[lxc-users] lxc.mount.entry selectively mount parts of sys and proc read write

Serge Hallyn serge.hallyn at ubuntu.com
Sat Mar 22 04:11:48 UTC 2014


Quoting GC (catchall at gc9.org):
> On 03/21/2014 07:15 AM, Serge Hallyn wrote:
> >Quoting GC (catchall at gc9.org):
> >>Hello,
> >>
> >>I want to selectively mount parts of sys and proc rw, but the rest
> >>ro.  I thought I might be able to e.g., mount /sys ro (in the
> >>container), and mount /.sys rw (in the container), then bind mount
> >>bits from /.sys to /sys, and finally hide the rw /.sys by mounting
> >>another directory on top of it, like:
> >>
> >>lxc.mount.entry = sysfs sys sysfs ro 0 0
> >>lxc.mount.entry = sysfs .sys sysfs rw 0 0        # (dot)sys
> >>
> >>lxc.mount.entry = /var/lib/lxc/container/.sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
> >># or alternatively (also doesn't work) this instead of line above
> >>#lxc.mount.entry = .sys/module/ipv6 sys/module/ipv6 none defaults,bind 0 0
> >>
> >>lxc.mount.entry = /var/lib/lxc/dummy_mount .sys none ro,bind 0 0
> >>
> >>
> >>The part where I try to perform the bind mount of the read/write
> >>.sys/module/ipv6 (in the container) on top of the read only
> >>sys/module/ipv6 (in the container) fails.  Is there a way to get
> >>this to work?
> >Wouldn't it be simpler to simply bind mount /sys ro from the host,
> >then bind-mount /sys/module/ipv6 from the host rw into the container?
> 
> I thought there would be issues with namespace support.  I thought
> it would break network namespaces, which appears to be wrong from

Oh - yeah, right you are.

> your comment.  But, I also don't see how this can work with user
> namespaces, since root in container will not be able to write to the
> host's /sys, if it is bind mounted.  I'm still trying to get a
> container to work with user namespaces, so my assumption that writes
> will work to /sys, mounted rw via lxc.mount.entry, is untested.
> 
> >
> >I assume your container won't have cap_sys_admin to prevent remounting?
> 
> Correct.
> 
> Thnx,
> 
> g
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
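The layout Serge suggests, written out as an added example (not config from the original thread): bind the host's /sys read-only into the container, stack one writable bind mount for the single subtree that needs it, and drop CAP_SYS_ADMIN so the container cannot remount or unmount either layer. The /sys/module/ipv6 path follows the question; the relative targets are resolved against the container rootfs, as in the poster's own entries. The read-only bind relies on LXC re-mounting a bind mount with the requested flags after the bind itself (a plain mount -o ro,bind would not make it read-only on its own).

```ini
# Host sysfs, read-only inside the container. LXC re-mounts a bind
# mount with the requested flags after binding it, which is what
# makes the "ro" take effect here.
lxc.mount.entry = /sys sys none ro,bind 0 0

# One writable subtree stacked on top of the read-only /sys. Order
# matters: entries are mounted in config order, so this must follow
# the ro entry to land on top of it.
lxc.mount.entry = /sys/module/ipv6 sys/module/ipv6 none rw,bind 0 0

# Without CAP_SYS_ADMIN the container can neither remount /sys rw nor
# unmount the stacked bind to expose the read-only tree underneath.
lxc.cap.drop = sys_admin
```

Two checks worth doing from inside the started container: `findmnt /sys` should show the `ro` option and `findmnt /sys/module/ipv6` the `rw` option, and `mount -o remount,rw /sys` should fail with EPERM. The caveat GC raises about user namespaces still applies to this layout: the rw bind removes only the mount-level restriction, and sysfs files remain owned by host root, so a container root that maps to an unprivileged host uid is still refused by the ordinary permission check on write.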

