@mecanic ~]capsh --print
Current: =
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
Ambient set =
Current IAB: 
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=1000(th) euid=1000(th)
gid=1000(th)
groups=150(wireshark),957(libvirt-qemu),964(postgres),973(minidlna),979(libvirt),986(video),992(kvm),993(input),1000(th),1004(dialout)
Guessed mode: HYBRID (4)

Thank you for your help and checking ideas.

I still don’t know if this can be an idea, but here is the difference I noted between versions 4 and 5.

V4.0.12

DEBUG    conf - conf.c:mount_entry:2412 - Remounting "/dev/input" on "/usr/lib/lxc/rootfs/dev/input" to respect bind or remount options
DEBUG    conf - conf.c:mount_entry:2431 - Flags for "/dev/input" were 4098, required extra flags are 2
DEBUG    conf - conf.c:mount_entry:2475 - Mounted "/dev/input" on "/usr/lib/lxc/rootfs/dev/input" with filesystem type "none"

V5.0.0

DEBUG    conf - ../src/lxc/conf.c:mount_entry:2416 - Remounting "/dev/input" on "/usr/lib/lxc/rootfs/dev/input" to respect bind or remount options
ERROR    conf - ../src/lxc/conf.c:mount_entry:2459 - Operation not permitted - Failed to mount "/dev/input" on "/usr/lib/lxc/rootfs/dev/input"
ERROR    conf - ../src/lxc/conf.c:lxc_setup:4375 - Failed to setup mount entries

Maybe V4 messages were warnings which became errors…

Please can you see if LXD 5.0.1 fixes this?

Very happy to have my unprivileged container back with this version 5.0.1.
Thanks Thomas, thanks to all the maintainers.
thierry
