
Use shift(fs) in Incus

toby63 edited this page May 14, 2024 · 1 revision

Note: The following is work in progress for now.

About Incus:
Incus is a manager for containers and VMs.
More info here: https://linuxcontainers.org/incus/introduction/

Use cases:
shift(fs) is useful for several use cases:

  1. General use and activation: more speed and security
  2. Sharing disk devices
  3. Sharing volumes

Note: All use cases apply to unprivileged containers only (privileged containers use no uid/gid shifting/remapping).


1. General use/activation:
In general, shiftfs provides faster uid/gid shifting (which unprivileged containers need), so containers start faster.
With shiftfs the former method of remapping uids/gids on disk (rewriting the ownership of every file in the container's filesystem on startup) can be avoided, which is a cleaner and possibly more secure option.

Shiftfs or idmapped mounts (see the Readme for more info on that) should be enabled in Incus by default.

  • Optional step: make old containers use shiftfs:
    (this is a trick shown by stgraber: set the container to privileged, restart it, then set it back to unprivileged and restart again)
    Note that switching to privileged rewrites the ownership of the container's filesystem, so the first restart can be slow on a large container.

incus config set CONTAINERNAME security.privileged true
incus restart CONTAINERNAME
incus config unset CONTAINERNAME security.privileged
incus restart CONTAINERNAME
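Before relying on shift, it is worth checking which kernel mechanism the host actually offers. The following script is an added example (not from this wiki or the Incus project): it reads the kernel_features block of `incus info` and reports whether idmapped mounts, shiftfs, or neither is available. It assumes that block contains the keys `idmapped_mounts` and `shiftfs` with quoted "true"/"false" values, as in the constructed sample embedded below, and it assumes idmapped mounts are preferred when both are present.

```shell
#!/bin/sh
# Added example (not from the wiki or the Incus project): report which uid/gid
# shifting mechanism an Incus host can use, by reading the kernel_features block
# of `incus info`. Assumption: the block contains the keys idmapped_mounts and
# shiftfs with quoted "true"/"false" values, as in the constructed sample below.

# Constructed sample of the relevant part of `incus info` (not from a real host).
SAMPLE_INFO='environment:
  kernel_features:
    idmapped_mounts: "true"
    netnsid_getifaddrs: "true"
    shiftfs: "false"
  kernel_version: 6.1.0'

# feature_flag KEY INFO_TEXT -> prints true, false, or unknown
feature_flag() {
  v=$(printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1: \"\\([a-z]*\\)\"/\\1/p" | head -n 1)
  printf '%s' "${v:-unknown}"
}

# shift_mechanism INFO_TEXT -> idmapped_mounts | shiftfs | none
# Assumption: idmapped mounts are reported first when both are available.
shift_mechanism() {
  if [ "$(feature_flag idmapped_mounts "$1")" = true ]; then
    printf 'idmapped_mounts'
  elif [ "$(feature_flag shiftfs "$1")" = true ]; then
    printf 'shiftfs'
  else
    printf 'none'
  fi
}

# Pass "live" as the first argument to query the real host; otherwise the
# constructed sample above is used.
if [ "${1:-}" = live ]; then
  info=$(incus info)
else
  info=$SAMPLE_INFO
fi
mech=$(shift_mechanism "$info")
if [ "$mech" = none ]; then
  echo "no kernel shifting support: consider security.protection.shift=true (see Recommendations)"
else
  echo "shifting via $mech"
fi
```

If the script reports `none`, any unprivileged container start will fall back to remapping the filesystem on disk, which is exactly the situation the Recommendations section below addresses.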


2. Sharing disk devices:

If you want to share a disk device (for example a folder) between host and container, or between containers, so that both sides have full access (rwx) to it, shift makes that much easier.

You only need to add this key to the device configuration in the container or profile config:
shift: true

For example:

folder1:
path: /home/user1/folder1
source: /home/hostuser1/folder1
shift: true
type: disk

Note:
This maps the host's uid/gid (of the folder owner) to the same uid/gid in the container.
So if the host uid is 1000, the user in the container also needs uid 1000 to be able to access it.
See the forum post by stgraber.


3. Sharing volumes:

If you want to share a volume between isolated containers, shift will also make that much easier.

You add this key to your volume-configuration:
security.shifted=true

Then you attach the volume to both containers:
incus storage volume attach POOL-NAME VOLUME-NAME container1 DEVICENAME /PATH
incus storage volume attach POOL-NAME VOLUME-NAME container2 DEVICENAME /PATH
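The two procedures above (a shifted disk device in section 2 and a shifted volume in section 3), done from the CLI instead of by editing YAML, as an added example that is not part of this wiki or the Incus project. The instance names, the device name `folder1`, the pool `default`, the volume `shared` and the paths are placeholders; the volume's device name is assumed to equal the volume name. `INCUS` can be pointed at a wrapper (for example `INCUS=echo`) to see the commands without running them.

```shell
#!/bin/sh
# Added example (not from the wiki or the Incus project): share a host folder with
# a container via a shifted disk device, and share a shifted custom volume
# between two containers. Assumptions: device name "folder1", pool "default",
# volume "shared", placeholder paths, and the volume's device name equals the
# volume name. INCUS may be a wrapper (INCUS=echo) for a dry run.
INCUS=${INCUS:-incus}

# share_folder INSTANCE DEVICE HOST_DIR CONTAINER_PATH
# Same as the YAML device above, added with the CLI; shift=true maps the host
# owner's uid/gid to the same ids inside the container.
share_folder() {
  "$INCUS" config device add "$1" "$2" disk source="$3" path="$4" shift=true
}

# share_volume POOL VOLUME CONTAINER_PATH INSTANCE...
# Creates the volume with security.shifted=true, then attaches it to every
# listed instance at the same path.
share_volume() {
  pool=$1; vol=$2; mnt=$3; shift 3
  "$INCUS" storage volume create "$pool" "$vol" security.shifted=true
  for inst in "$@"; do
    "$INCUS" storage volume attach "$pool" "$vol" "$inst" "$vol" "$mnt"
  done
}

# owner_in INSTANCE PATH -> "uid:gid" as seen inside the instance.
# Compare with `stat -c '%u:%g' HOST_DIR` on the host: with shift they match.
owner_in() {
  "$INCUS" exec "$1" -- stat -c '%u:%g' "$2"
}

# Run with any argument to execute, e.g. `INCUS=echo sh share.sh go` for a dry run.
if [ "$#" -gt 0 ]; then
  share_folder container1 folder1 /home/hostuser1/folder1 /home/user1/folder1
  share_volume default shared /srv/shared container1 container2
  owner_in container1 /home/user1/folder1
  owner_in container1 /srv/shared
fi
```

The `owner_in` check is the one to run after attaching: if it prints a different uid than the host folder shows, shift is not in effect for that device (for example because the container is privileged, see the note at the top of the page).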


Recommendations:

If you don’t want Incus to remap (the UIDs/GIDs of) your container when shiftfs is not available (for example because of a failed dkms update), you can apply the following config key to your container (profile):
security.protection.shift: "true"
"Prevents the instance's filesystem from being uid/gid shifted on startup" (See also: Instance Options - Incus Documentation )

Related error report: Official Linuxcontainers Forum - Container Error after changing shiftfs

Security notes:

If you use shiftfs for disk devices, a root or sudo user inside the container can create a setuid root file (or a device node) on the shared path; because shift maps container root to host root on that path, an unprivileged user on the host can then run it to gain root access on the host.
This is only a very specific case, but if the situation applies to you, you can find ways to prevent it below:

Details: Official Linuxcontainers forum - "Trying out shiftfs"

How to prevent:
Add nosuid,nodev to the mount options of your disk device; see comment 54 for details in: Official Linuxcontainers Forum - "Trying out shiftfs"
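Applying that recommendation and checking for the condition it guards against, as an added example (not from this wiki or the Incus project). It assumes the disk device key `raw.mount.options` is the way to pass mount options to the device (it is listed among the Incus disk device options), and that the instance and device names are placeholders. The host-side audit does not depend on the mount option at all: it simply lists setuid/setgid files under the shared source directory, which is what a host user would need in order to escalate.

```shell
#!/bin/sh
# Added example (not from the wiki or the Incus project): harden a shifted disk
# device with nosuid,nodev and audit the shared host directory for setuid/setgid
# files that container root could have planted. Assumptions: the disk device key
# raw.mount.options carries the mount options; instance/device names and paths
# are placeholders; INCUS may be a wrapper (INCUS=echo) for a dry run.
INCUS=${INCUS:-incus}

# harden_device INSTANCE DEVICE: set nosuid,nodev on the device mount as the forum
# thread recommends (restart the container afterwards if the change is not
# applied live).
harden_device() {
  "$INCUS" config device set "$1" "$2" raw.mount.options nosuid,nodev
}

# find_setuid DIR: list regular files with the setuid or setgid bit under DIR.
# Run this on the host against the source directory of any shifted disk device;
# anything it prints runs with the file owner's privileges for host users
# (root, if container root created it).
find_setuid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# mount_has_nosuid INSTANCE PATH: verify the option is in effect inside the
# container (findmnt prints the mount options of the mount containing PATH).
mount_has_nosuid() {
  "$INCUS" exec "$1" -- findmnt -no OPTIONS "$2" | tr ',' '\n' | grep -qx nosuid
}

# Run with any argument to execute against a real host.
if [ "$#" -gt 0 ]; then
  harden_device container1 folder1
  mount_has_nosuid container1 /home/user1/folder1 && echo "nosuid active"
  echo "setuid/setgid files on the host side of the share:"
  find_setuid /home/hostuser1/folder1
fi
```

`find_setuid` is cheap enough to run from cron on every shared source directory; an unexpected hit there is the signal that a container root has written something the host should not trust.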


Sources:
