-
Notifications
You must be signed in to change notification settings - Fork 10
Use shiftfs in LXD
About LXD:
LXD is a manager for containers.
More info here: https://linuxcontainers.org/lxd/introduction/
Usecases:
shiftfs is useful for several usecases:
- General Use: More speed and security
- sharing disk-devices
- sharing volumes
Note: All usecases apply to unpriviledged containers (because priviledged containers use no uid/gid-shifting/remapping).
1. General use:
In general shiftfs provides faster uid/gid-shifting (which is used in unpriviledged containers), which will let the containers start faster.
Also with shiftfs the former method of remapping uids/gids can be avoided, which offers a possibly cleaner and more secure option.
Note: In some packages (for example the arch package) shiftfs is enabled by default,
you can check whether it is enabled with lxc info
(look for shiftfs: "true"
).
To enable shiftfs in LXD (in case you use the snap
package), follow these steps:
-
Stop all running containers.
-
Run with sudo or root:
snap set lxd shiftfs.enable=true
systemctl reload snap.lxd.daemon
You can check if it is enabled, with:
lxc info
shiftfs: "true"
Now all new containers will use shiftfs.
- Extra Step:
Make existing containers use shiftfs:
(this is a trick shown by stgraber, you set the containers to priviledged and then back to unpriviledged)
lxc config set CONTAINERNAME security.privileged true
lxc restart CONTAINERNAME
lxc config unset CONTAINERNAME security.privileged
lxc restart CONTAINERNAME
2. Sharing disk-devices:
If you want to share a disk device (for example a folder) between host/container or between containers, so that both parties can have full access (rwx) to it, shiftfs will make that much easier.
You only need to add this key to your device-configuration in the container/profile-config:
shift: true
For example:
folder1:
path: /home/user1/folder1
source: /home/hostuser1/folder1
shift: true
type: disk
Note:
This will match the hosts uid/gid (of the folder owner) with the container uid/gid.
So if the hosts uid is 1000, the user in the container also needs to have the uid 1000 to be able to access it.
See forum post by stgraber.
3. Sharing volumes:
If you want to share a volume between isolated containers, shiftfs will also make that much easier.
You add this key to your volume-configuration:
security.shifted=true
Then you attach the volume to both containers:
lxc storage volume attach POOL-NAME VOLUME-NAME container1 DEVICENAME /PATH
lxc storage volume attach POOL-NAME VOLUME-NAME container2 DEVICENAME /PATH
Recommendations:
If you don’t want LXD to remap (the UIDs/GIDs of) your container when shiftfs is not available (for example because of a failed dkms update), you can apply the following config key to your container (profile):
security.protection.shift: "true"
"Prevents the instance's filesystem from being uid/gid shifted on startup" (See also: Instances - LXD Documentation )
Related error report: Github Issue - Container Error after changing shiftfs
Security Notes:
If you use shiftfs for disk devices it is possible for root- or sudo-users inside the container to set the uid on a file that can be used by unpriviledged users on the host to get root access on the host!
This is only a very specific case, but if the situation applies to you, you can find ways to prevent it below:
Details: Official LXD forum - "Trying out shiftfs"
How to prevent:
Add nosuid,nodev
to the mount options of your disk device, see comment 54 for details in: Official LXD Forum - "Trying out shiftfs"
Sources: