[lxc-devel] [PATCH] lxc-busybox: remove unnecessary bind-mount

bogdan.purcareata at freescale.com bogdan.purcareata at freescale.com
Mon Dec 9 10:55:47 UTC 2013


> -----Original Message-----
> From: Purcareata Bogdan-B43198
> Sent: Monday, December 09, 2013 12:55 PM
> To: 'Stéphane Graber'
> Cc: lxc-devel at lists.sourceforge.net
> Subject: RE: [lxc-devel] [PATCH] lxc-busybox: remove unnecessary bind-mount
> 
> > -----Original Message-----
> > From: Stéphane Graber [mailto:stgraber at ubuntu.com]
> > Sent: Friday, December 06, 2013 4:42 PM
> > To: Purcareata Bogdan-B43198
> > Cc: lxc-devel at lists.sourceforge.net
> > Subject: Re: [lxc-devel] [PATCH] lxc-busybox: remove unnecessary bind-mount
> >
> > On Fri, Dec 06, 2013 at 12:11:29PM +0200, Bogdan Purcareata wrote:
> > > Since the line immediately following will mount the entire
> > > /sys read-only, hence /sys/kernel/security too.
> > >
> > > Also, when installing the container template on systems with
> > > no securityfs support, starting the container will fail.
> > >
> >
> > Did you confirm that the lxc.mount.auto entry actually mounts securityfs
> > on /sys/kernel/security?
> 
> Sorry, my bad - I only checked to see whether I have the /sys/kernel/security
> folder in the container. However, securityfs is not automatically mounted
> there, hence the bind-mount is still necessary.
> 
> >
> > /sys/kernel/security isn't part of sysfs and needs to be mounted on top of it.
> > If it's not mounted, your proposed change will lead to failure to setup
> > apparmor and an unconfined container on systems supporting it.
> >
> > Instead, I think it'd be better to change that line to simply
> > "ro,bind,optional" so that failure to mount doesn't cause a failure to
> > start the container.
> 
> I think this would be a way better approach, I will send a patch.
> 
> >
> > > Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
> > > ---
> > >  templates/lxc-busybox.in | 1 -
> > >  1 file changed, 1 deletion(-)
> > >
> > > diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in
> > > index 23d654e..906dc5d 100644
> > > --- a/templates/lxc-busybox.in
> > > +++ b/templates/lxc-busybox.in
> > > @@ -296,7 +296,6 @@ EOF
> > >              echo "lxc.mount.entry = /$dir $dir none ro,bind 0 0" >>
> > $path/config
> > >          fi
> > >      done
> > > -    echo "lxc.mount.entry = /sys/kernel/security sys/kernel/security none
> > ro,bind 0 0" >>$path/config
> > >      echo "lxc.mount.auto = proc:mixed sys" >>$path/config
> > >  }
> > >
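Review bot: the premise in the commit message does not hold for the deleted line: the `lxc.mount.auto = proc:mixed sys` entry kept as trailing context mounts sysfs read-only, but securityfs is a separate filesystem mounted on top of /sys/kernel/security, so removing this bind-mount leaves the container with no securityfs at all, and on hosts that support apparmor that means the profile cannot be set up and the container runs unconfined (as the reply above points out). Keep the line and instead add `optional` to its flags, e.g. `lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0`, so that a host without securityfs support still starts the container, which is the real failure the second paragraph of the commit message describes.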
> > > --
> > > 1.7.11.7
> > >
> >
> > --
> > Stéphane Graber
> > Ubuntu developer
> > http://www.ubuntu.com
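As an added illustration of the point made in the thread (not code from the patch or from the lxc-busybox template): securityfs does not come with sysfs, so a defender checking a host or a container should look for a separate securityfs mount at /sys/kernel/security, and inside the container confirm that the bind-mount is read-only. The two helpers below take a /proc/mounts-style table as text; the sample tables are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the lxc-busybox template or of the patch.
# Both helpers take the text of a /proc/mounts-style table as an argument:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# On a real host call them as: securityfs_mounted "$(cat /proc/mounts)"

# securityfs_mounted TABLE
#   Exit 0 if TABLE lists a securityfs mount at /sys/kernel/security.
#   If this fails, a bind-mount of /sys/kernel/security cannot succeed,
#   which is the case the "optional" mount flag is meant to tolerate.
securityfs_mounted() {
    printf '%s\n' "$1" |
        awk '$2 == "/sys/kernel/security" && $3 == "securityfs" { found = 1 }
             END { exit !found }'
}

# mount_is_ro TABLE MOUNTPOINT
#   Exit 0 if MOUNTPOINT is listed in TABLE with "ro" among its options,
#   i.e. the ro,bind entry from the container config took effect.
mount_is_ro() {
    printf '%s\n' "$1" |
        awk -v mp="$2" '$2 == mp {
                 n = split($4, opts, ",")
                 for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
             }
             END { exit !found }'
}

# Constructed sample tables (not captured from a real system).
HOST_WITH_SECURITYFS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0'
HOST_WITHOUT_SECURITYFS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
CONTAINER_VIEW='sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs ro,nosuid,nodev,noexec,relatime 0 0'

securityfs_mounted "$HOST_WITHOUT_SECURITYFS" ||
    echo "no securityfs on this host: the bind-mount fails unless marked optional"
mount_is_ro "$CONTAINER_VIEW" /sys/kernel/security &&
    echo "container: /sys/kernel/security is mounted read-only"
```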