Hi, I have a use case where my media files are shared with multiple LXD containers. Most containers do not require write access to these shares. Therefore I share the data read-only.
See my example below of how it is configured.
Adding multimedia shares to MS2 on host (in /etc/rc.local):
mount --bind "/storage0/NAS1/user/Mijn bestanden/Mijn muziek" /storage0/MS2/music-ro
mount -o remount,ro,bind /storage0/MS2/music-ro
Add shares to MS2 (LXD minidlna container):
lxc config device add MS2 md2 disk source=/storage0/MS2/music-ro path=/storage0/music
This worked on Ubuntu 16.04-LTS with LXD versions 2.x and 3.x.
Now migrated to Ubuntu 20.04-LTS:
$ lxd version
4.0.7
$ snap version
snap 2.51.3
snapd 2.51.3
series 16
ubuntu 20.04
kernel 5.4.0-81-generic
Sharing folders this way does not work anymore. The shared folder is empty from within the container due to the nouser/nogroup attributes of the files and folders, probably because my LXD host and container are not members of my domain. I enabled shiftfs to make the content of the share visible.
Add shares to MS2 (LXD minidlna container):
lxc config device add MS2 md2 disk source=/storage0/MS2/music-ro path=/storage0/music shift=true
This way the container has access to the content of the share, great.
Sadly I noted that now it is possible to write to the share! It does not make sense to me because from the host it is not possible to write to /storage0/MS2/music-ro. Even root is not allowed to write to this folder. But from within the container root has complete write access to the source files in "/storage0/NAS1/user/Mijn bestanden/Mijn muziek".
I do not understand what is going on here. It might be a bug or not, but I do not like it. Is this normal?
It may depend on how the host is set up. shiftfs can't bypass a read-only superblock bit, but it may get past a read-only bind-mount flag as it will effectively itself become a new mount of the underlying superblock.
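The distinction the reply draws can be checked on the host without touching shiftfs. In the /proc/self/mountinfo format (see proc(5)), the sixth field holds the per-mount flags, which is where `mount -o remount,ro,bind` puts its `ro`, while the options after the ` - ` separator belong to the superblock. Only the latter survives a fresh mount of the same filesystem. The POSIX shell script below is an added example, not code from the thread or from LXD; the mountinfo lines it contains are constructed to mirror the poster's layout and were not captured from a real host.

```shell
#!/bin/sh
# Added example: tell a read-only bind-mount flag apart from a read-only
# superblock using the /proc/self/mountinfo line format (proc(5)).
# Fields before the " - " separator are per-mount (field 5 = mount point,
# field 6 = per-mount flags such as "ro"); the third field after the
# separator is the superblock's option string. A per-mount "ro" does not
# carry over to a new mount of the same superblock, such as a shiftfs view.

# ro_kind PER_MOUNT_OPTS SUPERBLOCK_OPTS -> superblock-ro | mount-ro | rw
ro_kind() {
    case ",$2," in
        *,ro,*) echo superblock-ro; return ;;
    esac
    case ",$1," in
        *,ro,*) echo mount-ro; return ;;
    esac
    echo rw
}

# classify_mountinfo: read mountinfo lines on stdin, print "<target> <kind>".
# Paths with spaces are octal-escaped (\040) in mountinfo, so plain word
# splitting on the line is safe.
classify_mountinfo() {
    while IFS= read -r line; do
        case "$line" in
            *" - "*) ;;
            *) continue ;;   # not a mountinfo line, skip it
        esac
        pre=${line%% - *}
        post=${line#* - }
        # shellcheck disable=SC2086
        set -- $pre
        target=$5; mntopts=$6
        # shellcheck disable=SC2086
        set -- $post
        sbopts=$3
        printf '%s %s\n' "$target" "$(ro_kind "$mntopts" "$sbopts")"
    done
}

# Constructed sample lines (assumed layout, not captured from the poster's
# host): a read-only bind mount of a read-write ext4, a genuinely read-only
# superblock, and an ordinary read-write mount.
SAMPLE_MOUNTINFO='402 29 8:17 /NAS1/user/Mijn\040bestanden/Mijn\040muziek /storage0/MS2/music-ro ro,relatime shared:1 - ext4 /dev/sdb1 rw,errors=remount-ro
403 29 8:33 / /mnt/archive ro,relatime shared:2 - ext4 /dev/sdc1 ro
404 29 8:17 / /storage0 rw,relatime shared:3 - ext4 /dev/sdb1 rw,errors=remount-ro'

# Live usage on a host:
#   classify_mountinfo < /proc/self/mountinfo | grep '^/storage0/MS2/music-ro '
# Offline usage on the constructed sample:
printf '%s\n' "$SAMPLE_MOUNTINFO" | classify_mountinfo
```

A result of `mount-ro` for the share means only the bind-mount flag protects it, which is the case the reply says shiftfs can get past; `superblock-ro` means the filesystem itself is mounted read-only.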