[lxc-devel] mountflag propagation from slave to host
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Dec 7 13:12:39 UTC 2015
> On December 4, 2015 at 10:08 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
>
>
> Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> > Not sure this is the right place to ask as I've narrowed it down to
> > raw mount commands, but it also affects privileged unconfined
> > containers when using bind-mounts to bind _mountpoints_ (not arbitrary
> > subdirectories) into a container (and I found it through some hooks
> > in my containers).
> >
> > For some reason doing a remount,ro in a slave mount namespace
> > propagates the read-only flag into its master namespace, while at the
> > same time a remount,rw does _not_ propagate that way, and I'm
> > wondering if anybody can offer some insight, or maybe it's a bug in
> > the kernel?
>
> Doing remount,ro and remount,rw is a touchy issue because it can mean two
> different things. It can mean changing the superblock options, or changing
> the bind mount options.
>
> > To test, compare:
> >
> > # mount -t tmpfs -o rw none /a
> > # unshare -m
> > # mount --make-rslave /
> > # mount -o remount,ro /a
>
> Try mount -o bind,remount,ro /a
Not really up to me. I also realized that when the stop hook unmounts / it
gets ro-remounted, and if it's a mountpoint on the host this also happens
on the host. I wish syncfs() was namespaced for bindmounts ;-)
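
An added example, not part of the original message: a Python sketch that reads /proc/<pid>/mountinfo text and reports whether a read-only state sits on the per-mount flags (what bind,remount,ro changes) or on the superblock options (shared by every mount of that filesystem, in any namespace). The sample lines, their IDs and devices, and the /b mount are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Mount:
    dev: str           # major:minor, identifies the superblock
    mountpoint: str
    mnt_ro: bool       # per-mount flag (field 6): what bind,remount,ro changes
    sb_ro: bool        # superblock option (last field): what plain remount,ro changes
    propagation: list  # optional fields such as "shared:20" or "master:20"

def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo text into Mount records."""
    mounts = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:                # shortest valid line: 6 fields, "-", 3 fields
            continue
        sep = f.index("-", 6)          # optional fields end at the "-" separator
        mounts.append(Mount(
            dev=f[2], mountpoint=f[4],
            mnt_ro="ro" in f[5].split(","),
            sb_ro="ro" in f[sep + 3].split(","),
            propagation=f[6:sep]))
    return mounts

def ro_scope(m):
    """Say where a read-only state lives for one mount."""
    if m.sb_ro:
        return "superblock"            # applies to every mount of this filesystem
    return "mount-only" if m.mnt_ro else "rw"

def ro_visible_elsewhere(ns_text, other_text):
    """Devices mounted in both namespaces whose superblock is read-only."""
    here = {m.dev for m in parse_mountinfo(ns_text) if m.sb_ro}
    return sorted(here & {m.dev for m in parse_mountinfo(other_text)})

# Constructed sample lines (assumed IDs and devices, not captured from a real host).
HOST = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 0:35 / /a rw,relatime shared:20 - tmpfs none ro
41 22 0:36 / /b rw,relatime shared:21 - tmpfs none rw
"""
SLAVE_NS = """\
120 100 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw
121 120 0:35 / /a ro,relatime master:20 - tmpfs none ro
122 120 0:36 / /b ro,relatime master:21 - tmpfs none rw
"""

if __name__ == "__main__":
    for m in parse_mountinfo(SLAVE_NS):
        print(m.mountpoint, ro_scope(m), m.propagation)
    print(ro_visible_elsewhere(SLAVE_NS, HOST))
```

In the constructed data, /a is read-only at the superblock and so shows up on the host side as well, while /b is read-only only on the slave namespace's own mount.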