I use bind mounts to make some folders viewable but not deletable by users.
I did it via /etc/fstab before this way:
/var/log/USER/user /home/USER/logs/error none bind,ro 0 0
It works perfectly on bare-metal servers and OpenVZ, but inside LXD it becomes
tank/lxd/containers/c1 on /home/USER/logs/error type zfs (rw,relatime,xattr,posixacl)
after container start.
This looks like a bug, should I create an issue on GitHub?
When I do the bind manually it also doesn't act as expected:
mount --bind -o ro /var/log/error/USER /home/USER/logs/error
mount: warning: /home/USER/logs/error seems to be mounted read-write.
Latest LXD 3.18 from SNAP
Ubuntu 18.04 on host
Ubuntu 14.04 inside container
ZFS 0.8.2
stgraber (Stéphane Graber), December 20, 2019, 9:27pm (#2)
This either feels like a zfs bug or something odd happening with apparmor.
Can you look in dmesg for any related denial message?
All I have in dmesg are about remounting /proc with hidepid=2:
dmesg | grep $ct
[ 1061.376353] audit: type=1400 audit(1576871783.373:62): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd-c2035_</var/snap/lxd/common/lxd>" pid=22144 comm="apparmor_parser"
[ 1061.406009] audit: type=1400 audit(1576871783.401:63): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-c2035_</var/snap/lxd/common/lxd>" pid=22184 comm="apparmor_parser"
[ 1061.502622] IPv6: ADDRCONF(NETDEV_CHANGE): veth0c2035: link becomes ready
[ 1066.155045] audit: type=1400 audit(1576871788.149:64): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-c2035_</var/snap/lxd/common/lxd>" name="/proc/" pid=25742 comm="mount" flags="rw, remount"
[ 1076.488371] audit: type=1400 audit(1576871798.485:65): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-c2035_</var/snap/lxd/common/lxd>" name="/proc/" pid=26037 comm="mount" flags="rw, remount"
[ 1229.850924] audit: type=1400 audit(1576871951.845:66): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxd-c2035_</var/snap/lxd/common/lxd>" name="/proc/" pid=30414 comm="mount" flags="rw, nosuid, nodev, noexec, remount"
[ 1254.568473] audit: type=1400 audit(1576871976.565:67): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="lxd-c2035_</var/snap/lxd/common/lxd>" pid=31550 comm="apparmor_parser"
[ 1277.907180] audit: type=1400 audit(1576871999.901:68): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxd-c2035_</var/snap/lxd/common/lxd>" pid=31759 comm="apparmor_parser"
This is a privileged container without apparmor restrictions now:
lxc config set $ct security.privileged true
lxc config set $ct raw.lxc 'lxc.apparmor.profile=unconfined'
I'm not sure it's because of zfs - I got the desired result with (and only in this combination):
umount /home/USER/logs/error
mount --bind -o ro /var/log/error/USER /home/USER/logs/error
# mount: warning: /home/USER/logs/error seems to be mounted read-write.
mount -o ro,bind,remount /var/log/error/USER /home/USER/logs/error
# mount | grep USER
/var/log/error/USER on /home/USER/logs/error type none (ro,bind)
stgraber (Stéphane Graber), December 21, 2019, 2:38am (#4)
Right, that part is expected bind-mount behavior.
Making a read-only bind-mount always involves:
mount -o bind src dst
mount -o remount,ro dst dst
But usually the tools abstract that from you, doing the right thing automatically.
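The two-step procedure above, with the check a practitioner wants afterwards, as an added example (not code from the original posts or from LXD). It follows Stéphane's bind-then-remount sequence, includes `bind` in the remount so that only the bind mount's flags change and not those of the filesystem the source lives on, and then reads /proc/self/mountinfo to confirm the target actually carries `ro` before the folder is trusted to be non-deletable. Function names, messages and the usage paths are constructed for this example; the mount calls require root.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from LXD):
# create a read-only bind mount in two steps, then verify from
# /proc/self/mountinfo that the target really is read-only before relying
# on it. Function names and messages are constructed for this example.
set -eu

# Return 0 if a comma-separated per-mount option string contains the bare
# "ro" flag (not "errors=ro" or similar). Pure string check, needs no root.
opts_are_ro() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the per-mount options (field 6 of /proc/self/mountinfo) for the
# mount point DST; fail if nothing is mounted there.
mount_opts_of() {
    awk -v dst="$1" '
        $5 == dst { print $6; found = 1 }
        END       { exit !found }
    ' /proc/self/mountinfo
}

# Check that DST is mounted and carries "ro"; print a warning and return 1
# otherwise. Worth running after container start too: it flags a bind that
# another mount (such as the zfs dataset seen in the thread) has covered.
verify_ro() {
    dst=$1
    if ! opts=$(mount_opts_of "$dst"); then
        echo "WARNING: nothing mounted on $dst" >&2
        return 1
    fi
    if opts_are_ro "$opts"; then
        echo "ok: $dst is read-only ($opts)"
    else
        echo "WARNING: $dst is read-write ($opts)" >&2
        return 1
    fi
}

# Two-step read-only bind mount (requires root). The first mount alone
# leaves DST read-write, which is the "seems to be mounted read-write"
# warning from the thread; only the remount applies the ro flag.
# "remount,bind" changes the flags of this bind mount only, not the
# underlying filesystem that SRC lives on.
make_ro_bind() {
    src=$1
    dst=$2
    mount -o bind "$src" "$dst"
    mount -o remount,bind,ro "$src" "$dst"
    verify_ro "$dst"
}

# Usage (as root; paths are the constructed ones from this thread):
#   make_ro_bind /var/log/error/USER /home/USER/logs/error
#   verify_ro /home/USER/logs/error
```

The check is deliberately separate from the mount step: on a host the fstab entry may look right, yet inside the container the verification is what reveals whether the bind survived container start or was replaced by a read-write mount with different options.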