Public bug reported:

Not sure if this is an lxc bug or an ecryptfs bug. Please reassign if necessary.

I have an unprivileged container that is defined in the default location, ~/.share/local/lxc. It bind-mounts the host's /home directory to /home inside the container, like so:

  lxc.mount.entry = /home home none bind 0 0

My /home directory contains an ecryptfs at ~/.Private, which is mounted to ~/Private with default options, at login, via pam_ecryptfs.

lxc-start then results in the following error showing up in the log file:

  lxc-start 20170118124950.117 ERROR lxc_utils - utils.c:safe_mount:1746 - Invalid argument - Failed to mount /home onto /usr/lib/x86_64-linux-gnu/lxc/home
  lxc-start 20170118124950.117 ERROR lxc_conf - conf.c:mount_entry:1650 - Invalid argument - failed to mount '/home' on '/usr/lib/x86_64-linux-gnu/lxc/home'
  lxc-start 20170118124950.117 ERROR lxc_conf - conf.c:lxc_setup:3790 - failed to setup the mount entries for 'trusty-edx-devstack'
  lxc-start 20170118124950.117 ERROR lxc_start - start.c:do_start:826 - Failed to setup container "trusty-edx-devstack".
  lxc-start 20170118124950.117 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
  lxc-start 20170118124950.118 ERROR lxc_start - start.c:__lxc_start:1338 - Failed to spawn container "trusty-edx-devstack".
  lxc-start 20170118124955.668 ERROR lxc_start_ui - tools/lxc_start.c:main:360 - The container failed to start.

Unmounting the ecryptfs allows the container to start normally. After the container has been started, the ecryptfs can be remounted with ecryptfs-mount-private, which appears to have no ill effect on the container.

I don't quite see why the mounted ecryptfs would prevent /home from being bind-mounted into the container. After all, bind-mounting /home to some other mount point in the host works just fine — with the Private directory simply being empty, save for the Access-Your-Private-Data.desktop and README.txt symlinks, in the bind mount location.
This is also what happens in privileged containers whose configuration has the same lxc.mount.entry.

** Affects: lxc (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1657437

Title:
  Unprivileged containers run by non-root fail to start if trying to bind-mount a directory that contains a mounted ecryptfs