SELinux needs to be running in your physical host, because SELinux runs on the kernel side and your container shares the kernel with the physical host. A container is a normal process that runs in another namespace.
I've experienced the same. The reason, in my case, is that the filesystem to be bind-mounted is owned by UID:GID in the range of the host machine.
An unprivileged container, by definition, uses UIDs outside the normal range, and a user namespace to give the appearance of normality in the container.
Note that everything below the container's init belongs to numeric UID 1000000, as seen from the host machine. Within the container, PID 1 is UID root, as expected.
What does that mean? If, in the host machine, you have a filesystem owned by a normal user (maybe root, maybe regular user), and then bind-mount it in the container, the UIDs (which are stored as integers) make no sense within the container.
Further, because the UIDs the container sees don't even belong to its user namespace, not even root inside the container can chown those files.
Solution: In the host machine, chown the files so that they belong to root inside the container. In my case, as pictured above, I had to:
- Mount tank/mydataset at /tank/mydataset in the host machine
- chown 1000000:1000000 /tank/mydataset
- (In the container config file)
  lxc.mount.entry = /tank/mydataset path/in/container/ none bind 0 0
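The arithmetic behind that chown, as an added example that is not part of the answer above: given the container's user-namespace mapping, which host UID a container UID lands on, and which host UIDs the container cannot see at all. The idmap line is a constructed sample in the syntax of the LXC config (lxc.idmap = u 0 1000000 65536); the stat -c %u call assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original thread): translate UIDs across an
# unprivileged LXC container's user-namespace mapping, so you can see which
# host UID a bind-mounted directory must be chowned to, and which host UIDs
# have no identity inside the container (they show up as nobody/nogroup).
#
# Constructed mapping, same fields as "lxc.idmap = u 0 1000000 65536":
#   container UID 0..65535 -> host UID 1000000..1065535
IDMAP="u 0 1000000 65536"

# container_to_host <container_uid> -> host uid, or "unmapped"
container_to_host() {
    set -- "$1" $IDMAP      # $1=uid $2=type $3=ns_start $4=host_start $5=count
    if [ "$1" -ge "$3" ] && [ "$1" -lt $(($3 + $5)) ]; then
        echo $(($1 - $3 + $4))
    else
        echo unmapped
    fi
}

# host_to_container <host_uid> -> container uid, or "unmapped"
host_to_container() {
    set -- "$1" $IDMAP
    if [ "$1" -ge "$4" ] && [ "$1" -lt $(($4 + $5)) ]; then
        echo $(($1 - $4 + $3))
    else
        echo unmapped
    fi
}

# bind_mount_owner <host_path>: report how the container will see this
# path's owner. "unmapped" means even container root cannot chown it,
# which is exactly the failure the answer above describes.
bind_mount_owner() {
    uid=$(stat -c %u "$1") || return 1
    echo "$1: host UID $uid -> container UID $(host_to_container "$uid")"
}
```

Running container_to_host 0 prints 1000000, the owner the answer chowns /tank/mydataset to; a host-owned file at UID 1000 maps to unmapped.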
Best Answer
You can use fstab to declare mount points using:
This is an extension to LXC's config file. I usually put them together, outside the container's rootfs. Then, inside that fstab, you put entries like the normal /etc/fstab, but the mount point is relative to the container's rootfs. For example:
See you!