I have a host system running Fedora Server. On the host system I create an unprivileged LXD container (that uses UID mapping). When using encfs inside the container, I get "Operation not supported" errors when trying to use ACLs. However, when using a privileged container (without UID mapping), I don't get these errors, even when not running as root.
I am not actually interested in using ACLs, but my use case is to run a Docker daemon with encrypted storage inside an LXD container. The /var/lib/docker directory should be encrypted with encfs. Docker uses the fuse-overlayfs driver for its storage, and that driver tries to access the ACLs and fails. This results in strange behaviour inside Docker containers, where root cannot access files owned by other users, even if the permissions are right.
I am not sure, but I believe that normally even on file systems that don't support ACLs, chacl -l can be used to show the current file permissions without failing.
The problem can be reproduced inside an unprivileged LXD container or in a Docker Rootless container. In case it is interesting, using gocryptfs leads to the same problem (see rfjakob/gocryptfs#640). My detailed investigation of this problem is documented in the LXD forum.
Steps to reproduce (LXD)
- Install LXD
- Start LXD:
```sh
systemctl start lxd
```
- Set up LXD (`lxd init` with the default settings should work):
```sh
lxd init
echo root:1000000:1001000000 >> /etc/subuid
echo root:1000000:1001000000 >> /etc/subgid
lxc launch images:fedora/35 test
lxc exec test bash
```
Now you are running a shell inside the LXD container. There, run the following commands:
```sh
dnf -y install encfs acl
encfs --public --standard /mnt.enc /mnt
touch /mnt/test
chacl -l /mnt/test
```
Steps to reproduce (Docker Rootless)
When Docker is running in rootless mode, you can reproduce the problem by starting a Docker container using `docker run -ti --device /dev/fuse --cap-add SYS_ADMIN --rm fedora bash` and then running the same commands as in the LXD container above.
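As an added check (not part of the issue or of encfs itself), the following script does what `chacl -l` and fuse-overlayfs do under the hood: it reads the `system.posix_acl_access` extended attribute on a scratch file and tells apart the harmless answer (ENODATA: ACLs are supported, none is set) from the failure reported here (ENOTSUP/EOPNOTSUPP: the filesystem rejects ACL queries). Run it against the encfs mount point from the steps above, e.g. `python3 aclprobe.py /mnt`; the default path `/mnt` is an assumption taken from the repro.

```python
#!/usr/bin/env python3
"""Probe whether a filesystem answers POSIX ACL queries (constructed example)."""
import errno
import os
import sys
import tempfile
from typing import Optional, Tuple

# The xattr that the libacl tools and fuse-overlayfs read to fetch an ACL.
ACL_XATTR = "system.posix_acl_access"


def classify_acl_errno(err: Optional[int]) -> str:
    """Map the errno from getxattr(system.posix_acl_access) to a verdict."""
    if err is None:
        return "acl-present"                 # an ACL is actually set on the file
    if err == errno.ENODATA:
        return "acl-supported-none-set"      # normal answer on ext4/xfs/tmpfs
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "acl-unsupported"             # "Operation not supported" from this issue
    return "other-error"


def probe_acl_support(path: str) -> Tuple[str, Optional[int]]:
    """Return (verdict, errno) for the ACL xattr lookup on an existing path."""
    try:
        os.getxattr(path, ACL_XATTR)
        return classify_acl_errno(None), None
    except OSError as exc:
        return classify_acl_errno(exc.errno), exc.errno


def probe_in_dir(directory: str) -> Tuple[str, Optional[int]]:
    """Create a scratch file in *directory* (e.g. the encfs mount) and probe it."""
    fd, path = tempfile.mkstemp(prefix="aclprobe-", dir=directory)
    os.close(fd)
    try:
        return probe_acl_support(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/mnt"   # assumed default
    verdict, err = probe_in_dir(target)
    detail = f" (errno {err}: {os.strerror(err)})" if err else ""
    print(f"{target}: {verdict}{detail}")
    # fuse-overlayfs only behaves correctly when the verdict is not "acl-unsupported".
    sys.exit(1 if verdict == "acl-unsupported" else 0)
```

On a mount that reports `acl-unsupported`, the permission anomalies inside Docker containers described above are to be expected, since fuse-overlayfs cannot distinguish "no ACL" from "ACL lookup failed".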