Milan Zamazal <p...@zamazal.org> writes:

> I tried to use FUSE/EncFS in a container on a Debian 6.0 machine and
> I've found I have to enable CAP_SYS_ADMIN in order to make it work.
> Without it, a permission error is reported on encfs invocation (and yes,
> I've got /dev/fuse enabled in lxc.cgroup.devices.allow; it wouldn't work
> without it even with CAP_SYS_ADMIN set).
>
> Do I have to enable CAP_SYS_ADMIN to allow any mount in a container or
> is there a way to allow user mounts (such as FUSE or USB flash mounts)
> without giving such a wide permission to the container?
I think current best practice is not to give the container mount privileges; for static mounts you can create lxc.mount entries in the lxc .conf; for dynamic mounts there isn't any sane solution AFAICT.

I suppose if I had to support desktop wank, I would set up a udev rule on the host to mount removable devices in /media/<VOL ID>, and then rbind-mount /media into the container(s). I can't think of a way to handle mounting offhand, so I'd mount them -osync to reduce data loss.
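Added example (not from the thread or from the LXC project): a small audit script that reads an LXC config in the `key = value` syntax of the 0.7-era releases and reports the three things the reply above turns on: whether `lxc.cap.drop` removes `sys_admin`, whether `lxc.cgroup.devices.allow` exposes `/dev/fuse` (assumed to be char device 10:229, the standard Linux number), and which host paths are statically mounted through `lxc.mount.entry` (for instance an `rbind` of `/media`). The two sample configs are constructed for the demonstration, and the script assumes an LXC version that understands `lxc.cap.drop`.

```python
"""Audit an LXC config for mount-related privilege.

Constructed example; the config texts below are not from the thread.
Assumes LXC's 'key = value' config syntax with lxc.cap.drop support and
that /dev/fuse is char device 10:229 (standard Linux assignment).
"""

# (kind, major, minor) of /dev/fuse -- assumption: standard Linux numbering
FUSE_DEVICE = ("c", 10, 229)


def parse_lxc_conf(text):
    """Return (key, value) pairs, skipping blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def device_rule_matches(rule, dev):
    """True if a devices.allow rule ('c 10:229 rwm', 'c *:* rwm', 'a') covers dev."""
    parts = rule.split()
    if parts and parts[0] == "a":          # 'a' = all devices
        return True
    if len(parts) < 2 or parts[0] != dev[0]:
        return False
    major, _, minor = parts[1].partition(":")

    def field_matches(field, want):
        return field == "*" or field == str(want)

    return field_matches(major, dev[1]) and field_matches(minor, dev[2])


def audit(conf_text):
    """Summarise mount-related privilege granted by an LXC config."""
    dropped = set()
    fuse_allowed = False
    static_mounts = []
    for key, value in parse_lxc_conf(conf_text):
        if key == "lxc.cap.drop":
            dropped.update(value.split())
        elif key == "lxc.cgroup.devices.allow":
            if device_rule_matches(value, FUSE_DEVICE):
                fuse_allowed = True
        elif key == "lxc.mount.entry":
            fields = value.split()            # fstab-like: src dst fstype opts ...
            if len(fields) >= 2:
                opts = fields[3] if len(fields) > 3 else ""
                static_mounts.append((fields[0], fields[1], opts))

    sys_admin_dropped = "sys_admin" in dropped
    findings = []
    if not sys_admin_dropped:
        # With CAP_SYS_ADMIN retained, the container can mount anything it
        # can reach; the reply's advice is to use lxc.mount entries instead.
        findings.append("CAP_SYS_ADMIN not dropped: container keeps mount privilege")
    if fuse_allowed and not sys_admin_dropped:
        findings.append("/dev/fuse allowed together with CAP_SYS_ADMIN")
    return {
        "sys_admin_dropped": sys_admin_dropped,
        "fuse_device_allowed": fuse_allowed,
        "static_mounts": static_mounts,
        "findings": findings,
    }


# Constructed config: FUSE exposed and no capability dropped.
WIDE_CONF = """
lxc.utsname = ct
lxc.cgroup.devices.allow = c 10:229 rwm
"""

# Constructed config: CAP_SYS_ADMIN dropped, /media bind-mounted statically
# from the host (the host's udev rule does the actual device mounting).
NARROW_CONF = """
lxc.utsname = ct
lxc.cap.drop = sys_admin
lxc.mount.entry = /media /var/lib/lxc/ct/rootfs/media none rbind 0 0
"""

if __name__ == "__main__":
    for name, conf in (("wide", WIDE_CONF), ("narrow", NARROW_CONF)):
        print(name, audit(conf))
```

Run it against `/var/lib/lxc/<name>/config`; an empty `findings` list with a populated `static_mounts` list is the shape the reply recommends, while any finding means the container retains the broad mount permission the original question asked how to avoid.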