Awesome.
Hmmm…I tried this, but ran into an error while trying to have USER nobody in the Dockerfile. Normally, I would say that this is missing some sys capabilities, but this is firecracker, not docker. Or this needs to have some udev rules, but there is no udev in the container. Does litefs still need to run as root and then the child process needs to change users?
Logs:
2023-04-16T23:06:58Z app[e2865551b73148] ewr [info]wal-sync: short wal file exists on "main.sqlite", skipping sync with ltx
2023-04-16T23:06:59Z app[e2865551b73148] ewr [info]mount helper error: fusermount3: failed to open /dev/fuse: Permission denied
Dockerfile:
USER nobody
CMD ["/app/bin/run"] # sets up litefs env and runs mount
fuse.conf
sh-5.1# cat /etc/fuse.conf |head -n10
# The file /etc/fuse.conf allows for the following parameters:
#
# user_allow_other - Using the allow_other mount option works fine as root, in
# order to have it work as user you need user_allow_other in /etc/fuse.conf as
# well. (This option allows users to use the allow_other option.) You need
# allow_other if you want users other than the owner to access a mounted fuse.
# This option must appear on a line by itself. There is no value, just the
# presence of the option.
user_allow_other
litefs.yml
sh-5.1# cat /etc/litefs.yml |grep fuse -A5
fuse:
# Required. This is the mount directory that applications will
# use to access their SQLite databases.
dir: "/litefs"
# Enable mounting of the file system by non-root users.
# You must enable the 'user_allow_other' option in /etc/fuse.conf as well.
allow-other: true
# The debug flag enables debug logging of all FUSE API calls.
# This will produce a lot of logging. Not for general use.
debug: false