lucid fuse-utils fails to install in lxc container

Bug #800886 reported by Robert Collins
This bug affects 1 person
Affects: lxc (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

Adding

#fuse
lxc.cgroup.devices.allow = c 10:229 rwm

to the running config lets fuse-utils configure successfully.
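As an added example (not part of the bug report or of lxc), the check below decides whether a devices-cgroup whitelist grants a given access to /dev/fuse. It assumes the cgroup v1 devices controller, whose `devices.list` entries use the same `type major:minor access` form as the config value above; the `BEFORE` and `AFTER` whitelists are constructed samples.

```python
FUSE = ("c", 10, 229)  # /dev/fuse: character device, major 10, minor 229

def parse_rule(line):
    """Parse a rule such as 'c 10:229 rwm' into (type, major, minor, access)."""
    fields = line.split()
    if fields == ["a"]:  # a bare 'a' is accepted as shorthand for all devices
        return ("a", "*", "*", "rwm")
    if len(fields) != 3 or fields[0] not in ("a", "b", "c"):
        raise ValueError(f"bad device rule: {line!r}")
    major, sep, minor = fields[1].partition(":")
    if not sep or not all(p == "*" or p.isdigit() for p in (major, minor)):
        raise ValueError(f"bad major:minor in rule: {line!r}")
    if not fields[2] or set(fields[2]) - set("rwm"):
        raise ValueError(f"bad access string in rule: {line!r}")
    return (fields[0], major, minor, fields[2])

def is_allowed(rules, dev_type, major, minor, access):
    """True if a single whitelist entry covers every requested access letter."""
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rtype, rmajor, rminor, raccess = parse_rule(line)
        if (rtype in ("a", dev_type)
                and rmajor in ("*", str(major))
                and rminor in ("*", str(minor))
                and set(access) <= set(raccess)):
            return True
    return False

# Constructed sample whitelist for a container without the fuse entry:
# mknod ('m') is permitted for any device, read/write only for a few.
BEFORE = [
    "c *:* m",
    "b *:* m",
    "c 1:3 rwm",
    "c 5:0 rwm",
    "c 136:* rwm",
]
# The same whitelist with the line from the bug description added.
AFTER = BEFORE + ["#fuse", "c 10:229 rwm"]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, {a: is_allowed(rules, *FUSE, a) for a in ("m", "rw", "rwm")})
```

With the constructed `BEFORE` list the device node can be created but not opened for read/write, which is the state the added line changes.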

Serge Hallyn (serge-hallyn) wrote :

So the question asked on irc is whether we feel safe allowing this for all containers, or whether we should have fuse-utils print out a helpful message.

Note that other things, like libvirt's containers, and anything else using the devices cgroup, can also cause this.

Is /dev/fuse's API considered safe?

Changed in lxc (Ubuntu):
status: New → Confirmed
Robert Collins (lifeless) wrote :

This was discussed on irc; consensus was it's fine:

08:53 < hallyn> cool, thanks. yeah i just meant top of head. if research is required i'll go read the code.
08:54 < kees> hallyn: my understanding is that the fuse perms are checked at the kernel level.
08:54 < kees> hallyn: I haven't thought much about how that might behave with a container, though.
08:54 < kees> in _theory_, it should be fine, but I've never tested it
08:55 < hallyn> kees: oh i wasn't even thinking about uid translations over namespaces. (that'll be my job :)
08:55 < hallyn> kees: I'm wondering how... 'rich' the API over /dev/fuse is. Do you trust people who connect to it?
08:56 < hallyn> kees: or does it have a small, limited API that I can sort of trust
08:56 < hallyn> by 'do you trust people' i meant 'do you *have* to trust people'
09:02 < kees> hallyn: well, it's designed for non-root users, but I haven't spent any time auditing it.
09:03 < hallyn> kees: so it's world writeable usually?
09:03 < hallyn> so it is
09:03 < kees> hallyn: yes
09:03 < hallyn> so why would i worry about it
09:03 < hallyn> kees: thx :)
09:03 < kees> heh, np
09:03 < hallyn> of course,
09:03 < hallyn> i assume the kernel code checks uids. but again that just means it's up to me to clean that up when time comes
09:03 < hallyn> neaty
09:03 < hallyn> neato, even

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.4-0ubuntu11

---------------
lxc (0.7.4-0ubuntu11) oneiric; urgency=low

  * Allow containers to access /dev/fuse (LP: #800886)
 -- Serge Hallyn <email address hidden> Wed, 22 Jun 2011 16:06:23 -0500

Changed in lxc (Ubuntu):
status: Confirmed → Fix Released