[lxc-devel] [PATCH] lxc-busybox: remove unnecessary bind-mount

Stéphane Graber stgraber at ubuntu.com
Fri Dec 6 14:42:23 UTC 2013


On Fri, Dec 06, 2013 at 12:11:29PM +0200, Bogdan Purcareata wrote:
> Since the line immediately following will mount the entire
> /sys read-only, hence /sys/kernel/security too.
> 
> Also, when installing the container template on systems with
> no securityfs support, starting the container will fail.
> 

Did you confirm that the lxc.mount.auto entry actually mounts securityfs
on /sys/kernel/security?

/sys/kernel/security isn't part of sysfs and needs to be mounted on top of it.
If it's not mounted, your proposed change will lead to failure to set up
apparmor and an unconfined container on systems supporting it.

Instead, I think it'd be better to change that line to simply
"ro,bind,optional" so that failure to mount doesn't cause a failure to
start the container.

> Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> ---
>  templates/lxc-busybox.in | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> index 23d654e..906dc5d 100644
> --- a/templates/lxc-busybox.in
> +++ b/templates/lxc-busybox.in
> @@ -296,7 +296,6 @@ EOF
>              echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >> $path/config
>          fi
>      done
> -    echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind 0 0" >>$path/config
>      echo "lxc.mount.auto = proc:mixed sys" >>$path/config
>  }
>  
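Review bot: Removing this entry leaves the container with an empty /sys/kernel/security, and the premise in the commit message does not hold: `lxc.mount.auto = proc:mixed sys` on the following line mounts sysfs, but securityfs is a separate filesystem mounted on top of sysfs, so mounting /sys read-only does not bring /sys/kernel/security with it. On hosts that support AppArmor the result is a failure to set up AppArmor and an unconfined container. The case the patch is aiming at (hosts without securityfs) is better handled by keeping the line and marking the mount non-fatal, i.e. `echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0" >>$path/config`, so a missing securityfs no longer aborts container start while hosts that have it still get the bind-mount.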
> -- 
> 1.7.11.7

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
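The two points of the reply, as an added shell example that is not part of the patch or of the template: first a check of whether the host really has securityfs mounted at /sys/kernel/security (it is its own filesystem layered on sysfs, so the mounts table lists it separately from sysfs), then the template's mount entry rewritten with the "optional" flag so that a missing securityfs does not abort container start. The function names are this example's own; the config keys and values are the ones that appear in the thread, and the mounts-table lines in the test are constructed samples in /proc/self/mounts format.

```shell
#!/bin/sh
# Added example, not code from the lxc-busybox template or the patch.
# Function names are this example's own assumptions.

# has_securityfs MOUNTS_FILE
# Returns 0 if MOUNTS_FILE (same format as /proc/self/mounts) lists a
# securityfs mounted at /sys/kernel/security, 1 otherwise. sysfs alone
# is not enough: securityfs is a distinct filesystem on top of it.
has_securityfs() {
    awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
         END { exit !found }' "$1"
}

# securityfs_mount_entry
# Prints the template's mount entry with "optional" added, as suggested in
# the reply: the bind-mount is still attempted, but failing to mount it
# (host without securityfs) is not fatal for container start.
securityfs_mount_entry() {
    printf '%s\n' 'lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0'
}

# write_sys_mounts CONFIG_FILE
# Appends the securityfs entry and the lxc.mount.auto line to CONFIG_FILE,
# in the same order the template writes them, and reports on stderr
# whether the host this runs on currently exposes securityfs.
write_sys_mounts() {
    securityfs_mount_entry >> "$1"
    printf '%s\n' 'lxc.mount.auto = proc:mixed sys' >> "$1"
    if has_securityfs /proc/self/mounts; then
        echo "securityfs present on host; entry will be bind-mounted" >&2
    else
        echo "no securityfs on host; entry is optional and will be skipped" >&2
    fi
}
```

Run `write_sys_mounts /path/to/container/config` in place of the template's two `echo` lines; the stderr message only tells you what will happen on this host, the config itself is the same either way.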