[lxc-devel] a container can remount ro the host's mount point
lxc at zitta.fr
Mon Mar 15 14:39:23 UTC 2010
On 15/03/2010 15:05, Michael H. Warfield wrote:
> On Sun, 2010-03-14 at 08:33 +0100, lxc at zitta.fr wrote:
>
>> Hi,
>>
>> When I create a full os container (for example a debian), I have to
>> remove init script that remount / read only on halt
>> example : umountfs for lenny
>>
>> If I don't do this, the container remounts readonly the mount point
>> where rootfs are when it stops.
>>
>> Why a container is able to do this?
>> If you store multiples containers on the same mount point, it could be
>> very problematic.
>>
> Ah HA! So THAT'S the root cause of THAT problem. Several of us have
> noticed that effect. Yeah, major PITA. Also explains just why I no
> longer see it. Because of a practice I started using in setting up my
> containers...
>
> As it so happens, because all of my containers are OpenVZ compatibility
> containers, I use a bind mount in the fstab for the root fs. OpenVZ has
> this concept of a "private" and a "rootfs" to aid in setting disk quotas
> in the container and I'm hoping to also eventually use that with union
> mounts / unionfs to do a linux-vservers style unify. But... That also
> prevents this problem because the container's rootfs is NOT a real fs in
> the host, it's the bind mount and that insulates the hosts fs and mount
> points from any actions in the container.
>
> Example from one of my containers is like this:
>
> Config:
>
> ==
> lxc.rootfs = /srv/lxc/rootfs
> lxc.mount = /srv/lxc/config/1004.fstab
> ==
>
> fstab:
>
> ==
> /srv/lxc/private/1004 /srv/lxc/rootfs none bind 0 0
>
> /export /srv/lxc/rootfs/export none bind 0 0
> /home/shared /srv/lxc/rootfs/srv/shared none bind 0 0
> ==
>
> Would be really NICE if that bind could be something like a fuse with
> unionfs or, eventually, a union mount once those are mature and stable
> in the kernel, but we're not there yet.
>
> Now, you won't actually see anything in /srv/lxc/rootfs because it's
> private to the container and it's just a dummy mount point that can be
> used by all of your containers. The only thing that varies between my
> containers then is the location of the fstab (and the network stuff,
> obviously). The container can screw up its mounts all it wants; they're
> ALL isolated and private to the container, including the rootfs.
>
>
>> Regards,
>>
>
>> Guillaume ZITTA
>>
> Regards,
> Mike
>
Thanks.
I noticed that practice was used by lxc-create in version 0.6.3.
With lxc-0.6.3, lxc-create is a binary, and it does this for you and
other things in /var/lib/lxc.
With lxc-0.6.5, lxc-create is a shell script, and it does fewer things
than the binary one.
Is this a voluntary regression?
If not, I propose to update the lxc-create script to provide the same
kind of functionality as the C version.
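As an added example (not code from the thread or from the LXC project), the following POSIX sh check reads an lxc config and its lxc.mount fstab and reports whether lxc.rootfs is the target of a bind entry, i.e. whether the container is set up the way Michael describes, so that a "remount ro" of / at halt hits only the private bind mount and not the host filesystem that holds the container images. The paths and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# rootfs_is_bind CONFIG_FILE
# Prints "bind" and returns 0 when the path given by lxc.rootfs is the
# target of a "bind" entry in the fstab named by lxc.mount;
# prints "direct" and returns 1 otherwise (rootfs is a real host path).
rootfs_is_bind() {
    cfg="$1"
    rootfs=$(sed -n 's/^[[:space:]]*lxc\.rootfs[[:space:]]*=[[:space:]]*//p' "$cfg")
    fstab=$(sed -n 's/^[[:space:]]*lxc\.mount[[:space:]]*=[[:space:]]*//p' "$cfg")
    [ -n "$rootfs" ] && [ -n "$fstab" ] && [ -r "$fstab" ] || { echo direct; return 1; }
    # fstab fields: source target fstype options dump pass; skip comment lines
    if awk -v r="$rootfs" '
        $1 !~ /^#/ && $2 == r && ("," $4 ",") ~ /,bind,/ { found = 1 }
        END { exit !found }' "$fstab"; then
        echo bind; return 0
    fi
    echo direct; return 1
}

# --- constructed sample configs (hypothetical paths) to exercise the check ---
demo=$(mktemp -d)
cat > "$demo/1004.fstab" <<EOF
/srv/lxc/private/1004 /srv/lxc/rootfs none bind 0 0
/export /srv/lxc/rootfs/export none bind 0 0
EOF
# bind.conf: rootfs is the bind-mount target, as in Michael's setup
printf 'lxc.rootfs = /srv/lxc/rootfs\nlxc.mount = %s\n' "$demo/1004.fstab" > "$demo/bind.conf"
# direct.conf: rootfs points straight at the host directory holding the image
printf 'lxc.rootfs = /srv/lxc/private/1005\nlxc.mount = %s\n' "$demo/1004.fstab" > "$demo/direct.conf"

for c in bind direct; do
    printf '%s.conf -> %s\n' "$c" "$(rootfs_is_bind "$demo/$c.conf")"
done
# prints:
# bind.conf -> bind
# direct.conf -> direct
```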