[lxc-devel] lxc-destroy considered harmful

Thomas Moschny thomas.moschny at gmail.com
Wed Sep 4 17:08:07 UTC 2013


Hi,

in https://bugzilla.redhat.com/show_bug.cgi?id=1003136 , a Fedora LXC
user reports a problem with lxc-destroy removing parts of his host
file system.

He's using 0.8.0, and the obvious advice for him is to try with 0.9.0
(which I am currently building packages of), but that said, the
problem is deeper imho.

The lxc-destroy script contains this line at its end:

  rm -rf --one-file-system --preserve-root $lxc_path/$lxc_name

Now, if - for one reason or the other (we cannot guarantee the lxc is
bug free, or that the configuration is correct, etc.) - the bind
mounts pointing to the host's file system are still present at that
point in the script, the rm command will do something very harmful to
the host. We should protect the user here. The --one-file-system
option does not help in the case of bind mounts. This has been
discussed in coreutils bug #9472 (see
http://lists.gnu.org/archive/html/bug-coreutils/2011-09/msg00040.html,
as I once experienced the same problem :( ), which is still open
afaik.

Wouldn't it be possible to have some code around that final rm command
in lxc-destroy to avoid this scenario? Something like temporarily
bind-mounting $lxc_path somewhere and then rm'ing $lxc_name in that
bind mount?

What do you think?

Regards
Thomas
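As an added illustration of the failure mode discussed in this thread (not code from the mail or from the lxc project), the shell fragment below guards the final rm by first checking whether any mount point, bind mounts included, still lives under the container directory. It reads mount points from a mountinfo-format file, defaulting to /proc/self/mountinfo, and the file path is overridable so the check can be exercised against a constructed sample without root. The function names (mounts_under, destroy_is_safe, safe_destroy) are hypothetical, chosen for this example only.

```shell
#!/bin/sh
# Added example, not part of lxc-destroy: refuse to run the destructive rm
# while mount points (including non-recursive bind mounts, which
# --one-file-system does not stop) remain beneath the container directory.

# Print every mount point equal to or below $1. Mount points come from the
# mountinfo-format file named in $2 (default: /proc/self/mountinfo); field 5
# of each line is the mount point, with spaces encoded as \040.
mounts_under() {
    dir=${1%/}
    file=${2:-/proc/self/mountinfo}
    awk -v dir="$dir" '
        {
            mp = $5
            gsub(/\\040/, " ", mp)
            if (mp == dir || index(mp, dir "/") == 1) print mp
        }' "$file"
}

# Exit status 0 when nothing is mounted under $1, 1 otherwise.
# Nothing is removed here; this is the precondition for the rm below.
destroy_is_safe() {
    [ -z "$(mounts_under "$1" "$2")" ]
}

# Destructive step, only taken when the precondition holds. The remaining
# mount points are listed on stderr so the operator can unmount them first.
safe_destroy() {
    target=$1
    if ! destroy_is_safe "$target" "$2"; then
        echo "refusing to remove $target: mount points still present:" >&2
        mounts_under "$target" "$2" >&2
        return 1
    fi
    rm -rf --one-file-system --preserve-root -- "$target"
}
```

Run as `safe_destroy "$lxc_path/$lxc_name"` in place of the bare rm; the second argument is only needed when testing against a constructed mountinfo file. The check is deliberately conservative: a stale bind mount is reported rather than silently skipped, because whatever left it mounted is the bug that needs fixing.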