[lxc-devel] [PATCH 1/1] ubuntu templates: add some kernel filesystems to container fstab

Stéphane Graber stgraber at ubuntu.com
Wed Jul 17 14:44:28 UTC 2013


On Wed, Jul 17, 2013 at 09:41:43AM -0500, Serge Hallyn wrote:
> The debugfs, fusectl, and securityfs may not be mounted inside a
> non-init userns.  But mountall hangs waiting for them to be
> mounted.  So just pre-mount them using $lxcpath/$name/fstab as
> bind mounts, which will prevent mountall from trying to mount
> them.
> 
> If the kernel doesn't provide them, then the bind mount failure
> will be ignored, and mountall in the container will proceed
> without the mount since it is 'optional'.  But without these
> bind mounts, starting a container inside a user namespace
> hangs.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

I think that's reasonable. I'm assuming this won't somehow bypass our
existing apparmor policies (on non-userns) that prevent access to most
of those, right?

An alternative would have been to bind-mount the directory on itself,
which I believe is sufficient to trick mountall (it won't bother mounting
anything that's already a mountpoint), but that's probably a bad idea at
least for fuse, which we may actually need, at least on non-userns.

Anyway:
Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  templates/lxc-ubuntu-cloud.in | 3 +++
>  templates/lxc-ubuntu.in       | 3 +++
>  2 files changed, 6 insertions(+)
> 
> diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> index 5ffb5ba..480ef14 100644
> --- a/templates/lxc-ubuntu-cloud.in
> +++ b/templates/lxc-ubuntu-cloud.in
> @@ -96,6 +96,9 @@ EOF
>      cat <<EOF > $path/fstab
>  proc            proc         proc    nodev,noexec,nosuid 0 0
>  sysfs           sys          sysfs defaults  0 0
> +/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
> +/sys/kernel/debug sys/kernel/debug none bind 0 0
> +/sys/kernel/security sys/kernel/security none bind 0 0
>  EOF
>  
>      # rmdir /dev/shm for containers that have /run/shm
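Review bot: the three bind entries are written into every cloud container's fstab unconditionally, so containers started outside a user namespace also get the host's debugfs and securityfs bound under their rootfs, even though the commit message only motivates this for the userns case where mountall would otherwise hang; either make the lines conditional on a userns start or confirm, as the reply asks, that the existing apparmor profile still denies access to those paths. Cosmetically, the new lines do not follow the column alignment of the surrounding `proc`/`sysfs` entries, and the heredoc is unquoted (`<<EOF`), which is fine here only because the added lines contain no `$`; a comment above the heredoc saying that a failed bind for an absent source is expected and ignored would save the next reader from treating it as a bug.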
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 0b73529..af3c2b3 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -427,6 +427,9 @@ EOF
>      cat <<EOF > $path/fstab
>  proc            proc         proc    nodev,noexec,nosuid 0 0
>  sysfs           sys          sysfs defaults  0 0
> +/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
> +/sys/kernel/debug sys/kernel/debug none bind 0 0
> +/sys/kernel/security sys/kernel/security none bind 0 0
>  EOF
>  
>      if [ $? -ne 0 ]; then
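Review bot: the `if [ $? -ne 0 ]` that follows this heredoc only tests whether `cat` managed to write `$path/fstab`; it says nothing about whether `/sys/fs/fuse/connections`, `/sys/kernel/debug` or `/sys/kernel/security` exist on the host, since that is only discovered at container start, where (per the commit message) the bind failure is ignored. The three lines are an exact copy of the ones added to lxc-ubuntu-cloud.in in the previous hunk; if both templates must stay in sync, a note saying so in each file, or a shared snippet, would keep a future change from landing in only one of them.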
> -- 
> 1.8.1.2

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
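The commit message above relies on a bind mount failing harmlessly when the host kernel does not provide debugfs, fusectl or securityfs. That can be checked before a container is started. The following shell script is an added example; it is not part of this thread or of the LXC templates. It parses a container fstab in the format the patch writes and, for every bind entry, reports whether the source directory exists under a given root. The function name `check_lxc_fstab`, the optional root argument and the constructed directory tree in the demonstration are assumptions of this example.

```shell
#!/bin/sh
# Added example, not LXC project code: report which bind-mount sources in an
# LXC container fstab exist, so an operator can predict which binds will fail
# at container start (the patch description says lxc ignores that failure and
# mountall treats the mount as optional).
#
# check_lxc_fstab FSTAB [ROOT]
#   FSTAB  path to the container fstab ($lxcpath/$name/fstab)
#   ROOT   directory treated as the host root when looking up sources
#          (default "/"; pass a constructed tree to test without host access)
# Prints one line per bind entry plus a summary; the exit status is the number
# of bind sources that are missing, so 0 means every bind will succeed.
check_lxc_fstab() {
    fstab=$1
    root=${2:-/}
    present=0
    missing=0
    while read -r src dst fstype opts dump pass; do
        # skip blank lines and comments
        case "$src" in ''|'#'*) continue ;; esac
        # only bind/rbind entries name a host path; proc and sysfs are
        # fresh instances and need no source directory
        case ",$opts," in
            *,bind,*|*,rbind,*) ;;
            *) continue ;;
        esac
        if [ -d "${root%/}$src" ]; then
            echo "present $src -> $dst"
            present=$((present + 1))
        else
            echo "missing $src -> $dst (bind fails at start; optional for mountall)"
            missing=$((missing + 1))
        fi
    done < "$fstab"
    echo "summary: $present present, $missing missing"
    return "$missing"
}

# Stand-alone demonstration against a constructed root tree (assumption: no
# host access needed): debugfs and securityfs mountpoints exist, fusectl's
# does not, so one bind is reported missing and the exit status is 1.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/sys/kernel/debug" "$demo_root/sys/kernel/security"
cat <<EOF > "$demo_root/fstab"
proc            proc         proc    nodev,noexec,nosuid 0 0
sysfs           sys          sysfs defaults  0 0
/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
/sys/kernel/debug sys/kernel/debug none bind 0 0
/sys/kernel/security sys/kernel/security none bind 0 0
EOF
check_lxc_fstab "$demo_root/fstab" "$demo_root" || echo "$? bind source(s) missing"
rm -rf "$demo_root"
```

Run it as `sh check_lxc_fstab.sh`, or source it and call `check_lxc_fstab /var/lib/lxc/NAME/fstab` against the live host. The test is deliberately only `[ -d ]`: on a real host the directory `/sys/kernel/debug` exists whenever sysfs does, whether or not debugfs is mounted there, so a stricter check would also look for the source path in `/proc/self/mounts` before declaring the bind usable.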