[lxc-devel] [RFC] rootfs pinning

Christian Seiler christian at iwakd.de
Tue Sep 24 20:51:43 UTC 2013


Hi there,

>> Yep, we discussed this at Plumbers and I think it's really the way
>> to go, basically remove all of that fs pinning code and just do a
>> bind-mount of the rootfs on itself in the container's mountns before
>> starting it.
>
>> That way if the container decides to remount / ro at any point,
>> it'll succeed and will give the user a read-only / but without
>> affecting the outside world.
>
> Ideally, I think that's the way to go and I used to do that manually
> when setting up my containers but I was thinking there was some breakage
> between that and the way we were working around the pivot_root
> problem introduced by systemd (Fedora, Suse, Arch, et al).  If we can
> verify that works with all the init flavors without breaking, that could
> be part of the general cleanup of the mount tables in the containers as
> well, maybe...

Just a short comment about what I found out when looking at the
auto-mount stuff I just sent to the list when it comes to
bind-mounts and remounting ro:

Take the following example:

mount --bind /foo /bar
mount -o remount,ro /bar

In kernels up to at least 3.2 (but not much later) this would make the
mount /bar read-only, but keep /foo read-write.

But: in kernels from 3.8 at the latest (possibly earlier), this would
actually remount the entire filesystem read-only or give a busy message.
There was apparently some kind of change here.

In order to properly remount bind-mounts read-only in newer kernels,
you have to do the following:

mount -o remount,bind,ro /bar

This will also work in older kernels (I could only test 2.6.32, not
earlier), so in that sense it's portable.
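A way to verify which of the two outcomes described above you actually got: in /proc/self/mountinfo the per-mount options (field 6) carry the bind mount's own read-only flag, while the superblock options (after the "-" separator) carry the filesystem-wide flag. The following is an added example, not code from this thread or from lxc; the mountinfo lines are constructed samples of the two cases.

```python
"""Tell a per-mount read-only bind mount (remount,bind,ro) apart from a
superblock-wide read-only remount by parsing /proc/self/mountinfo."""
import re


def _unescape(field):
    # mountinfo escapes space, tab, newline and backslash as octal (\040 ...)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Yield one dict per mountinfo line with the fields that matter here."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or "-" not in fields:
            continue                      # blank or malformed line
        sep = fields.index("-")           # optional fields end at "-"
        yield {
            "mount_point": _unescape(fields[4]),
            "mount_opts": fields[5].split(","),        # per-mount flags
            "super_opts": fields[sep + 3].split(","),  # superblock flags
        }


def classify(text, mount_point):
    """Return 'rw', 'mount-ro' (only this mount is read-only, which is what
    remount,bind,ro gives) or 'fs-ro' (the whole filesystem went read-only,
    so every other mount of it, e.g. the bind source, is affected too).
    The last matching entry wins, as with stacked mounts."""
    state = None
    for m in parse_mountinfo(text):
        if m["mount_point"] != mount_point:
            continue
        if "ro" in m["super_opts"]:
            state = "fs-ro"
        elif "ro" in m["mount_opts"]:
            state = "mount-ro"
        else:
            state = "rw"
    if state is None:
        raise KeyError("no mount entry for %s" % mount_point)
    return state


# Constructed sample: after "mount --bind /foo /bar; mount -o remount,bind,ro /bar"
AFTER_BIND_RO = """\
20 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
40 20 8:1 /foo /bar ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
"""

# Constructed sample: "mount -o remount,ro /bar" where the remount hit the
# superblock, so / and /foo (same filesystem) went read-only as well
AFTER_PLAIN_RO = """\
20 1 8:1 / / rw,relatime - ext4 /dev/sda1 ro,errors=remount-ro
40 20 8:1 /foo /bar rw,relatime - ext4 /dev/sda1 ro,errors=remount-ro
"""
```

On a live system, pass the contents of /proc/self/mountinfo (read from inside the container's mount namespace) to classify() with the rootfs mount point.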

BUT: the typical bind-mount trick one could use to keep the container
from remounting / ro at shutdown will apparently, as far as I can
tell, not work anymore in 3.8, possibly earlier, since typical
shutdown will do the equivalent of remount,ro and not add the bind
option there.

So unfortunately, I think we'll have to stick with pinning... :(

-- Christian
