[lxc-devel] Patch/RFC: allow pivot_root, unmount old fs

Michael Holzt lxc at my.fqdn.org
Tue Jan 5 21:05:55 UTC 2010


> Umounting everything in the container may break the ro-bind mount of 
> some different configuration scheme, we have to look how to deal with 
> that. 

I do not umount "everything", only mounts under the old rootfs. 

Bind mounts in the new rootfs survive this operation and continue to 
work, even if the bind target is now outside our rootfs-tree. Another
example showing this, with some additional info from the logfile:

| root at synergy:~# cat /etc/lxc/webhost.fstab 
| /home/kju/test /container/webhost/mnt2 auto rbind,rw,defaults 0 0
| root at synergy:~# ls /home/kju/test/
| this_is_home_kju_test
| root at synergy:~# rm log ; lxc-start -o log -l DEBUG -n webhost /bin/sh

Reformatted excerpt from logfile:
  lxc-start 1262724870.575 lxc_conf - pivot_root syscall successfull
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/lib/init/rw
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/sys/fs/fuse/connections
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/dev/shm
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/dev/pts
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/var/local/cgroup
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/container/webhost/mnt2
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/container/webhost/dev/console
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/proc
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/sys
  lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/dev

So only filesystems under /oldrootfs/ are umounted. The final umount is
/oldrootfs, but missing from my log.

| # mount -t proc proc /proc
| # cat /proc/mounts
| rootfs / rootfs rw 0 0
| /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
| /dev/root /mnt2 ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
| devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
| proc /proc proc rw,relatime 0 0
| # ls /mnt2
| this_is_home_kju_test

So the bind mount still works, even if the same directory is no longer
accessible through our normal rootfs tree.

While we now have some kind of pointer out of our rootfs cell, this still
can't be abused to break chroot:

| # cd /mnt2
| # ../breakchroot
| # ls this*
| this_is_the_container

> Otherwise +1 for the pivot_root.

I feel that adding this is very important because with only the chroot the
whole container concept is severely insecure when not dropping the chroot
capability from the container, which might be undesirable. But when root
or a user with chroot capability can break out of the chroot, this is in
my opinion a showstopper for containers and what currently prevents me from
deployment.

I know there are other methods to break chroot, but while not having
checked, I believe that all of them are mitigated by pivot_root and our
cleaned up container specific mount namespace.


Regards
Michael

-- 
It's an insane world, but I'm proud to be a part of it. -- Bill Hicks
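As an added illustration of the sequence the message describes (this is not LXC's code and not Michael's patch): read the mount table, work out which mount points will end up under /oldrootfs after pivot_root, detach them deepest-first, and finish with /oldrootfs itself. The function names, the constructed mount list and the 256-entry limits are my own assumptions; the privileged part needs Linux and CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

#define OLDROOT "/oldrootfs"   /* put_old directory, as in the log excerpt */
#define MAXM 256               /* assumed upper bound on mount entries */

typedef char target_t[256];

/* Longer path first: a nested mount must be detached before its parent. */
static int deeper_first(const void *a, const void *b) {
    return (int)strlen((const char *)b) - (int)strlen((const char *)a);
}

/* Given the mount points visible before pivot_root, list the paths at which
 * every mount *outside* newroot will appear afterwards (prefixed by OLDROOT),
 * deepest first, with "/" itself (which becomes OLDROOT) last. Returns count. */
int old_root_targets(const char *newroot, const char *const *mounts, int n, target_t *out) {
    size_t rlen = strlen(newroot);
    int kept = 0;
    for (int i = 0; i < n && kept < MAXM; i++) {
        const char *m = mounts[i];
        if (strncmp(m, newroot, rlen) == 0 && (m[rlen] == '\0' || m[rlen] == '/'))
            continue;                        /* lives inside the new root: keep it */
        snprintf(out[kept++], sizeof(target_t), OLDROOT "%s", strcmp(m, "/") ? m : "");
    }
    qsort(out, kept, sizeof(target_t), deeper_first);
    return kept;
}

/* Needs CAP_SYS_ADMIN. The mount table is read before pivoting because the
 * new root need not have /proc mounted (the container above mounts it by hand). */
int pivot_and_unmount_old(const char *newroot) {
    static char names[MAXM][256]; static target_t tgt[MAXM];
    const char *list[MAXM]; char put_old[512]; int n = 0;
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f) return -1;
    while (n < MAXM && fscanf(f, "%*s %255s %*[^\n]\n", names[n]) == 1) { list[n] = names[n]; n++; }
    fclose(f);
    int cnt = old_root_targets(newroot, list, n, tgt);
    snprintf(put_old, sizeof put_old, "%s" OLDROOT, newroot);
    if (unshare(CLONE_NEWNS) || mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) ||
        mount(newroot, newroot, NULL, MS_BIND | MS_REC, NULL) ||   /* new_root must be a mount point */
        syscall(SYS_pivot_root, newroot, put_old) || chdir("/"))
        return -1;
    for (int i = 0; i < cnt; i++)            /* lazy detach also drops leftovers under OLDROOT */
        umount2(tgt[i], MNT_DETACH);
    return 0;
}
```

The rbind copy of the container tree made just before pivot_root is what keeps mounts such as /mnt2 working afterwards, while the original instances vanish with the lazy detach of /oldrootfs.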
