How to Access LXC Container’s Full Filesystem (Including Mounts) from Host Machine


When working with LXC containers, you'll quickly discover that simply accessing the rootfs directory (specified in lxc.rootfs) doesn't give you the complete container filesystem view. The mounted filesystems (/proc, /sys, /dev etc.) appear as empty directories from the host perspective. This makes administration and debugging more challenging.

LXC uses Linux namespaces to isolate container processes. The mount namespace is what prevents you from seeing the container's complete filesystem hierarchy. When you look at the container's rootfs from the host, you're seeing it through the host's mount namespace.

1. Using nsenter

The most reliable method is to use nsenter to enter the container's mount namespace:

# First find the container's PID
CT_PID=$(lxc-info -pHn container_name)

# Then enter its mount namespace
sudo nsenter -m -t $CT_PID

Now you'll see the complete filesystem as the container sees it, including all mounts.

2. Bind-mounting the Container's Root via /proc/PID/root

For quick access to the container's root filesystem without opening a shell in its namespace:

sudo mkdir -p /mnt/container_view
sudo mount --bind -o ro /proc/$CT_PID/root /mnt/container_view

With -o ro this gives you read-only access to the container's root filesystem from the host side.

3. Using lxc-attach with Custom Commands

You can run a command inside the container that streams its filesystem out to the host (the pseudo-filesystems are skipped because tar cannot meaningfully copy them):

# Stream the container's root to the host, excluding /proc, /sys and /dev
sudo lxc-attach -n container_name -- tar -cf - --exclude=./proc --exclude=./sys --exclude=./dev -C / . | sudo tar -xf - -C /host/target/directory

For regular access, consider creating a helper script:

#!/bin/bash
# Usage: lxc-fs-access <container_name>
CT_NAME=$1
CT_PID=$(lxc-info -pHn "$CT_NAME") || exit 1
case "$CT_PID" in
    ''|*[!0-9]*) echo "Container '$CT_NAME' is not running" >&2; exit 1 ;;
esac
sudo nsenter -m -t "$CT_PID" -- /bin/bash

Save this as lxc-fs-access and make it executable.

Remember that accessing a container's filesystem from the host is a privileged operation. Always:

  • Use sudo judiciously
  • Avoid modifying critical container files directly
  • Consider read-only mounts where possible

When working with LXC containers, you might need to access the container's complete filesystem from the host, including all mounted filesystems. While the lxc.rootfs directory provides the base filesystem, it doesn't include the mounted filesystems that exist within the running container.

LXC containers use several Linux kernel features for filesystem isolation:

# Typical LXC container mounts visible from inside the container:
/dev/sda1 on / type ext4 (rw,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)

The most reliable method is to enter the container's mount namespace:

# First find the container's process ID
CONTAINER_PID=$(lxc-info -p -n mycontainer | awk '{print $2}')

# Then access the filesystem through nsenter
sudo nsenter -m -t $CONTAINER_PID

For quick access without entering the namespace:

# Method 1: Using lxc-attach (skips /proc, /sys and /dev, which tar cannot copy)
sudo lxc-attach -n mycontainer -- tar -cf - --exclude=./proc --exclude=./sys --exclude=./dev -C / . | sudo tar -xf - -C /path/on/host

# Method 2: Direct bind mount (requires privileged container)
sudo lxc-device -n mycontainer add /path/on/host /mnt/in/container

Here's how to examine a container's complete filesystem when debugging:

# Enter the mount namespace and examine processes
sudo nsenter -m -t $(lxc-info -p -n mycontainer | awk '{print $2}') -- ps aux

# Check mounted filesystems
sudo nsenter -m -t $(lxc-info -p -n mycontainer | awk '{print $2}') -- mount | grep /var
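Added example, not code from the original post: an audit helper that reads a running container's mount table from the host through /proc/<pid>/mountinfo (readable without nsenter or a bind mount), flags host directories bind-mounted into the container, and reports pseudo-filesystems missing hardening options such as noexec. It assumes lxc-info as used on this page and takes the container name as its first argument; the mountinfo lines inside the block are constructed sample data, not captured from a real system.

```shell
#!/bin/bash
# Added example (not from the original post): audit a running container's
# mount table from the host. /proc/<pid>/mountinfo shows the container's own
# view of its mounts and the host can read it directly, without nsenter or a
# bind mount. SAMPLE_MOUNTINFO is constructed sample data so the checks below
# can run without LXC; the lxc-info call is an assumption taken from this page.

# Exit 0 when PID $1 shares the caller's mount namespace (nsenter would be moot).
same_mount_ns() {
    [ "$(readlink /proc/"$1"/ns/mnt)" = "$(readlink /proc/self/ns/mnt)" ]
}

# mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype src superopts
# Print mount points of filesystem type $1 whose per-mount options lack $2
# (e.g. "tmpfs noexec"). Reads mountinfo text from stdin.
missing_option() {
    awk -v fs="$1" -v opt="$2" '
        NF == 0 { next }
        { type = ""; for (i = 7; i <= NF; i++) if ($i == "-") { type = $(i + 1); break } }
        type == fs { o = "," $6 ","; n = "," opt ","; if (index(o, n) == 0) print $5 }'
}

# Print "<mountpoint> <host path> <rw|ro>" for every mount (other than /) whose
# source is a subdirectory of a real block filesystem, i.e. a host path
# bind-mounted into the container. These are where the container reaches host data.
host_bind_mounts() {
    awk '
        NF == 0 { next }
        { type = ""; for (i = 7; i <= NF; i++) if ($i == "-") { type = $(i + 1); break } }
        type != "proc" && type != "sysfs" && type != "tmpfs" && type != "devpts" &&
        type != "cgroup2" && $5 != "/" && $4 != "/" {
            o = "," $6 ","; print $5, $4, (index(o, ",ro,") ? "ro" : "rw") }'
}

# Constructed sample in /proc/<pid>/mountinfo format (not captured from a real host).
SAMPLE_MOUNTINFO='100 99 8:1 /var/lib/lxc/web/rootfs / rw,relatime - ext4 /dev/sda1 rw
101 100 0:55 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 100 0:56 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
103 100 0:57 / /dev/shm rw,nosuid,nodev - tmpfs tmpfs rw
104 100 8:1 /srv/shared /mnt/shared rw,relatime - ext4 /dev/sda1 rw
105 100 8:1 /var/log/web /var/log ro,relatime - ext4 /dev/sda1 rw'

# Real use: ./audit-mounts.sh <container_name>
if [ $# -gt 0 ]; then
    PID=$(lxc-info -pHn "$1") || exit 1
    same_mount_ns "$PID" && echo "warning: $1 shares the host mount namespace"
    echo "== host paths bind-mounted into $1 =="; host_bind_mounts < /proc/"$PID"/mountinfo
    echo "== tmpfs mounts without noexec =="; missing_option tmpfs noexec < /proc/"$PID"/mountinfo
fi
```

On the sample data the rw bind of /srv/shared is the finding to follow up; a ro bind such as /var/log/web is the shape the "read-only where possible" advice on this page aims for.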

When accessing container filesystems:

  • Always use minimal privileges (avoid root when possible)
  • Be aware of SELinux/AppArmor policies
  • Never modify production containers directly from host

Create a helper script for frequent access:

#!/bin/bash
# lxc-fs-access.sh: expose a running container's root, as the container sees
# it, read-only at TARGET_DIR on the host.
# Usage: lxc-fs-access.sh <container> <target_dir>
set -euo pipefail
CONTAINER=$1
TARGET_DIR=$2

PID=$(lxc-info -p -n "$CONTAINER" | awk '{print $2}')
case "$PID" in
    ''|*[!0-9]*)
        echo "Container '$CONTAINER' is not running" >&2
        exit 1 ;;
esac

mkdir -p "$TARGET_DIR"
sudo nsenter -m -t "$PID" -- mount --make-rshared /
# --rbind also picks up the container's submounts; -o ro keeps the host-side view read-only
sudo mount --rbind -o ro /proc/"$PID"/root "$TARGET_DIR"