[lxc-devel] [PATCH 1/1] setup_rootfs: always mount / slave

Serge Hallyn serge.hallyn at ubuntu.com
Fri Feb 28 05:52:35 UTC 2014


Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> > When the host root is rshared, this appears to fix both the extra mounts
> > in the container's /proc/self/mounts, and the lxc-attach ending up in
> > the host rootfs.
> > 
> > chroot_into_slave is careful to turn mounts into slave mounts
> > as quickly as possible, but for reasons I haven't wrapped my
> > head around, not quickly enough.  Mounting / ms_slave first
> > appears to do the trick.
> > 
> > It's possible that in cases (like android) where / is a chroot
> > and not a bind mount, this will fail, in which case we'll need
> > to first do a bind mount of / onto itself.  Let's not do that
> > until we're sure we need it.
> > 
> > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > ---
> >  src/lxc/conf.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index fc39897..2b1ba20 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -1500,6 +1500,11 @@ static int setup_rootfs(struct lxc_conf *conf)
> >  		return 0;
> >  	}
> >  
> > +	if (mount("", "/", NULL, MS_SLAVE, 0)) {
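Review bot: mount("", "/", NULL, MS_SLAVE, 0) changes the propagation of the / mount only; without MS_REC every mount below / keeps whatever propagation it had, so the commit message's claim that this alone fixes the extra mounts and the lxc-attach-in-host-rootfs problem should be qualified, and the fallback to chroot_into_slave() for submounts needs to stay until MS_SLAVE|MS_REC is used here. The error branch that opens on this line is cut off in the quote, but since the message already anticipates this call failing (the Android chroot case), it should log errno, e.g. via SYSERROR, so EINVAL and EPERM are distinguishable in the lxc-start log rather than failing silently. Minor: pass NULL rather than 0 for the `const void *data` argument.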
> 
> Ok, so thanks Stéphane for testing this on Arch, where it fails.
> Here are some datapoints:
> 
> 1. On Ubuntu, mount("", "/", NULL, MS_SLAVE|MS_REC) fails with -EPERM.
> I don't understand why.  However mount("", "/", NULL, MS_SLAVE)
> works, and makes lxc work with / mount-rshared.
> 
> 2. On Arch, using mount("", "/", NULL, MS_SLAVE|MS_REC) instead of
> the above line fixes lxc-start and lxc-attach.  The reason why not
> having MS_REC failed is that chroot_into_slave() is now being
> skipped altogether, but all mounts UNDER / are still shared.  So
> things like cgroups are getting unmounted on the host while the
> container does its mount cleanup after pivot_root().
> 
> So,
> 
> 1. we need to understand why MS_SLAVE|MS_REC sometimes fails.  (doesn't
> seem to be apparmor)
> 
> 2. if we go with MS_SLAVE|MS_REC (perhaps ignoring return value), we'll
> still want the chroot_into_slave to catch the case where / on the host
> is a directory on ramfs.  We will then need a better test for when we
> need to call it (in setup_rootfs()).

Oh, I forgot to mention another route.  The above paths try to also solve
the problem of having extra entries polluting /proc/$$/mounts (which do
not show up in /proc/self/mountinfo).  However I had also tried adding
a chroot(/proc/init_pid/root) to attach.  This worked in the case of a
MS_SHARED / on the host, but strangely failed otherwise.

If anyone else is looking into these things, hopefully my findings are
helpful...  Personally, my next step when I have time will be to take a
step back and figure out why we're getting the extra mounts in the
first place.

-serge
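A check for the condition described in the second datapoint above (mounts under / still shared after a non-recursive MS_SLAVE), added here as an example and not code from this thread or from LXC: it parses the optional propagation fields of /proc/self/mountinfo and counts mounts below a directory that are still in a shared peer group. The dump is a constructed sample; a real check would read /proc/self/mountinfo from inside the container's mount namespace.

```c
#include <stdio.h>
#include <string.h>

enum { PROP_SHARED = 1, PROP_SLAVE = 2 };

/* Parse one /proc/self/mountinfo line: copy the mount point (field 5) into mp and
 * return a PROP_* bitmask from the optional fields (0 = private), -1 if malformed. */
int mountinfo_propagation(const char *line, size_t len, char *mp, size_t mplen)
{
    char buf[1024], *tok;
    int field = 0, flags = 0;
    snprintf(buf, sizeof buf, "%.*s", (int)len, line);   /* bounded copy */
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        field++;
        if (field == 5)
            snprintf(mp, mplen, "%s", tok);
        else if (field > 6 && strcmp(tok, "-") == 0)
            return flags;   /* "-" separator ends the optional fields */
        else if (field > 6 && strncmp(tok, "shared:", 7) == 0)
            flags |= PROP_SHARED;
        else if (field > 6 && strncmp(tok, "master:", 7) == 0)
            flags |= PROP_SLAVE;
    }
    return -1;              /* no separator: not a mountinfo line */
}

/* Count mounts strictly below prefix that are still shared, i.e. whose
 * unmounts in this namespace would still propagate to the host peer group. */
int count_shared_under(const char *dump, const char *prefix)
{
    size_t plen = strlen(prefix), len;
    int count = 0, flags, below;
    for (const char *p = dump; *p; p += len + (p[len] == '\n')) {
        char mp[256] = "";
        len = strcspn(p, "\n");
        flags = mountinfo_propagation(p, len, mp, sizeof mp);
        below = plen && strncmp(mp, prefix, plen) == 0 && strlen(mp) > plen &&
                (prefix[plen - 1] == '/' || mp[plen] == '/');
        if (flags > 0 && (flags & PROP_SHARED) && below)
            count++;
    }
    return count;
}

/* Constructed sample: after mount("", "/", NULL, MS_SLAVE, 0) without MS_REC. */
const char *sample_after_ms_slave =
    "22 1 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw\n"
    "24 22 0:6 / /sys rw,nosuid shared:3 - sysfs sysfs rw\n"
    "25 24 0:7 / /sys/fs/cgroup rw,nosuid shared:4 - tmpfs tmpfs ro\n"
    "26 22 0:8 / /dev rw,nosuid - devtmpfs udev rw\n";
```

With MS_SLAVE|MS_REC the same dump would show master: on every line and count_shared_under(dump, "/") would be 0.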

