How to spawn an unprivileged LXC container with squashfs rootfs?
Yasoda Padala
2018-08-17 03:08:50 UTC
Hi All,
I want to spawn an unprivileged LXC container with container rootfs as
squashfs filetype.
(goal is to have container rootfs as compressed and read-only)

1. Created a squashfs file out of container's rootfs using the below
command:
mksquashfs rootfs rootfs.squashfs
2. Changed the rootfs path in the container config to refer to this newly
created rootfs.squashfs file
Please find attached the container config file.

LXC is giving the below error while starting the unprivileged container

lxc-start 20180817025351.739 ERROR lxc_conf - conf.c:setup_rootfs:1220 -
Failed to mount rootfs
"/home/oxpd/.local/share/lxc/spawn_squashfs_rootfs/rootfs.squashfs" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".

lxc-start 20180817025351.739 ERROR lxc_conf -
conf.c:do_rootfs_setup:3899 - failed to setup rootfs for
'spawn_squashfs_rootfs'

lxc-start 20180817025351.739 ERROR lxc_conf -
conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn

lxc-start 20180817025351.739 ERROR lxc_start -
start.c:do_start:811 - Failed to setup container "spawn_squashfs_rootfs".

lxc-start 20180817025351.739 ERROR lxc_sync -
sync.c:__sync_wait:57 - An error occurred in another process (expected
sequence number 3)

lxc-start 20180817025351.739 ERROR lxc_start -
start.c:__lxc_start:1358 - Failed to spawn container
"spawn_squashfs_rootfs".

lxc-start 20180817025356.796 ERROR lxc_start_ui -
tools/lxc_start.c:main:366 - The container failed to start.

lxc-start 20180817025356.796 ERROR lxc_start_ui -
tools/lxc_start.c:main:368 - To get more details, run the container in
foreground mode.

lxc-start 20180817025356.796 ERROR lxc_start_ui -
tools/lxc_start.c:main:370 - Additional information can be obtained by
setting the --logfile and --logpriority options.

Since lxc was not able to mount the squashed rootfs filetype, I tried the
following steps:

1. Created empty rootfs directory
2. Mounted rootfs.squashfs to the rootfs directory created in step 1 (sudo
mount -o loop -t squashfs rootfs.squashfs rootfs)
3. Verified the new rootfs directory is read-only
4. Started container with this new rootfs read-only directory and it
worked fine
5. Verified that rootfs inside the container also is read-only.

Is it the right way of doing this? Or if there is any other way in which LXC
can directly work with the squashfs filetype, please provide help.

Thanks & Regards,
Yasoda
HP Inc
Serge E. Hallyn
2018-08-17 06:24:39 UTC
Post by Yasoda Padala
> Hi All,
> I want to spawn an unprivileged LXC container with container rootfs as
> squashfs filetype.
> (goal is to have container rootfs as compressed and read-only)
> 1. Created a squashfs file out of container's rootfs using the below
> mksquashfs rootfs rootfs.squashfs
> 2. Changed the rootfs path in the container config to refer to this newly
> created rootfs.squashfs file
> please find attached container config file
> LXC is giving the below error while starting the unprivileged container
> [...]
> Since lxc was not able to mount squashed rootfs filetype, I tried the
> following steps
> 1. Created empty rootfs directory
> 2. Mounted rootfs.squashfs to rootfs directory created in step# 1 (sudo
> mount -o loop -t squashfs rootfs.squashfs rootfs)
Note that you can do this using squashfuse with the allow_other option, to do it
without sudo.
Post by Yasoda Padala
> 3. Verified the new rootfs directory is read-only
> 4. Started container with this new rootfs read-only directory and it
> worked fine
> 5. Verified that rootfs inside the container also is read-only.
> is it the right way of doing ?? or if there is any other way in which LXC
Yes, I think so. For the moment (and foreseeable future) you can't
mount squashfs as unpriv user because you could feed garbage into the
in-kernel superblock parser and potentially wreak havoc.
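The workflow both posts describe (build the image with mksquashfs, mount it read-only, verify it, then point the container config at the mounted directory) as an added example; this script is not from either poster or from the LXC project. It offers the loop mount from the original post and the squashfuse route Serge suggests, since the in-kernel squashfs driver cannot be mounted by an unprivileged user and a userspace FUSE mount avoids that. The verification function reads /proc/self/mountinfo and accepts a path to a file instead, so it can be exercised against the constructed sample lines embedded below. The `run` subcommand, all paths, the `fuse.squashfuse` filesystem type assumed for squashfuse mounts, and the sample mountinfo lines are constructed for this example; `lxc.rootfs.path` and `lxc.rootfs.options` are the LXC 2.1+ config keys.

```shell
#!/bin/sh
# Added example (not from the thread): build a squashfs image from a container
# rootfs, mount it read-only, verify the mount, and emit the rootfs lines for
# the container config. Paths, the "run" subcommand and the sample mountinfo
# lines are constructed for illustration.
set -eu

# Build the image exactly as the original post does (-noappend: overwrite an
# existing image rather than appending a second filesystem to it).
build_image() {            # $1 = rootfs directory, $2 = output image
    mksquashfs "$1" "$2" -noappend
}

# Mount the image. "loop" uses the in-kernel squashfs driver and needs root,
# which is why the original post used sudo; "fuse" uses squashfuse in
# userspace, as Serge suggests, and needs no root. allow_other lets uids other
# than the mounting user (the container's mapped ids) traverse the mount and
# requires user_allow_other in /etc/fuse.conf for non-root users.
mount_image() {            # $1 = loop|fuse, $2 = image, $3 = mount point
    mkdir -p "$3"
    case "$1" in
        loop) sudo mount -o loop,ro -t squashfs "$2" "$3" ;;
        fuse) squashfuse -o allow_other "$2" "$3" ;;
        *) echo "usage: mount_image loop|fuse IMAGE DIR" >&2; return 2 ;;
    esac
}

# Verify from /proc/self/mountinfo (or the file given as $2) that $1 is a
# read-only mount served by squashfs or squashfuse. Field 5 is the mount
# point, field 6 the per-mount options, and the filesystem type follows the
# "-" separator. "fuse.squashfuse" is the fstype we assume squashfuse reports.
is_ro_squashfs_mount() {   # $1 = mount point, $2 = mountinfo file (optional)
    awk -v mp="$1" '
        $5 == mp {
            ro = 0; fstype = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            n = split($6, opt, ",")
            for (k = 1; k <= n; k++) if (opt[k] == "ro") ro = 1
            if (ro && (fstype == "squashfs" || fstype == "fuse.squashfuse")) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "${2:-/proc/self/mountinfo}"
}

# Rootfs lines for the container config: point at the mounted directory and
# ask LXC to mount it read-only as well.
rootfs_config_lines() {    # $1 = mounted rootfs directory
    printf 'lxc.rootfs.path = dir:%s\nlxc.rootfs.options = ro\n' "$1"
}

# Constructed mountinfo sample: one loop-mounted squashfs, one squashfuse
# mount, and one ordinary read-write mount that the check must reject.
sample_mountinfo() {
    cat <<'EOF'
120 95 7:0 / /home/user/.local/share/lxc/ro/rootfs ro,relatime shared:60 - squashfs /dev/loop0 ro
121 95 0:47 / /home/user/.local/share/lxc/fuse/rootfs ro,nosuid,nodev,relatime shared:61 - fuse.squashfuse squashfuse ro,user_id=1000,group_id=1000
122 95 8:1 /srv/rw /home/user/.local/share/lxc/rw/rootfs rw,relatime shared:62 - ext4 /dev/sda1 rw
EOF
}

# Usage (constructed): sh ro-rootfs.sh run loop|fuse ROOTFS_DIR MOUNT_DIR
if [ "${1:-}" = run ]; then
    shift
    build_image "$2" "$2.squashfs"
    mount_image "$1" "$2.squashfs" "$3"
    is_ro_squashfs_mount "$3" || { echo "$3 is not a read-only squashfs mount" >&2; exit 1; }
    rootfs_config_lines "$3"
fi
```

The check is worth running before starting the container: a directory that merely has read-only permission bits is not the same as a read-only mount, and only the mountinfo entry tells you which provider is backing the path.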
