On 17/01/2023 04:06, Richard Hector wrote:
> I'm using bindfs in my web LXC containers to allow particular users to
> write to their site docroot as the correct user.
I am not familiar with bindfs, so I may miss something important for
your use case.
First of all I am unsure why you prefer bindfs instead of mapping some
container users to host users using namespaces. With the following
configuration, UID 1000 inside the container and on the host is the same UID:
lxc.idmap = u 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 0 100000 1000
lxc.idmap = g 1000 1000 1
lxc.idmap = g 1001 101001 64535
lxc.mount.entry = /home/richard/sitename/doc_root /srv/sitename/doc_root none bind,optional,create=dir
> In /usr/local/bin/fuse.hook:
I would look into lxcfs hook for inspiration
> In /usr/local/bin/fuse.hook.s2:
> ========================================================================
> lxc-device -n ${LXC_NAME} add /dev/fuse
Is there any reason why it cannot be done using lxc.mount.entry in the
container config?
> lxc-attach -n ${LXC_NAME} /usr/local/bin/bindfs_mount
I would consider adding a systemd unit inside the container. Unsure if it
could be done using a udev rule.
> If I don't use the at job, but run those commands manually after boot,
> it works fine with no error messages.
Unsure if it is relevant, but it is better to run lxc-start and
lxc-attach as a systemd unit with Delegate=yes configuration, either a
temporary one (systemd-run) or configured as a service. It ensures
proper cgroup and scope. Otherwise some cryptic errors may happen.
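The idmap alternative suggested in the reply above is easy to get wrong by one range, so here is an added example (not part of the original thread, and not Richard's or LXC's own code) that resolves where a container UID/GID lands on the host under a given set of lxc.idmap lines, and checks that container root is shifted away from host root. The config fragment written to a temporary file is a constructed copy of the mapping from the reply; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Resolve container ids to
# host ids under a set of lxc.idmap lines and sanity-check the mapping.
set -eu

# Constructed sample config: the mapping from the reply, where container
# uid/gid 1000 equals host 1000 and everything else is shifted to 100000+.
CONF="${TMPDIR:-/tmp}/idmap-example.conf"
cat >"$CONF" <<'EOF'
lxc.idmap = u 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 0 100000 1000
lxc.idmap = g 1000 1000 1
lxc.idmap = g 1001 101001 64535
EOF

# idmap_resolve CONF TYPE ID
#   TYPE is u or g. Prints the host id that container id ID maps to, or
#   the word "unmapped" when no lxc.idmap range covers it. Always returns 0
#   so it is safe to call from command substitutions under set -e.
idmap_resolve() {
    conf=$1; type=$2; id=$3
    # Field layout of each line: lxc.idmap = <u|g> <cstart> <hstart> <count>
    awk -v t="$type" -v id="$id" '
        $1 == "lxc.idmap" && $3 == t {
            cstart = $4 + 0; hstart = $5 + 0; count = $6 + 0
            if (id >= cstart && id < cstart + count) {
                print hstart + (id - cstart); found = 1; exit
            }
        }
        END { if (!found) print "unmapped" }' "$conf"
}

# idmap_root_is_shifted CONF
#   Returns 0 when container uid 0 and gid 0 both map to a non-zero host id,
#   i.e. the container really is unprivileged; returns 1 if either maps to
#   host root or is left unmapped.
idmap_root_is_shifted() {
    u=$(idmap_resolve "$1" u 0)
    g=$(idmap_resolve "$1" g 0)
    [ "$u" != 0 ] && [ "$u" != unmapped ] && [ "$g" != 0 ] && [ "$g" != unmapped ]
}

# Stand-alone run: show where a few interesting ids land.
for id in 0 999 1000 1001 65535 65536; do
    printf 'container uid %-6s -> host uid %s\n' "$id" "$(idmap_resolve "$CONF" u "$id")"
done
if idmap_root_is_shifted "$CONF"; then
    echo "ok: container root is shifted away from host root"
else
    echo "WARNING: container root maps onto host root or is unmapped"
fi
```

With this mapping, container uid 1000 resolves to host 1000 (the docroot owner), 0 to 100000, 1001 to 101001, and 65536 is unmapped, which is what you want to see before granting that container a bind mount of a host directory. Following the last paragraph of the reply, the container itself would then be started under a delegated scope, for example `systemd-run -p Delegate=yes --unit lxc-sitename lxc-start -n sitename -F`.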