[lxc-devel] a container can remount ro the host's mount point

lxc at zitta.fr
Mon Mar 15 14:39:23 UTC 2010



On 15/03/2010 15:05, Michael H. Warfield wrote:
> On Sun, 2010-03-14 at 08:33 +0100, lxc at zitta.fr wrote:
>   
>> Hi,
>>
>> When I create a full os container (for example a debian), I have to
>> remove init script that remount / read only on halt
>> example : umountfs for lenny
>>
>> If I don't do this, the container remounts readonly the mount point
>> where rootfs are when it stops.
>>
>> Why a container is able to do this?
>> If you store multiples containers on the same mount point, it could be
>> very problematic.
>>     
> Ah HA!  So THAT'S the root cause of THAT problem.  Several of us have
> noticed that effect.  Yeah, major PITA.  Also explains just why I no
> longer see it.  Because of a practice I started using in setting up my
> containers...
>
> As it so happens, because all of my containers are OpenVZ compatibility
> containers, I use a bind mount in the fstab for the root fs.  OpenVZ has
> this concept of a "private" and a "rootfs" to aid in setting disk quotas
> in the container and I'm hoping to also eventually use that with union
> mounts / unionfs to do a linux-vservers style unify.  But...  That also
> prevents this problem because the container's rootfs is NOT a real fs in
> the host, it's the bind mount and that insulates the hosts fs and mount
> points from any actions in the container.
>
> Example from one of my containers is like this:
>
> Config:
>
> ==
> lxc.rootfs = /srv/lxc/rootfs
> lxc.mount = /srv/lxc/config/1004.fstab
> ==
>
> fstab:
>
> == 
> /srv/lxc/private/1004 /srv/lxc/rootfs    none bind 0 0
>
> /export               /srv/lxc/rootfs/export        none bind 0 0
> /home/shared          /srv/lxc/rootfs/srv/shared    none bind 0 0
> == 
>
> Would be really NICE if that bind could be something like a fuse with
> unionfs or, eventually, a union mount once those are mature and stable
> in the kernel, but we're not there yet.
>
> Now, you won't actually see anything in /srv/lxc/rootfs because it's
> private to the container and it's just a dummy mount point that can be
> used by all of your containers.  The only thing that varies between my
> containers then is the location of the fstab (and the network stuff,
> obviously).  The container can screw up its mounts all it wants; they're
> ALL isolated and private to the container, including the rootfs.
>
>   
>> Regards,
>>     
>   
>> Guillaume ZITTA
>>     
> Regards,
> Mike
>   
Thanks.
I noticed that practice was used by lxc-create in version 0.6.3

with lxc-0.6.3, lxc-create is a binary and it does this for you and
other things in /var/lib/lxc
with lxc-0.6.5, lxc-create is a shell script and it does less things
than the binary one

Is this a voluntary regression?

If not, I volunteer to update the lxc-create script to provide the same
kind of functionality as the C version.
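Two helpers for the layout Mike describes above, added here as an example (not code from the thread or from the lxc project): one prints the config and fstab lines for a container ID using his /srv/lxc/private, /srv/lxc/rootfs and /srv/lxc/config paths, the other answers the question Guillaume raises, namely whether a container's rootfs is its own mount entry or just a directory inside a host mount, by reading a /proc/<pid>/mountinfo-format file. The sample mountinfo content is constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the original thread or of lxc.
# Assumed layout (from the thread): /srv/lxc/private/<ID> holds the real
# tree, /srv/lxc/rootfs is the shared dummy mount point, /srv/lxc/config
# holds per-container fstab files.
LXC_BASE=/srv/lxc

# Print the lxc config lines for container ID (lxc 0.6-era syntax).
gen_container_config() {
    printf 'lxc.rootfs = %s/rootfs\n' "$LXC_BASE"
    printf 'lxc.mount = %s/config/%s.fstab\n' "$LXC_BASE" "$1"
}

# Print the fstab line that bind-mounts the private tree onto the dummy
# rootfs mount point, so the container's / is a mount of its own.
gen_container_fstab() {
    printf '%s/private/%s %s/rootfs none bind 0 0\n' "$LXC_BASE" "$1" "$LXC_BASE"
}

# mountinfo columns: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS ... - FSTYPE SRC
# Return 0 if PATH appears as a mount point (column 5) in file MOUNTINFO,
# 1 if it is only a directory inside some larger mount.
rootfs_is_own_mount() {
    awk -v p="$1" '$5 == p { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Print the mount point that contains PATH: the longest mount point that is
# PATH itself or a prefix of it ("/" matches everything). When this is not
# PATH, a remount,ro issued against PATH lands on that (host) mount.
host_mount_of() {
    awk -v p="$1" '
        { mp = $5
          if (mp == "/" || mp == p || index(p, mp "/") == 1)
              if (length(mp) > length(best)) best = mp }
        END { print best }' "$2"
}

# Constructed sample: host root on /dev/sda1, plus one container set up the
# way the thread describes. A second container at /var/lib/lxc/web/rootfs
# is deliberately absent from the table: it lives as a plain directory.
SAMPLE_MOUNTINFO=$(mktemp)
cat > "$SAMPLE_MOUNTINFO" <<'EOF'
15 1 8:1 / / rw,relatime - ext3 /dev/sda1 rw,data=ordered
23 15 8:1 /srv/lxc/private/1004 /srv/lxc/rootfs rw,relatime - ext3 /dev/sda1 rw,data=ordered
EOF

# Report on one rootfs path; prints one line of explanation.
report_rootfs() {
    if rootfs_is_own_mount "$1" "$2"; then
        printf '%s: own mount entry, a remount from the container stays on it\n' "$1"
    else
        printf '%s: plain directory inside host mount %s, a remount,ro from the container hits the host mount\n' \
            "$1" "$(host_mount_of "$1" "$2")"
    fi
}

gen_container_config 1004
gen_container_fstab 1004
report_rootfs /srv/lxc/rootfs "$SAMPLE_MOUNTINFO"
report_rootfs /var/lib/lxc/web/rootfs "$SAMPLE_MOUNTINFO"
```

On a live host, pass /proc/<pid>/mountinfo of the container's init to `report_rootfs` rather than the constructed file. The check only tells you whether the rootfs is its own mount entry; whether a `remount,ro` from inside is actually contained also depends on the kernel's treatment of remounts on bind mounts (an MS_REMOUNT without MS_BIND acts on the shared superblock), so confirm the behaviour on the real host with a throwaway container before relying on it.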
