Freezing when trying to map a volume

[mkopinsky]

Using the default configuration, lima/nerdctl/containerd is freezing when I run a container with -v. Running the container without mapping a volume works fine, but as soon as I add the -v flag, nerdctl freezes when trying to start it.

To reproduce

• brew install lima
• limactl start (using default configuration)
• lima nerdctl run --rm -it -v $PWD:/app alpine
• At this point, lima freezes entirely - does not respond to ^C, ^Z, or the like. Only way to exit out of it is with the SSH escape (~.).

Full logs

╭─ ~/code/lima-testing
╰─❯ cat index.html 
This is a test!

╭─ ~/code/lima-testing
╰─❯ lima                            
kopinsky@lima-default:/Users/kopinsky/code/lima-testing$ cat index.html 
This is a test!
kopinsky@lima-default:/Users/kopinsky/code/lima-testing$ nerdctl run --rm -it alpine
/ # uname -a
Linux ec71a982be17 5.11.0-31-generic #33-Ubuntu SMP Wed Aug 11 13:19:04 UTC 2021 x86_64 Linux
/ # 
kopinsky@lima-default:/Users/kopinsky/code/lima-testing$ nerdctl --debug-full run --rm -it alpine
DEBU[0000] rootless parent main: executing "/usr/bin/nsenter" with [-r/ -w/Users/kopinsky/code/lima-testing --preserve-credentials -m -n -U -t 798 -F nerdctl --debug-full run --rm -it alpine] 
DEBU[0000] found CNI isolation plugin                   
/ # uname -a
Linux f761dc56f016 5.11.0-31-generic #33-Ubuntu SMP Wed Aug 11 13:19:04 UTC 2021 x86_64 Linux
/ # 
kopinsky@lima-default:/Users/kopinsky/code/lima-testing$ nerdctl --debug-full run --rm -it -v $PWD:/app alpine
DEBU[0000] rootless parent main: executing "/usr/bin/nsenter" with [-r/ -w/Users/kopinsky/code/lima-testing --preserve-credentials -m -n -U -t 798 -F nerdctl --debug-full run --rm -it -v /Users/kopinsky/code/lima-testing:/app alpine] 

Relevant output from lima ps auxf:

root         711  0.0  0.1  13288  7104 ?        Ss   21:14   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
root        1552  0.0  0.2  14856  9152 ?        Ss   21:14   0:00  \_ sshd: kopinsky [priv]
kopinsky    1679  0.0  0.1  15016  6300 ?        S    21:14   0:00      \_ sshd: kopinsky@pts/0,pts/1
kopinsky    1693  0.0  0.0 301552  3336 ?        Ssl  21:14   0:00          \_ sshfs :/Users/kopinsky /Users/kopinsky -o slave -o ro -o allow_root
kopinsky    1708  0.0  0.0 162148  3116 ?        Ssl  21:14   0:00          \_ sshfs :/tmp/lima /tmp/lima -o slave -o allow_root
kopinsky    1939  0.0  0.1  10460  5392 pts/0    Ss   21:16   0:00          \_ bash --login
kopinsky    2351  0.2  0.5 724624 23612 pts/0    Sl+  21:17   0:00          |   \_ nerdctl --debug-full run --rm -it -v /Users/kopinsky/code/lima-testing:/app alpine
kopinsky    2362  0.0  0.0  11864  3688 pts/1    Rs+  21:19   0:00          \_ ps auxf

[jandubois]

See containerd/nerdctl#338

[geowa4]

I'm experiencing the same thing with Podman.

[AkihiroSuda]

Thanks for reporting.

Workaround

nerdctl run -v /Users:/mnt, not nerdctl run -v /Users/foo/bar:/mnt

[AkihiroSuda]

Will be fixed in PR #188 (Replace reverse SSHFS with Samba)

[mkopinsky]

@AkihiroSuda I don't understand that workaround. By default, isn't the VM only able to access $HOME aka /Users/foo?

[AkihiroSuda]

The point is to let the container mount the parent directory of the home.

This workaround avoids calling broken syscalls against the home.

[adarobin]

@AkihiroSuda Any particular reason you're not just using NFS instead of Samba?

[AkihiroSuda]

NFS

Explained in docs/internal.md in the PR.
(TLDR: security)

[AkihiroSuda]

This issue was a regression in Lima v0.6.1.
Fix will be included in Lima v0.6.3, without migrating from reverse SSHFS to Samba.
#203