[pve-devel] [PATCH container] add features:fuse
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed Nov 28 14:08:08 CET 2018
On 11/28/18 1:55 PM, Wolfgang Bumiller wrote:
> That should be enough for snapd on unprivileged containers.
> For privileged containers we'd also need a way to not drop
> the mac_admin capability - not sure we'd want that.
>
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> ---
> With this patch you can run snaps in unprivileged ubuntu containers via:
> pct set $vmid --features nesting=1,fuse=1
>
> For privileged containers you also need to allow mac_admin for the
> container to be able to create apparmor profiles. (They do stay stacked
> with the lxc profile, but I'd still not recommend it...)
> lxc.cap.drop =
> lxc.cap.drop = mac_override sys_time sys_module sys_rawio
>
> (The list above is from common.conf with just mac_admin removed)
>
> To test:
> apt install squashfuse
> apt install snapd
> snapd install --beta mysql
>
Tested and applied, as of low breakage risk, thanks!
> src/PVE/LXC.pm | 9 +++++++++
> src/PVE/LXC/Config.pm | 7 +++++++
> 2 files changed, 16 insertions(+)
>
> diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
> index d1b5fcc..787d34f 100644
> --- a/src/PVE/LXC.pm
> +++ b/src/PVE/LXC.pm
> @@ -465,6 +465,11 @@ sub make_apparmor_config {
> my $raw = "lxc.apparmor.profile = generated\n";
> my @profile_uses;
>
> + if ($features->{fuse}) {
> + # For the informational warning:
> + push @profile_uses, 'features:fuse';
> + }
> +
> # There's lxc.apparmor.allow_nesting now, which will add the necessary
> # apparmor lines, create an apparmor namespace for the container, but also
> # adds proc and sysfs mounts to /dev/.lxc/{proc,sys}. These do not have
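Review bot: the comment `# For the informational warning:` in this hunk does not say which warning is meant; since `@profile_uses` is consumed further down in `make_apparmor_config`, naming the warning (the notice that a generated apparmor profile is in use because of the listed features) would save the next reader a detour. It is also worth noting that the feature's actual apparmor rule (`lxc.apparmor.raw = mount fstype=fuse,`) is emitted in `update_lxc_config` in the next hunk rather than here beside the `@profile_uses` registration; keeping both in one place would keep the fuse apparmor handling easier to audit.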
> @@ -539,6 +544,10 @@ sub update_lxc_config {
>
> $raw .= make_seccomp_config($conf, $unprivileged, $features);
> $raw .= make_apparmor_config($conf, $unprivileged, $features);
> + if ($features->{fuse}) {
> + $raw .= "lxc.apparmor.raw = mount fstype=fuse,\n";
> + $raw .= "lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0\n";
> + }
>
> # WARNING: DO NOT REMOVE this without making sure that loop device nodes
> # cannot be exposed to the container with r/w access (cgroup perms).
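Review bot: the line `lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0` assumes `/dev/fuse` exists on the host; when the `fuse` module is not loaded the bind mount fails and the container does not start, with an error that does not point at the `fuse` feature. Consider checking for `/dev/fuse` (or loading the module) before emitting the entry, or failing early with a message that names the feature. The `lxc.apparmor.raw = mount fstype=fuse,` line is appended right after `make_apparmor_config` without a comment; a one-line note that the mount rule only makes sense together with the generated profile, and that both the apparmor rule and the device bind are required for fuse to work, would make the pairing explicit.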
> diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
> index cde2445..9987f50 100644
> --- a/src/PVE/LXC/Config.pm
> +++ b/src/PVE/LXC/Config.pm
> @@ -305,6 +305,13 @@ my $features_desc = {
> ." error when some keyctl() operations are denied by the kernel due to lacking permissions."
> ." Essentially, you can choose between running systemd-networkd or docker.",
> },
> + fuse => {
> + optional => 1,
> + type => 'boolean',
> + default => 0,
> + description => "Allow using 'fuse' file systems in a container."
> + ." Note that interactions between fuse and the freezer cgroup can potentially cause I/O deadlocks.",
> + },
> };
>
> my $confdesc = {
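Review bot: the description mentions the fuse/freezer cgroup deadlock risk but not that this is hit by operations that freeze the container, which is what users actually need to weigh; stating that would make the warning actionable. The cover letter also notes that privileged containers additionally need `mac_admin` not dropped, so the description should say that `fuse=1` on its own is intended for unprivileged containers, otherwise privileged users get a silently incomplete setup. The option being `optional`, `boolean` and `default => 0` matches the surrounding feature entries.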
>