I am new to LXD and I am experiencing a problem that is too complex for my level of knowledge to even know where to start looking for a solution.
On a Fedora Server host, I run an unprivileged Fedora Server LXD container. Inside that container, I have Docker running. The Docker storage (`/var/lib/docker`) is encrypted using gocryptfs. The problem that I’m experiencing is that inside Docker containers, root trying to access files that are owned by another user fails with a “Not supported” error.
On the host system I have `root:1000000:1001000000` in both `/etc/subuid` and `/etc/subuid`, in case this has anything to do with it.
To reproduce the problem, create an LXD container running a docker container with encrypted storage like this:
```
lxc launch images:fedora/35 test
lxc exec test bash
```
Then inside the container:
```
# Install docker and gocryptfs
dnf -y install dnf-plugins-core
dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo
dnf -y install docker-ce docker-ce-cli containerd.io gocryptfs
# Set up encrypted docker storage
mkdir -p /var/lib/docker.enc /var/lib/docker
gocryptfs -init /var/lib/docker.enc
gocryptfs -allow_other /var/lib/docker.enc /var/lib/docker
# Run docker container
systemctl start docker
docker run --rm -ti alpine sh
```
Then inside the Docker container:
```
touch test
cat test # Works
chown nobody:nobody test
cat test # Fails
```
There are some things that I find curious about this:
- Doing the same thing outside of the Docker container, but on the encrypted file system, does not yield the error.
- Doing the same thing inside the Docker container, but with the Docker storage not being encrypted, does not yield the error.
- Doing the same thing inside the Docker container, but with the LXD container running in privileged mode, does not yield the error.
- Using encfs instead of gocryptfs yields the same error.
I suspect that this might have something to do with the UID mapping, but I don’t know where to dig further. gocryptfs itself does not show any error messages.
My questions are:
- What is causing this error and how can I fix it?
- Are there any alternative encryption methods that I could use? My requirement is that the password needs to be entered inside the LXD container, rather than on the host system.
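Added diagnostic helper (editor's example, not part of the original post or of gocryptfs/LXD): it summarises the two facts the post suspects are involved, the user-namespace ID mapping that the container's root actually runs under, and the mount options of the FUSE mount backing `/var/lib/docker`. Run with `--live` inside the LXD container and again inside the Docker container to compare; the sample inputs in the comments are constructed and the `--live` flag and function names are this example's own.

```shell
#!/bin/sh
# Diagnostic helper added as an example; not from the original post.

# Summarise a /proc/<pid>/uid_map (or gid_map) text: does container id 0
# map to host id 0 (as in a privileged LXD container) or to a shifted range
# (as in an unprivileged one)? Constructed sample input:
#   "         0    1000000 1000000000"
userns_mapping_summary() {
  printf '%s\n' "$1" | awk '
    $1 == 0 && $2 == 0 { print "unshifted: id 0 is host id 0 (privileged-style mapping)"; found=1; exit }
    $1 == 0            { printf "shifted: id 0 is host id %s (length %s)\n", $2, $3; found=1; exit }
    END { if (!found) print "no mapping for id 0" }'
}

# Summarise one /proc/mounts line: confirm it is a FUSE mount and report
# whether allow_other (needed for any user other than the mounter to see the
# files) and default_permissions (kernel-side permission checks) are set.
# Constructed sample input:
#   "/var/lib/docker.enc /var/lib/docker fuse.gocryptfs rw,relatime,allow_other 0 0"
fuse_mount_summary() {
  line="$1"
  set -- $line
  mountpoint=$2; fstype=$3; opts=$4
  case "$fstype" in
    fuse*) ;;
    *) echo "not a FUSE mount ($fstype)"; return 1 ;;
  esac
  ao=no; dp=no
  case ",$opts," in *,allow_other,*) ao=yes ;; esac
  case ",$opts," in *,default_permissions,*) dp=yes ;; esac
  echo "fuse mount on $mountpoint: allow_other=$ao default_permissions=$dp"
}

# Live mode: read the real mapping and mount table of the current process.
if [ "${1:-}" = "--live" ]; then
  echo "uid_map: $(userns_mapping_summary "$(cat /proc/self/uid_map)")"
  echo "gid_map: $(userns_mapping_summary "$(cat /proc/self/gid_map)")"
  grep ' /var/lib/docker ' /proc/mounts | while read -r l; do
    fuse_mount_summary "$l"
  done
fi
```

If the uid_map line reads `0 0 4294967295` the container root is host root (matching the privileged case where the post sees no error); a shifted first line such as `0 1000000 1000000000` is the unprivileged mapping from `/etc/subuid`. The mount summary tells you whether the FUSE options differ between the case that works and the case that fails, which is the first thing to compare when a file operation returns "Not supported" only on one of them.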