[pve-devel] [PATCH container] add features:fuse
Wolfgang Bumiller
2018-11-28 12:55:06 UTC
That should be enough for snapd on unprivileged containers.
For privileged containers we'd also need a way to not drop
the mac_admin capability - not sure we'd want that.

Signed-off-by: Wolfgang Bumiller <***@proxmox.com>
---
With this patch you can run snaps in unprivileged ubuntu containers via:
pct set $vmid --features nesting=1,fuse=1

For privileged containers you also need to allow mac_admin for the
container to be able to create apparmor profiles. (They do stay stacked
with the lxc profile, but I'd still not recommend it...)
lxc.cap.drop =
lxc.cap.drop = mac_override sys_time sys_module sys_rawio

(The list above is from common.conf with just mac_admin removed)

To test:
apt install squashfuse
apt install snapd
snapd install --beta mysql

src/PVE/LXC.pm | 9 +++++++++
src/PVE/LXC/Config.pm | 7 +++++++
2 files changed, 16 insertions(+)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index d1b5fcc..787d34f 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -465,6 +465,11 @@ sub make_apparmor_config {
my $raw = "lxc.apparmor.profile = generated\n";
my @profile_uses;

+ if ($features->{fuse}) {
+ # For the informational warning:
+ push @profile_uses, 'features:fuse';
+ }
+
# There's lxc.apparmor.allow_nesting now, which will add the necessary
# apparmor lines, create an apparmor namespace for the container, but also
# adds proc and sysfs mounts to /dev/.lxc/{proc,sys}. These do not have
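Review bot: the comment `+ # For the informational warning:` says what the push is for but not what the warning tells the user; since @profile_uses is collected to warn about features that loosen the generated AppArmor profile, say so, e.g. `# fuse needs an extra 'mount fstype=fuse' rule; record it so the profile warning lists it`. The fuse handling is also split across two functions: the feature is recorded here in make_apparmor_config, but the actual `lxc.apparmor.raw` rule is appended by the caller in update_lxc_config; emitting the rule here as well, next to the push (this function already receives $features), keeps the warning and the policy it describes in one place.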
@@ -539,6 +544,10 @@ sub update_lxc_config {

$raw .= make_seccomp_config($conf, $unprivileged, $features);
$raw .= make_apparmor_config($conf, $unprivileged, $features);
+ if ($features->{fuse}) {
+ $raw .= "lxc.apparmor.raw = mount fstype=fuse,\n";
+ $raw .= "lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0\n";
+ }

# WARNING: DO NOT REMOVE this without making sure that loop device nodes
# cannot be exposed to the container with r/w access (cgroup perms).
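Review bot: `$raw .= "lxc.apparmor.raw = mount fstype=fuse,\n";` is appended after make_apparmor_config returns, so the rule is emitted regardless of which profile that function selected; since make_apparmor_config already receives $features and checks $features->{fuse} in the previous hunk, the rule should live there. The mount rule has no source or destination qualifier, so it permits fuse mounts anywhere in the container's mount namespace; if that breadth is intended, a one-line comment next to it should say so. Finally, the `/dev/fuse` bind with `create=file` assumes the host has /dev/fuse; on a host without the fuse module loaded the container start fails on the mount entry rather than with a message naming the feature, so consider checking for the node when fuse is enabled.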
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index cde2445..9987f50 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -305,6 +305,13 @@ my $features_desc = {
." error when some keyctl() operations are denied by the kernel due to lacking permissions."
." Essentially, you can choose between running systemd-networkd or docker.",
},
+ fuse => {
+ optional => 1,
+ type => 'boolean',
+ default => 0,
+ description => "Allow using 'fuse' file systems in a container."
+ ." Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.",
+ },
};

my $confdesc = {
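Review bot: the description warns that fuse and the freezer cgroup can cause I/O deadlocks, but nothing in the patch acts on that warning, so a user who sets fuse=1 and later runs an operation that freezes the container gets the hang with no hint at that point; either spell out in the description which operations are affected or warn when the feature is enabled. The description should also mention that for privileged containers fuse=1 alone is not sufficient for snapd because mac_admin is still dropped; the cover letter documents that only in prose, and the `pct set` user will read this text, not the mail.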
--
2.11.0
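An added example (mine, not from the patch or from Proxmox) that audits a container's lxc config for the two lines this patch emits with fuse=1 and replays `lxc.cap.drop` the way the cover letter overrides it, so an operator can see which containers retain mac_admin; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the patch or of Proxmox's code: audit a
# container's generated lxc config for what the patch emits when fuse=1 is
# set, and replay the lxc.cap.drop lines to see whether mac_admin (needed by
# snapd in privileged containers, not recommended in the cover letter) stays.

# Replays lxc.cap.drop lines in file order. An empty value ("lxc.cap.drop =")
# resets the list and later values append, which is how the cover letter
# re-enables mac_admin; the result is the effective drop list.
effective_cap_drop() {
    cfg="$1"
    acc=""
    while IFS= read -r line; do
        case "$line" in
            lxc.cap.drop*) ;;
            *) continue ;;
        esac
        # Word-split the value; no words means the line is a reset.
        set -- ${line#*=}
        if [ $# -eq 0 ]; then acc=""; else acc="$acc $*"; fi
    done < "$cfg"
    printf '%s\n' "$acc"
}

# Reports whether the two lines the patch adds for fuse are present and
# whether CAP_MAC_ADMIN ends up dropped or retained.
audit_fuse_config() {
    cfg="$1"
    rule=absent; dev=absent
    grep -Fxq 'lxc.apparmor.raw = mount fstype=fuse,' "$cfg" && rule=present
    grep -Fxq 'lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0' "$cfg" && dev=present
    case " $(effective_cap_drop "$cfg") " in
        *" mac_admin "*) mac=dropped ;;
        *) mac=retained ;;
    esac
    printf 'fuse_rule=%s fuse_dev=%s mac_admin=%s\n' "$rule" "$dev" "$mac"
}

# Constructed sample: the fuse lines from the patch plus the cap.drop
# override from the cover letter (mac_admin removed from the list).
sample=$(mktemp)
cat > "$sample" <<'EOF'
lxc.apparmor.profile = generated
lxc.apparmor.raw = mount fstype=fuse,
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
lxc.cap.drop =
lxc.cap.drop = mac_override sys_time sys_module sys_rawio
EOF
audit_fuse_config "$sample"
```

Point it at /var/lib/lxc/$vmid/config after `pct set $vmid --features nesting=1,fuse=1` to confirm the rule and the device node were written and whether the cap.drop override left mac_admin in place.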
Thomas Lamprecht
2018-11-28 13:08:08 UTC
Post by Wolfgang Bumiller
That should be enough for snapd on unprivileged containers.
For privileged containers we'd also need a way to not drop
the mac_admin capability - not sure we'd want that.
---
pct set $vmid --features nesting=1,fuse=1
For privileged containers you also need to allow mac_admin for the
container to be able to create apparmor profiles. (They do stay stacked
with the lxc profile, but I'd still not recommend it...)
lxc.cap.drop =
lxc.cap.drop = mac_override sys_time sys_module sys_rawio
(The list above is from common.conf with just mac_admin removed)
apt install squashfuse
apt install snapd
snapd install --beta mysql
tested and applied, as of low breakage risk, thanks!
Post by Wolfgang Bumiller
src/PVE/LXC.pm | 9 +++++++++
src/PVE/LXC/Config.pm | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index d1b5fcc..787d34f 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -465,6 +465,11 @@ sub make_apparmor_config {
my $raw = "lxc.apparmor.profile = generated\n";
+ if ($features->{fuse}) {
+ }
+
# There's lxc.apparmor.allow_nesting now, which will add the necessary
# apparmor lines, create an apparmor namespace for the container, but also
# adds proc and sysfs mounts to /dev/.lxc/{proc,sys}. These do not have
@@ -539,6 +544,10 @@ sub update_lxc_config {
$raw .= make_seccomp_config($conf, $unprivileged, $features);
$raw .= make_apparmor_config($conf, $unprivileged, $features);
+ if ($features->{fuse}) {
+ $raw .= "lxc.apparmor.raw = mount fstype=fuse,\n";
+ $raw .= "lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0\n";
+ }
# WARNING: DO NOT REMOVE this without making sure that loop device nodes
# cannot be exposed to the container with r/w access (cgroup perms).
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index cde2445..9987f50 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -305,6 +305,13 @@ my $features_desc = {
." error when some keyctl() operations are denied by the kernel due to lacking permissions."
." Essentially, you can choose between running systemd-networkd or docker.",
},
+ fuse => {
+ optional => 1,
+ type => 'boolean',
+ default => 0,
+ description => "Allow using 'fuse' file systems in a container."
+ ." Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.",
+ },
};
my $confdesc = {