[lxc-devel] [PATCH 1/1] setup_rootfs: always mount / slave
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Feb 27 18:37:05 UTC 2014
Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> When the host root is rshared, this appears to fix both the extra mounts
> in the container's /proc/self/mounts, and the lxc-attach ending up in
> the host rootfs.
>
> chroot_into_slave is careful to turn mounts into slave mounts
> as quickly as possible, but for reasons I haven't wrapped my
> head around, not quickly enough. Mounting / ms_slave first
> appears to do the trick.
>
> It's possible that in cases (like android) where / is a chroot
> and not a bind mount, this will fail, in which case we'll need
> to first do a bind mount of / onto itself. Let's not do that
> until we're sure we need it.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> ---
> src/lxc/conf.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index fc39897..2b1ba20 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -1500,6 +1500,11 @@ static int setup_rootfs(struct lxc_conf *conf)
> return 0;
> }
>
> + if (mount("", "/", NULL, MS_SLAVE, 0)) {
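Review bot: mount("", "/", NULL, MS_SLAVE, 0) changes the propagation type of the root mount only; without MS_REC every mount beneath / (proc, sys, cgroups) keeps its shared propagation, so unmounts the container performs after pivot_root() still reach the host, which is the Arch failure described below. Consider MS_SLAVE|MS_REC here, and since the commit message already anticipates this call failing where / is a chroot rather than a mount, log errno in the failure branch rather than failing silently, so the -EPERM case can be diagnosed.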
Ok, so thanks Stéphane for testing this on Arch, where it fails.
Here are some datapoints:
1. On Ubuntu, mount("", "/", NULL, MS_SLAVE|MS_REC) fails with -EPERM.
I don't understand why. However, mount("", "/", NULL, MS_SLAVE)
works, and makes lxc work with / mount-rshared.
2. On Arch, using mount("", "/", NULL, MS_SLAVE|MS_REC) instead of
the above line fixes lxc-start and lxc-attach. The reason why not
having MS_REC failed is that chroot_into_slave() is now being
skipped altogether, but all mounts UNDER / are still shared. So
things like cgroups are getting unmounted on the host while the
container does its mount cleanup after pivot_root().
So,
1. we need to understand why MS_SLAVE|MS_REC sometimes fails. (doesn't
seem to be apparmor)
2. if we go with MS_SLAVE|MS_REC (perhaps ignoring return value), we'll
still want the chroot_into_slave to catch the case where / on the host
is a directory on ramfs. We will then need a better test for when we
need to call it (in setup_rootfs()).
-serge
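Added example, not from the patch or the LXC source: a small C program that reads /proc/self/mountinfo, reports whether / itself and how many mounts under it carry shared propagation (the condition this thread is fighting, and the difference between MS_SLAVE and MS_SLAVE|MS_REC), and, when run as root, performs the mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) call inside a fresh mount namespace so the host is left untouched. The mountinfo samples are constructed for the test and the function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Propagation bits recovered from the optional fields of a mountinfo line. */
#define PROP_SHARED 1   /* "shared:N" -> mount is a member of peer group N   */
#define PROP_SLAVE  2   /* "master:N" -> mount receives events from group N  */

/*
 * Parse one /proc/self/mountinfo line:
 *   ID parentID maj:min root mount_point opts [optional...] - fstype source super_opts
 * Copies the mount point into mp and returns the propagation bits
 * (0 = private), or -1 if the line is malformed.
 */
int mountinfo_line_propagation(const char *line, char *mp, size_t mp_sz)
{
    char buf[1024], *fields[64], *save = NULL;
    int n = 0, flags = 0;

    snprintf(buf, sizeof(buf), "%s", line);
    for (char *tok = strtok_r(buf, " \n", &save); tok && n < 64;
         tok = strtok_r(NULL, " \n", &save))
        fields[n++] = tok;
    if (n < 7)
        return -1;
    snprintf(mp, mp_sz, "%s", fields[4]);

    /* Optional fields run from index 6 up to the "-" separator. */
    for (int i = 6; i < n && strcmp(fields[i], "-") != 0; i++) {
        if (strncmp(fields[i], "shared:", 7) == 0)
            flags |= PROP_SHARED;
        else if (strncmp(fields[i], "master:", 7) == 0)
            flags |= PROP_SLAVE;
    }
    return flags;
}

/* Scan a whole mountinfo dump. Returns the propagation bits of "/" (-1 if no
 * root entry is present) and stores the number of shared mounts in *shared. */
int scan_mountinfo(const char *text, int *shared)
{
    int root_flags = -1, count = 0;
    for (const char *p = text; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024], mp[256];
        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        int flags = mountinfo_line_propagation(line, mp, sizeof(mp));
        if (flags >= 0) {
            if (flags & PROP_SHARED)
                count++;
            if (strcmp(mp, "/") == 0)
                root_flags = flags;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    if (shared)
        *shared = count;
    return root_flags;
}

int root_mount_is_shared(const char *text)
{
    int f = scan_mountinfo(text, NULL);
    return (f >= 0 && (f & PROP_SHARED)) ? 1 : 0;
}

int count_shared_mounts(const char *text)
{
    int n = 0;
    scan_mountinfo(text, &n);
    return n;
}

/* The call discussed in the thread, done in a private mount namespace so the
 * host's propagation settings are never modified. Needs CAP_SYS_ADMIN;
 * returns 0 or -errno. */
int make_root_slave(int recursive)
{
    if (unshare(CLONE_NEWNS) < 0)
        return -errno;
    if (mount("", "/", NULL, MS_SLAVE | (recursive ? MS_REC : 0), NULL) < 0)
        return -errno;
    return 0;
}

/* Constructed samples: host with rshared /, host after MS_SLAVE without
 * MS_REC (children still shared), and a fully private host. */
static const char SAMPLE_RSHARED[] =
    "21 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "22 21 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw\n"
    "23 21 0:20 / /sys/fs/cgroup rw,nosuid shared:8 - tmpfs tmpfs rw,mode=755\n";
static const char SAMPLE_ROOT_SLAVE_ONLY[] =
    "21 0 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw\n"
    "22 21 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw\n"
    "23 21 0:20 / /sys/fs/cgroup rw,nosuid shared:8 - tmpfs tmpfs rw,mode=755\n";
static const char SAMPLE_PRIVATE[] =
    "21 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n";

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) {
        perror("mountinfo");
        return 1;
    }
    size_t got = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[got] = '\0';

    int n_shared, root = scan_mountinfo(buf, &n_shared);
    printf("root is %s, %d shared mount(s) in this namespace\n",
           root < 0 ? "unknown" : (root & PROP_SHARED) ? "shared"
           : (root & PROP_SLAVE) ? "slave" : "private", n_shared);
    if (n_shared > 0 && geteuid() == 0) {
        int rc = make_root_slave(1);
        printf("MS_SLAVE|MS_REC on /: %s\n", rc ? strerror(-rc) : "ok");
    }
    return 0;
}
```

The second sample is the state Serge describes on Arch: / itself is slave, so chroot_into_slave() is skipped, yet every child mount still reports shared:N and would propagate the container's cleanup unmounts back to the host. Comparing count_shared_mounts() before and after the MS_SLAVE|MS_REC call is a direct check that the recursive variant actually took effect.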