Lxc with NFS storage pool fail bootstrap and deploy

matthewacooper · 14 July 2019 23:03

Setup lxc with both local dir storage pool and an NFS dir storage pool.

When bootstrapping a controller all OK when using the local storage pool but errors when using the nfs storage pool with the error

/etc/sudoers.d/90-cloud-init-users is owned by uid 65534, should be 0

So using the controller using the local storage pool I deployed charm (postgresql) with the same error and looking at the /etc/sudoers.d/ folder I see

local storage pool

root@juju-594876-10:/etc/sudoers.d# ls -la
total 16
drwxr-x---  2 root root 4096 Jul 14 21:04 .
drwxr-xr-x 95 root root 4096 Jul 14 21:08 ..
-r--r-----  1 root root  151 Jul 14 21:04 90-cloud-init-users
-r--r-----  1 root root  958 Jan 18  2018 README

nfs Storage pool

root@juju-894f71-9:/var# ls -la /etc/sudoers.d/
total 49
drwxr-x---  2 root   root   4 Jul 14 15:47 .
drwxr-xr-x 91 root   root 181 Jul 14 15:49 ..
-r--r-----  1 nobody root 151 Jul 14 15:47 90-cloud-init-users
-r--r-----  1 root   root 958 Jan 18  2018 README

As you can see why does the file 90-cloud-init-users get owned by nobody when on the nfs share?

Thank you

dvnt · 15 July 2019 01:11

Haha, I drove into a brick wall with containers and remote NFS mounts. I even wrote a bit of a disjointed article about this on my site. But essentially (I think) “it all boils down to the fact that a containerised OS doesn’t have the same privileges as a non containerised OS. This probably some security restriction imposed by the host OS because the container shares the same kernel as the parent.”

Long story short I also had trouble interacting with remote NFS shares from inside lxc containers.

I look forward to hearing other opinions on this

jameinel · 15 July 2019 06:41

If this is reproducible without Juju in the mix (which it sounds like it is), it might be better to report an issue with LXD itself?
https://github.com/lxc/lxd/

manadart · 15 July 2019 06:43

Stéphane Graber’s blog post about user/group mappings sheds some light on how UIDs/GIDs are mapped into containers.

In the case of the NFS mount, it looks like the file is written such that it gets a UID on the share that is unmapped for the container.

matthewacooper · 15 July 2019 21:44

Thank you for the help and the information and it does look like it is an LXD problem and I have posted the issue over at https://github.com/lxc/lxd/

https://github.com/lxc/lxd/issues/5962

timClicks · 15 July 2019 23:18

Thanks for taking the time to report this upstream.

matthewacooper · 15 July 2019 23:31

For info it looks like a kernel problem so I am trying ubuntu 19.10