lxcfs - proc uptime
When removing the excess LXC and LXD package from the LXC guest and working around Ubuntu/Xenial reboot issues I noticed the lxcfs mounts on my LXC guest. (No, you don’t need the lxcfs package on the guest.)
guest# mount | grep lxc
lxcfs on /proc/cpuinfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/diskstats type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/meminfo type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/stat type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /proc/swaps type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
lxcfs on /var/lib/lxcfs type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
Apparently we’re really looking at a subset of proc from inside the LXC guest, but then some files have been patched with bind mounts.
For instance, the uptime file:
guest# cat /proc/uptime
78.0 75.0
guest# uptime
07:57:45 up 1 min, 0 users, load average: 0.22, 0.25, 0.14
guest# mount | grep uptime
lxcfs on /proc/uptime type fuse.lxcfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
guest# umount /proc/uptime
At this point, the host OS uptime is unshadowed again.
guest# cat /proc/uptime
571190.55 8953464.60
guest# uptime
07:57:57 up 6 days, 14:39, 0 users, load average: 0.17, 0.24, 0.13
guest# cat /var/lib/lxcfs/proc/uptime
121.0 118.0
Note that I don’t know how to mount it again though:
guest# mount -n --bind /var/lib/lxcfs/proc/uptime /proc/uptime
mount: mount /var/lib/lxcfs/proc/uptime on /proc/uptime failed: Permission denied
lxd# tail -n1 /var/log/syslog
Mar 23 09:49:24 dev kernel: [574233.745082] audit: type=1400 audit(1458722964.456:246):
apparmor="DENIED" operation="mount" info="failed type match" error=-13
profile="lxd-guest_</var/lib/lxd>" name="/proc/uptime" pid=10938
comm="mount" srcname="/var/lib/lxcfs/proc/uptime" flags="rw, bind"
But it’s back after a reboot; good enough for me, for now.
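An added example, not part of the original post: a shell check that reports which of the lxcfs-backed /proc files seen above no longer have a fuse.lxcfs mount on them, which is the state the guest is in after the umount shown, when it reads host values again. The function names and the sample mount table are constructed for illustration; input is expected in /proc/mounts format.

```shell
#!/bin/sh
# Added example: detect lxcfs overlays that are missing inside a guest.
# The expected paths are the lxcfs mounts shown in this post.
LXCFS_EXPECTED="/proc/cpuinfo /proc/diskstats /proc/meminfo /proc/stat /proc/swaps /proc/uptime"

# missing_lxcfs_mounts: read a mount table in /proc/mounts format on stdin
# ("source mountpoint fstype options dump pass") and print every expected
# path that has no fuse.lxcfs mount on it, one per line.
missing_lxcfs_mounts() {
    awk -v expected="$LXCFS_EXPECTED" '
        $3 == "fuse.lxcfs" { seen[$2] = 1 }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen))
                    print want[i]
        }'
}

# Constructed sample: the guest's mount table after "umount /proc/uptime".
sample_mounts_after_umount() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
lxcfs /proc/cpuinfo fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/diskstats fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/meminfo fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/stat fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /proc/swaps fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
EOF
}

# Demo on the constructed sample; on a real guest use:
#   missing_lxcfs_mounts < /proc/mounts
sample_mounts_after_umount | missing_lxcfs_mounts
```

Any path it prints is one where the container is reading the host's value rather than the lxcfs view.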