
Multipass can't mount ecryptfs folders on the host

Open davigar15 opened this issue 5 years ago • 8 comments

Hello,

I was trying to build a snap with snapcraft, and it could mount local files to multipass. I replicated the error by creating a VM in multipass, and trying to mount a folder. It works if the folder is /tmp, but not if the folder is under $HOME/.

My computer has encryption in the home folder.

I attach the steps I executed in the terminal, the output of journal -f and the output of mount in my $HOME directory.

Steps:

```
# Inside $HOME
multipass mount  . test1804:/home/ubuntu/test
multipass exec test1804 bash
> ls -alh /home/ubuntu/test
# Empty
```

journal_f.txt mount_homedir.txt

Jan 29 '20 16:01 davigar15

Hi @davigar15,

I'm wondering if the `.` for your current directory isn't being handled correctly. In the meantime, you could use `$HOME` or `~/` instead. Let me know if that works for you and we'll investigate the use of `.`.

Jan 29 '20 16:01 townsend2010

@townsend2010 It looked like the data for his project was not correctly surfacing in the multipass VM.

Of interest to me was that @davigar15 is using ecryptfs on his home directory, which prompted me to ask him to try using /tmp instead. The project built as expected in /tmp.

```
/home/.ecryptfs/davigar15/.Private on /home/davigar15 type ecryptfs
```

Jan 29 '20 16:01 cjp256

Ok, I'm not sure I follow, but I'll explain what I think is the issue :grin:

So if the current directory on the host is `$HOME` and `multipass mount . test1804:/home/ubuntu/test` is issued, there is nothing in the mount in the instance, and if the current directory is `/tmp` on the host and `multipass mount . test1804:/home/ubuntu/test` is issued, then there are files in the mount in the instance?

Jan 29 '20 16:01 townsend2010

Looking at the log provided, it looks like the mount process for test1804 crashed at exactly the same time as an instance named snapcraft-organize-command powered off. That seems quite suspicious :thinking:

Jan 29 '20 17:01 townsend2010

Yeah you nailed it @townsend2010. I did repro independently:

```
sudo apt install ecryptfs-utils
sudo modprobe ecryptfs

# Will create ~/.Private and ~/Private, requires login password and mount password.
ecryptfs-setup-private --nopwcheck --noautomount

# Mount it.
ecryptfs-mount-private

cd ~/Private

# Option A: Broken snapcraft example.
git clone git://github.com/cjp256/snap-tests
cd snap-tests/organize-command
snapcraft

# Option B: Manual mount.
multipass mount /home/chris/Private/snap-tests/organize-command test1804:/home/ubuntu/organize-command

# Directory is empty... :(
multipass exec test1804 find /home/ubuntu/organize-command
```

Jan 29 '20 22:01 cjp256

Hey @cjp256,

Thanks for the repro steps. We'll have to investigate how to handle this, but we'll take note that ecryptfs based mounts are not supported right now.

Jan 30 '20 13:01 townsend2010

Here's my kernel log message showing the denial from apparmor for this issue.

```
[2002724.952378] audit: type=1400 audit(1625850818.490:593675): apparmor="DENIED" operation="open" profile="multipass.charm-dev.00d118a6.sshfs_server" name="/home/.ecryptfs/drew/.Private/ECRYPTFS_FNEK_ENCRYPTED.FWZHTIEXtURfi-R4NszmOfJTGYEh0fYSk3tZuRwgehxEMpgbh9sD376YG---/" pid=1562686 comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
```

My guess is that multipass's home and all-homes snap plugins don't allow access beyond the containment field to read /home/.ecryptfs since it's not technically any user's homedir.

Jul 09 '21 17:07 afreiberger
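
A diagnostic sketch for the failure discussed in this thread, added here as an example and not part of the issue or of Multipass: it checks whether a host path is backed by ecryptfs and matches AppArmor denials for an `sshfs_server` profile against the ecryptfs lower directory. The sample mount and audit lines, the instance name and all function names are constructed for illustration; it assumes `mount`-style output without spaces in paths.

```python
import re
from pathlib import PurePosixPath

# Constructed sample data, modelled on the `mount` line and audit record quoted in the thread.
SAMPLE_MOUNTS = """\
/dev/sda2 on / type ext4 (rw,relatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev)
/home/.ecryptfs/drew/.Private on /home/drew type ecryptfs (rw,nosuid,nodev,relatime)
"""
SAMPLE_AUDIT = (
    'audit: type=1400 audit(0.000:1): apparmor="DENIED" operation="open" '
    'profile="multipass.test1804.00000000.sshfs_server" '
    'name="/home/.ecryptfs/drew/.Private/ECRYPTFS_FNEK_ENCRYPTED.CONSTRUCTED/" '
    'pid=1 comm="sshfs_server" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000\n'
)

MOUNT_RE = re.compile(r"^(\S+) on (\S+) type (\S+)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def is_under(path, root):
    """True if path equals root or lies below it (component-wise, not string prefix)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def parse_mounts(mount_output):
    """Return [(source, mountpoint, fstype)] from `mount`-style output."""
    return [m.groups() for m in map(MOUNT_RE.match, mount_output.splitlines()) if m]

def ecryptfs_backing(path, mounts):
    """Return the ecryptfs lower directory backing path, or None if it is not on ecryptfs."""
    covering = [m for m in mounts if is_under(path, m[1])]
    if not covering:
        return None
    src, _, fstype = max(covering, key=lambda m: len(PurePosixPath(m[1]).parts))
    return src if fstype == "ecryptfs" else None

def sshfs_denials_on_ecryptfs(audit_text, mounts):
    """Return [(profile, mountpoint)] for sshfs_server denials inside an ecryptfs lower dir."""
    hits = []
    for line in audit_text.splitlines():
        f = {k: q or u for k, q, u in FIELD_RE.findall(line)}
        if f.get("apparmor") != "DENIED" or not f.get("profile", "").endswith("sshfs_server"):
            continue
        hits += [(f["profile"], mp) for src, mp, fs in mounts
                 if fs == "ecryptfs" and is_under(f.get("name", "/"), src)]
    return hits
```

Running `ecryptfs_backing()` on the directory you intend to pass to `multipass mount` tells you up front whether it sits on ecryptfs; feeding kernel log text to `sshfs_denials_on_ecryptfs()` confirms whether an empty mount coincides with a denial in the lower directory.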

For reference: https://documentation.ubuntu.com/multipass/en/latest/how-to-guides/troubleshoot/mount-an-encrypted-home-folder/

Jul 07 '25 10:07 ricab