Re: [Vserver] fuse ( sshfs ) in guests

From: Philippe Teuwen <>
Date: Fri 25 May 2007 - 09:02:18 BST
Message-ID: <>

> You will need to see /dev/fuse and be able to write to it. You may copy the file from the host, but have to make it so that it is owned by owner root and group fuse inside the client (this is the standard set up SFAIK).
> I order to get a fuse program working in a recent LTSP set up I also needed to add to the ccapabilities that guest. I needed to add both SECURE_MOUNT and BINARY_MOUNT.

I tried the following:

Then I can use mount but not fuse, strace shows:

mount -t proc null ~/mnt:
mount("null", "/root/mnt", "proc", MS_MGC_VAL, NULL) = 0

mount --bind /home ~/mnt:
mount("/home", "/root/mnt", 0x40fde2, MS_MGC_VAL|MS_BIND, 0) = 0

but sshfs:
mount("sshfs#root@", "/root/mnt", "fuse",
"max_read=65536,fd=4,rootmode=40000,user_id=0,group_id=0") = -1 EPERM
(Operation not permitted)

or with CompFused (compression fuse fs)
mount("fuse", "/root/mnt", "fuse", MS_NOSUID|MS_NODEV,
"fd=4,rootmode=40000,user_id=0,group_id=0") = -1 EPERM (Operation not

But if I give extra

then it works:
mount("fuse", "/root/mnt", "fuse", MS_NOSUID|MS_NODEV,
"fd=3,rootmode=40000,user_id=0,group_id=0") = 0

So there is apparently some extra capability required by fuse but I
don't want to give plain CAP_SYS_ADMIN
Any idea?

Note that to strace mount() call into a libfuse fork, you can try sth like
_FUSE_COMMFD=1 strace -s256 /usr/bin/fusermount -o fsname=fuse -- /root/mnt
It's a broken fuse call as there is no unix socket associated but it's
enough to hit the mount() call.

VS-API: 0x00020002
util-vserver: 0.30.212; Dec 9 2006, 20:37:54

Please don't tell me to try a very new kernel/patch "just to see" unless
you know something was indeed fixed, it's on a production vserver...


Vserver mailing list
Received on Fri May 25 09:34:59 2007

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Fri 25 May 2007 - 09:35:04 BST by hypermail 2.1.8