Hi all,

I'm using bindfs in my web LXC containers to allow particular users to write to their site docroot as the correct user.

Getting this to work has been really hacky, and while it does seem to work, I get log messages saying it didn't ...

In /var/lib/lxc/<containername>/config:
========================================================================
lxc.hook.start-host = /usr/local/bin/fuse.hook
========================================================================

In /usr/local/bin/fuse.hook:
========================================================================
#!/bin/bash
# Runs on the host as lxc.hook.start-host and must return quickly, so the real
# work is queued with at(1); at keeps the submitting environment, so LXC_NAME
# reaches the job. The redirect catches errors from the at submission itself;
# the job's own output is mailed by at.
at now + 1 minute <<END 2>>/var/log/lxc/${LXC_NAME}-hook-error.log
/usr/local/bin/fuse.hook.s2
END
========================================================================

In /usr/local/bin/fuse.hook.s2:
========================================================================
#!/bin/bash
# Second stage, run from the at job once the container is up: expose /dev/fuse
# to the container, then run the in-container mount script.
lxc-device -n "${LXC_NAME}" add /dev/fuse
lxc-attach -n "${LXC_NAME}" -- /usr/local/bin/bindfs_mount
========================================================================

In /usr/local/bin/bindfs_mount (in the container):
========================================================================
#!/bin/bash
# Mount each entry listed in the file below; every line is a mountpoint that
# /etc/fstab declares as fuse.bindfs with noauto, so mount(8) looks it up there.
file='/usr/local/etc/bindfs_mounts'
while IFS= read -r line; do
  [ -n "${line}" ] && mount "${line}"
done < "${file}"
========================================================================

In /usr/local/etc/bindfs_mounts (in the container):
========================================================================
/home/richard/<sitename>/doc_root
========================================================================

In /etc/fstab (in the container) (single line wrapped by MUA):
========================================================================
/srv/<sitename>/doc_root /home/richard/<sitename>/doc_root fuse.bindfs noauto,--force-user=richard,--force-group=richard,--create-for-user=<sitename>,--create-for-group=<sitename> 0 0
========================================================================

I'm sure shell experts (or LXC experts) will tell me this 2-stage process is unnecessary, or that there is a better way to do it, but IIRC it doesn't work if lxc is waiting for the hook to finish; other stuff needs to happen before the device creation works.


At boot, however, I get these messages emailed from the at job (3 lines, wrapped by MUA):
========================================================================
lxc-device: <containername>: commands.c: lxc_cmd_add_bpf_device_cgroup: 1185 Message too long - Failed to add new bpf device cgroup rule
lxc-device: <containername>: lxccontainer.c: add_remove_device_node: 4657 set_cgroup_item failed while adding the device node
lxc-device: <containername>: tools/lxc_device.c: main: 153 Failed to add /dev/fuse to <containername>
========================================================================

The device file is created correctly, and the mount works.

Oh - and interestingly, this only seems to happen when the host boots. If I just reboot (or shutdown and start) the container, it works fine.

It doesn't matter if I increase the delay on the at job.

If I don't use the at job, but run those commands manually after boot, it works fine with no error messages.

Any hints?

I suspect my limited understanding of cgroups is contributing to my problems ...

Cheers,
Richard
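An added example, not code from the post above: a hardened version of the in-container bindfs_mount step that only mounts an entry when /etc/fstab really declares that mountpoint as a noauto fuse.bindfs entry, and reports rejected entries. File paths are parameters and the sample fstab and mount list are constructed (example.org stands in for the post's <sitename>).

```shell
#!/bin/sh
# Added example, not from the original post: a hardened bindfs_mount step.
# Each entry in the mount list is mounted only if /etc/fstab declares that
# mountpoint as a noauto fuse.bindfs entry, so a stray line cannot mount
# something unintended. Paths are parameters so the logic can be dry-run.
# Print usable entries of a mount list: comments and blank lines removed.
bindfs_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}
# Succeed only if FSTAB ($1) has a line whose mountpoint is $2, whose type
# is fuse.bindfs and whose option list contains noauto.
fstab_has_bindfs() {
    awk -v mp="$2" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp && $3 == "fuse.bindfs" && ("," $4 ",") ~ /,noauto,/ { found = 1 }
        END { exit !found }' "$1"
}
# Mount each validated entry of LIST ($1) using FSTAB ($2); DRYRUN ($3) = 1
# only reports. Returns the number of entries rejected or failed to mount.
bindfs_mount_all() {
    list=$1; fstab=$2; dryrun=${3:-0}; rc=0
    while IFS= read -r mp; do
        if ! fstab_has_bindfs "$fstab" "$mp"; then
            echo "skip: $mp is not a noauto fuse.bindfs entry in $fstab" >&2
            rc=$((rc + 1)); continue
        fi
        if [ "$dryrun" = 1 ]; then echo "would mount $mp"
        elif mountpoint -q "$mp"; then echo "already mounted $mp"
        elif mount "$mp"; then echo "mounted $mp"
        else echo "fail: mount $mp" >&2; rc=$((rc + 1)); fi
    done <<EOF
$(bindfs_entries "$list")
EOF
    return "$rc"
}
# Constructed sample files (example.org stands in for the post's <sitename>):
# one mountpoint fstab declares correctly, one it does not.
write_sample_config() {
    cat > "$1/fstab" <<'EOF'
/srv/example.org/doc_root /home/richard/example.org/doc_root fuse.bindfs noauto,--force-user=richard,--force-group=richard,--create-for-user=example.org,--create-for-group=example.org 0 0
/dev/sda1 / ext4 defaults 0 1
EOF
    printf '%s\n' '# one mountpoint per line' '/home/richard/example.org/doc_root' \
        '/home/richard/other.org/doc_root' > "$1/bindfs_mounts"
}
# Stand-alone dry run against the constructed files (no root needed).
demo=$(mktemp -d); write_sample_config "$demo"
bindfs_mount_all "$demo/bindfs_mounts" "$demo/fstab" 1 || echo "rejected entries: $?"
rm -rf "$demo"
```

In the container it would be called as `bindfs_mount_all /usr/local/etc/bindfs_mounts /etc/fstab` from the lxc-attach step; the dry-run flag is only for checking the list before relying on it.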
