Open abitrolly opened 4 years ago
9P2000.L only

```
go get -v github.com/hugelgupf/p9/cmd/local_server
mv ~/go/bin/{local_server,9p2000srv}
~/go/bin/9p2000srv -root . -v 192.168.100.20:3333
```

9P2000 and probably 9P2000.u

```
go get github.com/rminnich/go9p/ufs
~/go/bin/ufs -debug 9 -root . -addr 192.168.100.20:3333
```

Servers that didn't work.

9P2000 and probably 9P2000.u

```
go get -v github.com/docker/go-p9p/cmd/9ps
~/go/bin/9ps -root . -addr 192.168.100.20:3333
```

Failed to create the file (https://github.com/docker/go-p9p/issues/25#issuecomment-561192007).

9P2000.u only

```
fuse9p -d 192.168.100.20:3333 ~/xxx
```

9P2000 only

```
git clone https://github.com/aperezdc/9pfuse
cd 9pfuse/
apt install libfuse-dev
make
9pfuse -D 192.168.100.20:3333 ~/xxx
```
https://github.com/rminnich/go9p server on host was able to provide r/w filesystem to https://github.com/aperezdc/9pfuse client running in LXD. Both projects are about 5-6 years old, and support no fancy 9P2000.L.
Now need to create secure network channel from host to LXD. Automate server and client bootstrap in `runin-lxd.sh`.

Using NBD can be more advantageous as it already supports TLS.
https://askubuntu.com/questions/836217/how-to-mount-a-compressed-disk-image

https://github.com/containers/toolbox is a way to work with current project directory with isolation.

```
HOME=`pwd` toolbox create
HOME=`pwd` toolbox enter
```

An alternative to research for podman.
http://docker-sync.io/
Problem

`lxd-runin.sh` mounts the current directory read-only. The official way to share host dirs with containers is to use a disk device. And that makes all files inside the container owned by `nobody:nobody`. The issue is described at https://github.com/lxc/lxd/issues/2025 and the solution is to direct the kernel to map uid/gid of the user from the host to uid/gid of the user from the guest (which is `root` in this case).

The proposed solution raises a security issue - if a container process with mapped uid/gid escapes filesystem boundaries, it will be able to steal private keys of the host user. A secure solution is to rewrite the file owner on the filesystem access layer without touching the container gid/uid.

Solution 1 - Patch LXD

The logical way is to add another device called `dir-proxy` to LXD that will do the necessary conversion. It requires knowledge of LXD and may not be feasible, because LXD is a wrapper over standard Linux containers and may be limited to what containers are capable of.

Solution 2 - Use 9p server on host and access it with FUSE client on guest

While the kernel has support for the `9p` filesystem, it won't allow mounting it from an unprivileged container. Other FUSE clients don't have this limitation. An additional benefit will be the ability to mount the local project dir to a remote LXD container (#26) provided that there is a secure channel between guest and host (LXD proxy devices?).

I am looking to add these features to the `lxd-runin.sh` script. The stumbling block right now is to find a binary for a 9p client that will provide a FUSE server and could be easily injected into a remote container.
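To make the security objection in the Problem section concrete, here is an added example; it is not part of this issue, of `lxd-runin.sh`, or of LXD. Whether the host-user-to-container-root mapping described above is in effect can be read straight from the kernel: `/proc/<container-init-pid>/uid_map` lists one `<ns_start> <host_start> <count>` triple per line. If the host user's uid falls inside any of those host ranges, a process in the container has that uid at kernel level, so an escape from the mounted directory to the host filesystem gives it everything the host user owns, `~/.ssh` included. The function names and the two sample maps below are constructed for the example (the default map mimics a plain unprivileged container, the second one a container whose root is mapped onto host uid 1000); they are not copied from a real system.

```sh
#!/bin/sh
# Added example (not from the issue, lxd-runin.sh, or LXD): detect whether a
# container's user namespace maps a chosen host uid into the container.
# /proc/<init-pid>/uid_map has one "<ns_start> <host_start> <count>" triple
# per line. If HOST_UID lies in <host_start>..<host_start+count-1>, a process
# in the container runs with the host user's kernel uid, so reaching the host
# filesystem means reading the host user's files (e.g. ~/.ssh).

# host_uid_mapped_into_ns UID_MAP_TEXT HOST_UID
#   Prints the container-side uid that HOST_UID appears as and returns 0,
#   or prints nothing and returns 1 when HOST_UID is not mapped at all.
host_uid_mapped_into_ns() {
    printf '%s\n' "$1" | awk -v host="$2" '
        NF == 3 {
            ns_start = $1 + 0; host_start = $2 + 0; count = $3 + 0
            if (host >= host_start && host < host_start + count) {
                print ns_start + (host - host_start)
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# check_container_pid INIT_PID HOST_UID
#   Live variant: reads the uid_map of a running container's init process.
#   (Getting the init pid from the container runtime is left to the caller.)
check_container_pid() {
    host_uid_mapped_into_ns "$(cat "/proc/$1/uid_map")" "$2"
}

# Constructed sample maps (not captured from a real system).
# Plain unprivileged container: container uid 0 starts at host uid 1000000.
DEFAULT_MAP='0 1000000 1000000000'
# Host user 1000 mapped onto container root, remainder of the range shifted.
BOTH_MAP='0 1000 1
1 1000001 999999999'

# report LABEL UID_MAP_TEXT HOST_UID
report() {
    if ns=$(host_uid_mapped_into_ns "$2" "$3"); then
        echo "$1: host uid $3 is container uid $ns; a container process owns the host user's files"
    else
        echo "$1: host uid $3 is not mapped into the container"
    fi
}

report "default map" "$DEFAULT_MAP" 1000
report "both map"    "$BOTH_MAP"    1000
```

Run against a live container with `check_container_pid <init-pid> $(id -u)`: any output means the container has a uid that equals yours on the host, which is exactly the state the uid/gid mapping workaround creates and the reason the file-owner rewriting approach (9p server plus FUSE client) is preferred here.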