[lxc-devel] lxc-destroy considered harmful
Thomas Moschny
thomas.moschny at gmail.com
Wed Sep 4 17:08:07 UTC 2013
Hi,
in https://bugzilla.redhat.com/show_bug.cgi?id=1003136 , a Fedora LXC
user reports a problem with lxc-destroy removing parts of his host
file system.
He's using 0.8.0, and the obvious advice for him is to try with 0.9.0
(which I am currently building packages of), but that said, the
problem is deeper imho.
The lxc-destroy script contains this line at its end:
rm -rf --one-file-system --preserve-root $lxc_path/$lxc_name
Now, if - for one reason or another (we cannot guarantee that lxc is
bug-free, or that the configuration is correct, etc.) - the bind
mounts pointing to the host's file system are still present at that
point in the script, the rm command will do something very harmful to
the host. We should protect the user here. The --one-file-system
option does not help in the case of bind mounts. This has been
discussed in coreutils bug #9472 (see
http://lists.gnu.org/archive/html/bug-coreutils/2011-09/msg00040.html,
as I once experienced the same problem :( ), which is still open
afaik.
Wouldn't it be possible to have some code around that final rm command
in lxc-destroy to avoid this scenario? Something like temporarily
bind-mounting $lxc_path somewhere and then rm'ing $lxc_name in that
bind mount?
What do you think?
Regards
Thomas
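The check Thomas asks for, as an added example that is not part of the original post and not lxc's own code: before the final rm, consult the kernel mount table and refuse to proceed while anything is still mounted at or below the container directory. This sidesteps the --one-file-system limitation with bind mounts, since a bind mount of the host's root shows up as a separate entry in /proc/self/mountinfo even though it is the same filesystem. The function names, the optional mountinfo-file argument (used so the logic can be exercised against a constructed table) and the sample mount table are assumptions made for the example.

```shell
#!/bin/sh
# Guard a container's "rm -rf" against bind mounts still present beneath it.
# rm's --one-file-system compares st_dev, and a bind mount of a host directory
# on the same device passes that test, so we look at the mount table instead.

# mounts_under DIR [MOUNTINFO]
# Print every mount point that is DIR itself or lies below DIR.  Field 5 of
# /proc/self/mountinfo is the mount point (octal-escaped, so it never contains
# a space).  A second argument lets callers supply a different table; the
# example's tests use that with a constructed file.
mounts_under() {
    dir=$1
    mountinfo=${2:-/proc/self/mountinfo}
    awk -v d="$dir" '{ mp = $5; if (mp == d || index(mp, d "/") == 1) print mp }' "$mountinfo"
}

# safe_destroy LXC_PATH LXC_NAME [MOUNTINFO]
# Remove $LXC_PATH/$LXC_NAME only if nothing is mounted beneath it.
# Returns 0 when the tree was removed, 1 when removal was refused.
safe_destroy() {
    lxc_path=$1
    lxc_name=$2
    mountinfo=${3:-/proc/self/mountinfo}
    target="$lxc_path/$lxc_name"

    leftover=$(mounts_under "$target" "$mountinfo")
    if [ -n "$leftover" ]; then
        echo "refusing to remove $target: still mounted below it:" >&2
        echo "$leftover" >&2
        return 1
    fi
    # Same command the lxc-destroy script ends with; the mount check above is
    # what actually protects the host when a bind mount was left behind.
    rm -rf --one-file-system --preserve-root "$target"
}

# Usage (assumed paths):
#   safe_destroy /var/lib/lxc mycontainer
```

The intended use is to call safe_destroy in place of the bare rm at the end of lxc-destroy; the operator then sees which mount points are still live and can umount them (or find the lxc bug that left them) instead of discovering the problem when parts of the host are gone.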