[lxc-devel] lxc-destroy considered harmful
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Sep 4 18:58:18 UTC 2013
Quoting Thomas Moschny (thomas.moschny at gmail.com):
> Hi,
>
> in https://bugzilla.redhat.com/show_bug.cgi?id=1003136 , a Fedora LXC
> user reports a problem with lxc-destroy removing parts of his host
> file system.
>
> He's using 0.8.0, and the obvious advice for him is to try with 0.9.0
> (which I am currently building packages of), but that said, the
> problem is deeper imho.
>
> The lxc-destroy script contains this line at its end:
>
> rm -rf --one-file-system --preserve-root $lxc_path/$lxc_name
>
> Now, if - for one reason or the other (we cannot guarantee the lxc is
> bug free, or that the configuration is correct, etc.) - the bind
We're not relying on lxc being bug-free, but rather all mounts for
a container are done in a new mount namespace. So there can be no
bind mounts left over from a container run. That's not to say there
can't be mistakes due to templates or user error, both of which are
worth taking care to watch out for.
> mounts pointing to the host's file system are still present at that
> point in the script, the rm command will do something very harmful to
> the host. We should protect the user here. The --one-file-system
> option does not help in the case of bind mounts. This has been
> discussed in coreutils bug #9472 (see
> http://lists.gnu.org/archive/html/bug-coreutils/2011-09/msg00040.html,
> as I once experienced the same problem :( ), which is still open
> afaik.
>
> Wouldn't it be possible to have some code around that final rm command
> in lxc-destroy to avoid this scenario? Something like temporarily
> bind-mounting $lxc_path somewhere and then rm'ing $lxc_name in that
> bind mount?
>
> What do you think?
Nice idea, that sounds like it might work. Would you be able to send a
patch for testing?
-serge
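The thread's concern is that `rm -rf --one-file-system` happily descends into a bind mount that is still present under $lxc_path/$lxc_name. As an added example (not code from lxc-destroy, the lxc project, or either poster), the script below takes a pre-check approach rather than the temporary bind mount proposed above: it parses mountinfo (field 5 is the mount point, with spaces escaped as \040), refuses to delete while any mount point sits at or below the container directory, and also rejects a container name containing a slash so the removal can never widen beyond one directory directly under $lxc_path. The function names and the optional mountinfo-file argument are assumptions made so the logic can be exercised offline against a constructed mountinfo; by default it reads /proc/self/mountinfo.

```shell
#!/bin/sh
# Added example, not part of lxc: guard the final rm in a destroy script.
# mountinfo format: field 5 is the mount point; spaces appear as \040.

# Print every mount point at or below DIR (one per line).
# $1 = directory, $2 = mountinfo file (default /proc/self/mountinfo).
mounts_under() {
    _dir=$1
    _info=${2:-/proc/self/mountinfo}
    awk -v dir="$_dir" '{
        mp = $5
        gsub(/\\040/, " ", mp)          # undo the mountinfo space escape
        if (mp == dir || index(mp, dir "/") == 1) print mp
    }' "$_info"
}

# Return 0 if LXC_PATH/NAME has no mounts at or below it and NAME is a
# plain single path component; return 1 otherwise.
# $1 = lxc_path, $2 = lxc_name, $3 = optional mountinfo file for testing.
safe_to_remove() {
    _path=$1
    _name=$2
    _info=$3
    case "$_name" in
        ''|*/*|.|..) return 1 ;;    # empty, ../x, ./x, nested paths: refuse
    esac
    [ -z "$(mounts_under "$_path/$_name" ${_info:+"$_info"})" ]
}

# Same rm line as lxc-destroy, but only after the check passes.
safe_destroy() {
    if safe_to_remove "$1" "$2" "$3"; then
        rm -rf --one-file-system --preserve-root "$1/$2"
    else
        echo "refusing to remove $1/$2: mounts present or bad name" >&2
        return 1
    fi
}
```

Run it from a privileged destroy script as `safe_destroy "$lxc_path" "$lxc_name"`; the check reads the current mount namespace, so it catches a bind mount left by a template or by hand, which the --one-file-system flag alone does not.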