[lxc-devel] [PATCH] Set all mounts to MS_SLAVE when starting a container without a rootfs
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Mar 27 12:53:44 UTC 2013
Quoting David Ward (david.ward at ll.mit.edu):
> If the filesystem mounts on the host have the MS_SHARED or MS_SLAVE
> flag set, and a container without a rootfs is started, then any new
> mounts created inside the container are currently propagated into
> the host. In addition to mounts placed in the configuration file of
> the container or performed manually after startup, the automatic
> mounting of /proc by lxc-execute will propagate back into the host,
> effectively crippling the entire system. This can be prevented by
> setting the MS_SLAVE flag on all mounts (inside the container's own
> mount namespace) during startup if a rootfs is not configured.
>
> Signed-off-by: David Ward <david.ward at ll.mit.edu>
> ---
> src/lxc/conf.c | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 965a0d2..6b3f318 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -1129,8 +1129,13 @@ static int setup_rootfs(struct lxc_conf *conf)
> {
> const struct lxc_rootfs *rootfs = &conf->rootfs;
>
> - if (!rootfs->path)
> + if (!rootfs->path) {
> + if (mount("", "/", NULL, MS_SLAVE|MS_REC, 0)) {
> + SYSERROR("Failed to make / rslave");
> + return -1;
There are points here which might merit discussion, but I'm not feeling
chatty and overall this is best:
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> + }
> return 0;
> + }
>
> if (access(rootfs->mount, F_OK)) {
> SYSERROR("failed to access to '%s', check it is present",
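Review bot: the new mount() call passes `0` as the `data` argument, which is declared `const void *`; `NULL` is the idiomatic spelling here (`mount("", "/", NULL, MS_SLAVE|MS_REC, NULL)`) and matches how the rest of conf.c passes pointer arguments. Minor style point in the same lines: the new message "Failed to make / rslave" is capitalised while the neighbouring SYSERROR in this function reads "failed to access to ...", so the lower-case form would keep log output consistent. Also worth one sentence in the commit message: rslave is one-directional, so mounts the host makes under a shared tree after startup still appear inside the container; that is acceptable for the problem described (stopping propagation back out to the host), but a reader of the log should not mistake it for full isolation.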
> --
> 1.7.1
>
>
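As an added example (not part of David's patch or the LXC tree), this C program performs the same step the patch adds, `mount("", "/", NULL, MS_SLAVE|MS_REC, ...)` in a fresh mount namespace, and then scans /proc/self/mountinfo for any mount still tagged `shared:`, which is the check a deployer would run from inside an lxc-execute container to confirm nothing can propagate back to the host. The mountinfo layout follows proc(5); the fallback `CLONE_NEWNS` value and the `unshare` prototype are only used when the feature macro was fixed before `<sched.h>` was read.

```c
#define _GNU_SOURCE                /* unshare(2) and CLONE_NEWNS are GNU extensions */
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#ifndef CLONE_NEWNS                /* fallback if feature macros were already fixed */
#define CLONE_NEWNS 0x00020000
int unshare(int flags);
#endif

/* Classify one /proc/self/mountinfo line (proc(5): id parent maj:min root mountpoint opts
 * [optional fields] - fstype ...): 1 if it carries "shared:N" (mount events propagate out of
 * this namespace), 0 for private/slave/unbindable, -1 if the line is malformed. */
int mount_is_shared(const char *line)
{
    int n = -1;
    sscanf(line, "%*d %*d %*s %*s %*s %*s%n", &n);   /* n = offset past the six fixed fields */
    if (n < 0) return -1;
    const char *p = line + n, *end = strstr(p, " - ");
    if (!end) return -1;
    while (++p < end) {                              /* walk the optional fields */
        if (strncmp(p, "shared:", 7) == 0) return 1;
        if (!(p = strchr(p, ' '))) break;
    }
    return 0;
}

/* Count shared mounts in a newline-separated mountinfo dump; malformed lines are skipped. */
int count_shared_mounts(const char *mountinfo)
{
    int shared = 0;
    for (const char *p = mountinfo; *p; p += strcspn(p, "\n"), p += (*p == '\n'))
        shared += (mount_is_shared(p) == 1);
    return shared;
}

int main(void)
{
    static char buf[1 << 16];
    FILE *f;
    /* The patch's mitigation: own mount namespace, then / rslave (needs CAP_SYS_ADMIN). */
    if (unshare(CLONE_NEWNS) || mount("", "/", NULL, MS_SLAVE | MS_REC, NULL)
        || !(f = fopen("/proc/self/mountinfo", "r")))
        return perror("rslave check"), 1;
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    printf("shared mounts left in this namespace: %d\n", count_shared_mounts(buf));
    return 0;
}
```

A non-zero count after the rslave step means some mount in the container's namespace would still push mount events back to the host's tree.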
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel