[lxc-devel] Patch: pivot_root, new version

Michael Holzt lxc at my.fqdn.org
Wed Jan 6 22:18:59 UTC 2010


> >+		SYSERROR("strdup failed");
> >+		return -1
> >  
> ";" is missing

Oops.

> Why does setup_rootfs_pivot_root_cb not umount directly instead of
> creating a list and then browsing the list to umount?

Some umounts will fail because they are busy, e.g. /dev before /dev/pts
is umounted. I need to store at least those failed umounts in a list to
retry later. To keep it simple and clean, I then decided to first put
all mounts in a list and then have one single loop which umounts, instead
of having umount happen at two different positions in the code.

> I think you convinced me with your demonstration that the chroot is insane for a
> container, so IMO we can consider always using pivot_root and
> definitively get rid of the chroot-only approach.

Ok. I do not want to offend anybody, but it puzzles me why no one else
noticed this before. Breaking chroot is a known problem, and the stance
of the kernel developers, at least a few years ago, was that it won't be fixed,
because root on the machine has other ways to break chroot.

This no longer holds true, because the invention of namespaces/containers and
capabilities has now made it possible to restrict even uid=0 in a chroot
context to a point where I believe the last point of failure is the damn
chroot. So maybe the kernel developers might change their mind on this,
but on the other hand we have a powerful alternative with pivot_root.

> Is it possible to not add the
> pivotdir configuration variable and keep this internal by creating the
> pivotdir to be used in /tmp/lxc-rootfs?

This would be possible, but by creating a temporary mount point in
/tmp/lxc-rootfs I create the temporary mount point in the filesystem
of the container, which might be read-only; also, such a modification
might not be desired.

Why not keep the variable optional and use it as the temporary mount point
if specified, and create a tmp dir in the root fs when not set?

Regards
Michael

-- 
It's an insane world, but I'm proud to be a part of it. -- Bill Hicks
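The single retry loop described in the mail (collect all mounts first, then keep passing over the list until nothing busy remains), as an added example that is not LXC's code: `umount_all` takes the real `umount(2)` through a function pointer, and `fake_umount` plus the `fake_mounts` table are a constructed stand-in so the /dev-before-/dev/pts case can be run without root or real mounts.

```c
#include <errno.h>
#include <string.h>
#define MAX_MOUNTS 16

/* Pluggable umount (pass umount(2) wrapped, or a test double). */
typedef int (*umount_fn)(const char *path, void *ctx);

/* One loop over the collected list: entries failing with EBUSY (e.g. /dev while
 * /dev/pts is still mounted) are retried on the next pass, until a pass makes no
 * progress. Returns entries still mounted, or -1 on any other umount error. */
int umount_all(const char **paths, int n, umount_fn do_umount, void *ctx)
{
    int mounted[MAX_MOUNTS], remaining = n, progress;
    if (n > MAX_MOUNTS) return -1;
    for (int i = 0; i < n; i++) mounted[i] = 1;
    do {
        progress = 0;
        for (int i = 0; i < n; i++) {
            if (!mounted[i]) continue;
            if (do_umount(paths[i], ctx) == 0) { mounted[i] = 0; remaining--; progress = 1; }
            else if (errno != EBUSY) return -1;
        }
    } while (remaining > 0 && progress);
    return remaining;
}

/* Constructed stand-in for umount(2): a mount point is busy while an entry still mounted beneath it exists. */
struct fake_mounts { const char *paths[MAX_MOUNTS]; int mounted[MAX_MOUNTS]; int n, calls; };

int fake_umount(const char *path, void *ctx)
{
    struct fake_mounts *fm = ctx;
    size_t len = strlen(path);
    fm->calls++;
    for (int i = 0; i < fm->n; i++)   /* any mounted child "<path>/..." keeps it busy */
        if (fm->mounted[i] && !strncmp(fm->paths[i], path, len) && fm->paths[i][len] == '/')
            { errno = EBUSY; return -1; }
    for (int i = 0; i < fm->n; i++)
        if (fm->mounted[i] && !strcmp(fm->paths[i], path)) { fm->mounted[i] = 0; return 0; }
    errno = EINVAL; return -1;        /* not mounted: a hard failure, not retried */
}

/* The mail's case: /dev listed before /dev/pts, so pass one leaves /dev busy and pass two finishes it. */
int demo(struct fake_mounts *fm)
{
    static const char *order[] = { "/proc", "/dev", "/dev/pts", "/sys" };
    fm->n = 4; fm->calls = 0;
    for (int i = 0; i < fm->n; i++) { fm->paths[i] = order[i]; fm->mounted[i] = 1; }
    return umount_all(order, fm->n, fake_umount, fm);
}
```

With the constructed table, `demo` needs two passes: four calls in the first (one EBUSY on /dev) and a fifth that finishes /dev.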



