Securely share project directory with LXD guest for write

[abitrolly]

Problem

lxd-runin.sh mounts current directory read-only.

The official way to share host dirs with containers is to use disk device.

$ lxc config device add <container> <sharename> disk source="$PWD" \
 path="/root/$(basename "$PWD")"

And that makes all files inside container owned by nobody:nobody. The issue is described at https://github.com/lxc/lxd/issues/2025 and the solution is to direct kernel to map uid/gid of user from host to uid/gid of user from guest (which is root in this case).

The proposed solution raises a security issue - if container process with mapped uid/gid escapes filesystem boundaries, it will be able to steal private keys of host user. Secure solution is to rewrite file owner on filesystem access layer without touching container gid/uid.

Solution 1 - Patch LXD

The logical way is to add another device called dir-proxy to LXD that will do the necessary conversion. It requires knowledge of LXD and may not be feasible, because LXD is a wrapper over standard Linux containers and may be limited to what containers are capable of.

Solution 2 - Use 9p server on host and access it with FUSE client on guest

While kernel has support for 9p filesystem, it won't allow to mount it from unprivileged container. Other FUSE clients don't have this limitation. An additional benefit will be the ability to mount local project dir to remote LXD container (#26) provided that there is a secure channel between guest and host (LXD proxy devices?).

I am looking to add these features to lxd-runin.sh script. The stumbling block right now is to find a binary for 9p client that will provide FUSE server and could be easily injected in remote container.

[abitrolly]

9p servers

• https://github.com/hugelgupf/p9 - Go - 9P2000.L only

go get -v github.com/hugelgupf/p9/cmd/local_server
mv ~/go/bin/{local_server,9p2000srv}
~/go/bin/9p2000srv -root . -v 192.168.100.20:3333

• https://github.com/rminnich/go9p - Go - 9P2000 and probably 9P2000.u

go get github.com/rminnich/go9p/ufs
~/go/bin/ufs -debug 9 -root . -addr 192.168.100.20:3333

Servers that didn't work.

• https://github.com/docker/go-p9p - Go - 9P2000 and probably 9P2000.u

go get -v github.com/docker/go-p9p/cmd/9ps
~/go/bin/9ps -root . -addr 192.168.100.20:3333

Failed to create the file (docker-archive/go-p9p#25 (comment)).

9p FUSE clients

• https://github.com/svinota/py9p - Python - 9P2000.u only

fuse9p -d 192.168.100.20:3333 ~/xxx

• https://github.com/aperezdc/9pfuse - C - 9P2000 only

git clone https://github.com/aperezdc/9pfuse
cd 9pfuse/
apt install libfuse-dev
make
9pfuse -D 192.168.100.20:3333 ~/xxx

[abitrolly]

https://github.com/rminnich/go9p server on host was able to provide r/w filesystem to https://github.com/aperezdc/9pfuse client running in LXD. Both projects are about 5-6 years old, and support no fancy 92000.L.

Now need to create secure network channel from host to LXD.

1. localhost -> container
2. host -> LAN/Internet -> remote:container

Automate server and client bootstrap in runin-lxd.sh.

[abitrolly]

Using NBD can be more advantageous as it already supports TLS.

https://askubuntu.com/questions/836217/how-to-mount-a-compressed-disk-image

https://github.com/libguestfs/nbdkit

[abitrolly]

https://github.com/containers/toolbox is a way to work with current project directory with isolation.

HOME=`pwd` toolbox create
HOME=`pwd` toolbox enter

[abitrolly]

An alternative to research for podman. http://docker-sync.io/