[lxc-devel] Patch/RFC: allow pivot_root, unmount old fs

Daniel Lezcano dlezcano at fr.ibm.com
Wed Jan 6 12:08:58 UTC 2010


Michael Holzt wrote:
>> Umounting everything in the container may break the ro-bind mount of 
>> some different configuration scheme, we have to look how to deal with 
>> that. 
> 
> I do not umount "everything", only mounts under the old rootfs. 
> 
> Bind mounts in the new rootfs survive this operation and continue to 
> work, even if the bind target is now outside our rootfs-tree. Another
> example showing this, with some additional info from the logfile:
> 
> | root at synergy:~# cat /etc/lxc/webhost.fstab 
> | /home/kju/test /container/webhost/mnt2 auto rbind,rw,defaults 0 0
> | root at synergy:~# ls /home/kju/test/
> | this_is_home_kju_test
> | root at synergy:~# rm log ; lxc-start -o log -l DEBUG -n webhost /bin/sh
> 
> Reformatted excerpt from logfile:
>   lxc-start 1262724870.575 lxc_conf - pivot_root syscall successfull
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/lib/init/rw
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/sys/fs/fuse/connections
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/dev/shm
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/dev/pts
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/var/local/cgroup
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/container/webhost/mnt2
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/container/webhost/dev/console
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/proc
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/sys
>   lxc-start 1262724870.575 lxc_conf - unmounted /oldrootfs/dev
> 
> So only filesystems under /oldrootfs/ are umounted. The final umount is
> /oldrootfs, but missing from my log.
> 
> | # mount -t proc proc /proc
> | # cat /proc/mounts
> | rootfs / rootfs rw 0 0
> | /dev/root / ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
> | /dev/root /mnt2 ext3 rw,relatime,errors=remount-ro,data=writeback 0 0
> | devpts /dev/console devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
> | proc /proc proc rw,relatime 0 0
> | # ls /mnt2
> | this_is_home_kju_test

Excellent !

> So the bind mount still works, even if the same directory is no longer
> accessible through our normal rootfs tree.
> 
> While we now have some kind of pointer out of our rootfs cell, this still
> can't be abused to break chroot:
> 
> | # cd /mnt2
> | # ../breakchroot
> | # ls this*
> | this_is_the_container
> 
>> Otherwise +1 for the pivot_root.
> 
> I feel that adding this is very important because with only the chroot the
> whole container concept is severely insecure when not dropping the chroot
> capability from the container, which might be undesirable. But when root
> or a user with chroot capability can break out of the chroot, this is in
> my opinion a showstopper for containers and what currently prevents me from
> deployment.

Right.

> I know there are other methods to break chroot, but while not having
> checked, I believe that all of them are mitigated by pivot_root and our
> cleaned up container specific mount namespace.

Ok, I will play with your patch.

Thanks !

   -- Daniel
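The cleanup step Michael describes (after pivot_root, unmount only what lives under the old rootfs, children before parents, and leave bind mounts such as /mnt2 inside the new root untouched) as an added example in C. This is not lxc's code or the patch from the thread; the mount-table excerpt is constructed, and the real run would feed the resulting list to umount(2) inside the container's mount namespace.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MOUNTS 64
#define PLEN 256
/* Constructed /proc/mounts excerpt (not the thread's log): the old root is still
 * visible at /oldrootfs; /mnt2 is a bind mount inside the new root and must stay. */
static const char *SAMPLE_MOUNTS =
    "rootfs / rootfs rw 0 0\n"
    "/dev/root /oldrootfs ext3 rw 0 0\n"
    "udev /oldrootfs/dev tmpfs rw 0 0\n"
    "devpts /oldrootfs/dev/pts devpts rw 0 0\n"
    "proc /oldrootfs/proc proc rw 0 0\n"
    "/dev/root /mnt2 ext3 rw 0 0\n";

/* True if path is oldroot itself or a directory beneath it ("/oldrootfs2" is not). */
static int under(const char *path, const char *oldroot) {
    size_t n = strlen(oldroot);
    return strncmp(path, oldroot, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* qsort comparator: deeper mount points first, so /oldrootfs/dev/pts goes before
 * /oldrootfs/dev and /oldrootfs itself comes last. */
static int deepest_first(const void *a, const void *b) {
    const char *pa = a, *pb = b;
    int da = 0, db = 0;
    for (const char *p = pa; *p; p++) da += (*p == '/');
    for (const char *p = pb; *p; p++) db += (*p == '/');
    return da != db ? db - da : strcmp(pb, pa);
}

/* Parse mount-table text, keep only mount points under oldroot, order them for
 * unmounting. Returns how many entries were written to out. */
int plan_unmounts(const char *table, const char *oldroot, char out[][PLEN], int max) {
    char buf[4096], dev[PLEN], mp[PLEN];
    int n = 0;
    snprintf(buf, sizeof buf, "%s", table);
    for (char *l = strtok(buf, "\n"); l && n < max; l = strtok(NULL, "\n"))
        if (sscanf(l, "%255s %255s", dev, mp) == 2 && under(mp, oldroot))
            snprintf(out[n++], PLEN, "%s", mp);
    qsort(out, n, PLEN, deepest_first);
    return n;
}

/* Plan for the constructed table; returns the i-th path to unmount, or "" past the end. */
const char *demo_plan(int i) {
    static char out[MAX_MOUNTS][PLEN];
    int n = plan_unmounts(SAMPLE_MOUNTS, "/oldrootfs", out, MAX_MOUNTS);
    return i < n ? out[i] : "";
}
```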