Quoting Yasoda Padala ([email protected]):
> Hi All,
> I want to spawn an unprivileged LXC container with container rootfs as
> squashfs filetype.
> (goal is to have container rootfs as compressed and read-only)
>
> 1. Created a squashfs file out of container's rootfs using the below
> command:
> *mksquashfs rootfs rootfs.squashfs*
> 2. Changed the rootfs path in the container config to refer to this newly
> created rootfs.squashfs file
> please find attached container config file
>
> LXC is giving the below error while starting the unprivileged container
>
> lxc-start 20180817025351.739 ERROR lxc_conf - conf.c:setup_rootfs:1220 -
> Failed to mount rootfs
> "/home/oxpd/.local/share/lxc/spawn_squashfs_rootfs/rootfs.squashfs" onto
> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
>
> lxc-start 20180817025351.739 ERROR lxc_conf -
> conf.c:do_rootfs_setup:3899 - failed to setup rootfs for
> 'spawn_squashfs_rootfs'
>
> lxc-start 20180817025351.739 ERROR lxc_conf -
> conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
>
> lxc-start 20180817025351.739 ERROR lxc_start -
> start.c:do_start:811 - Failed to setup container "spawn_squashfs_rootfs".
>
> lxc-start 20180817025351.739 ERROR lxc_sync -
> sync.c:__sync_wait:57 - An error occurred in another process (expected
> sequence number 3)
>
> lxc-start 20180817025351.739 ERROR lxc_start -
> start.c:__lxc_start:1358 - Failed to spawn container
> "spawn_squashfs_rootfs".
>
> lxc-start 20180817025356.796 ERROR lxc_start_ui -
> tools/lxc_start.c:main:366 - The container failed to start.
>
> lxc-start 20180817025356.796 ERROR lxc_start_ui -
> tools/lxc_start.c:main:368 - To get more details, run the container in
> foreground mode.
>
> lxc-start 20180817025356.796 ERROR lxc_start_ui -
> tools/lxc_start.c:main:370 - Additional information can be obtained by
> setting the --logfile and --logpriority options.
>
> Since lxc was not able to mount squashed rootfs filetype, I tried the
> following steps
>
> 1. Created empty rootfs directory
> 2. Mounted rootfs.squashfs to rootfs directory created in step# 1 ( *sudo
> mount -o loop -t squashfs rootfs.squashfs rootfs *)

Note that you can do this using squashfuse with the allow_other option, to
do it without sudo.

> 3. Verified the new rootfs directory is read-only
> 4. Started container with this new rootfs read-only directory and it
> worked fine
> 5. Verified that rootfs inside the container also is read-only.
>
> * is it the right way of doing ?? or if there is any other way in which LXC

Yes, I think so. For the moment (and foreseeable future) you can't mount
squashfs as unpriv user because you could feed garbage into the in-kernel
superblock parser and potentially wreak havoc.

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
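
As an added example (not code from the thread or from LXC), here is a Python check for step 3 of the workflow above: it parses /proc/self/mountinfo to confirm that a candidate rootfs directory is a squashfs (loop) or squashfuse mount and is read-only before the path is handed to LXC. The sample mountinfo lines, the /home/oxpd/lxc/... paths and the `fuse.squashfuse` type name for squashfuse mounts are constructed or assumed here, not taken from the poster's system.

```python
import os
import re

# Constructed /proc/self/mountinfo sample (not captured from the poster's host):
# ext4 root, the loop-mounted squashfs rootfs from step 2, a squashfuse mount
# with allow_other as the reply suggests, and a writable bind mount for contrast.
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
90 25 7:0 / /home/oxpd/lxc/rootfs ro,relatime shared:40 - squashfs /dev/loop0 ro
91 25 0:45 / /home/oxpd/lxc/rootfs-fuse rw,nosuid,nodev,relatime shared:41 - fuse.squashfuse squashfuse ro,user_id=1000,group_id=1000,allow_other
92 25 8:1 /srv/rw /home/oxpd/lxc/rootfs-rw rw,relatime shared:42 - ext4 /dev/sda1 rw,errors=remount-ro
"""

# Accepted rootfs types; FUSE reports squashfuse mounts as fuse.<subtype> (assumed name).
SQUASHFS_TYPES = {"squashfs", "fuse.squashfuse"}

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Map mount point -> options. Fields before ' - ': mount id, parent id,
    major:minor, root, mount point, per-mount options, optional tags;
    after it: fstype, source, superblock options."""
    mounts = {}
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 3:
            continue  # blank or malformed line
        mounts[_unescape(pre_fields[4])] = {
            "mount_opts": set(pre_fields[5].split(",")),
            "fstype": post_fields[0],
            "source": _unescape(post_fields[1]),
            "super_opts": set(post_fields[2].split(",")),
        }
    return mounts

def check_rootfs(path, mountinfo_text):
    """Return (ok, reason): is `path` a read-only squashfs/squashfuse mount?"""
    entry = parse_mountinfo(mountinfo_text).get(os.path.normpath(path))
    if entry is None:
        return False, "not a mount point"
    if entry["fstype"] not in SQUASHFS_TYPES:
        return False, f"unexpected filesystem type {entry['fstype']}"
    # Read-only may be set per mount (field 6) or on the superblock; either suffices.
    if "ro" not in entry["mount_opts"] and "ro" not in entry["super_opts"]:
        return False, "mounted read-write"
    return True, f"{entry['fstype']} mounted read-only from {entry['source']}"
```

To check a real directory, pass the contents of /proc/self/mountinfo instead of SAMPLE_MOUNTINFO; the squashfuse line shows why both option fields are consulted, since the per-mount options there are rw while the superblock is ro.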
